Share via


CredentialDescription Class

Definition

Description of a credential. Credentials are used to prove the identity of the application (See ClientCredentials), or to decrypt tokens (See TokenDecryptionCredentials). Credentials can be secrets (client secrets), certificates, or signed assertions. They can be stored or provided in a variety of ways, and this class provides a way to describe them. The description is then used by Microsoft.Identity.Web to retrieve the credential. (See the DefaultCredentialProvider class)

public class CredentialDescription
type CredentialDescription = class
Public Class CredentialDescription
Inheritance
CredentialDescription
Derived

Constructors

CredentialDescription()

Properties

Base64EncodedValue

When SourceType is Base64Encoded, specifies the base64 encoded value of the certificate.

CachedValue

When the credential is retrieved by a ICredentialsLoader, it will be stored in this property, where you can retrieve it. If the credential is a certificate, it will also be stored in the Certificate property.

Certificate

When SourceType is Certificate, you will use this property to provide the certificate yourself. When SourceType is Base64Encoded or KeyVault or Path or StoreWithDistinguishedName or StoreWithThumbprint after the certificate is retrieved by a ICredentialsLoader, it will be stored in this property and also in the CachedValue.

CertificateDiskPath

When SourceType is Path, specifies the path to the certificate on disk. You can use this property to specify the path to a PFX file containing the certificate and its private key. If a password is needed, use CertificatePassword.

CertificateDistinguishedName

When SourceType is StoreWithDistinguishedName, specifies the distinguished name of the certificate in the store specified by CertificateStorePath.

CertificatePassword

When SourceType is Path, specifies the password to use to access the certificate which path is specified by CertificateDiskPath. Only use this property if the certificate is protected by a password.

CertificateStorePath

When SourceType is StoreWithDistinguishedName or StoreWithThumbprint, specifies the certificate store from which to extract the certificate. The format is the concatenation of a value of StoreLocation and a value of StoreName separated by a slash. For instance, use CurrentUser/My for a user certificate, and LocalMachine/My for a computer certificate.

CertificateThumbprint

When SourceType is StoreWithThumbprint specifies the thumbprint of the certificate to extract from the certificate store specified by CertificateStorePath.

ClientSecret

When SourceType is ClientSecret, describes the client secret to use as a client credential in a confidential client application. The client secret is a string known only to the application and the identity provider. It needs to match the value configured during the application registration.

Container

Container in which to find the credential. You will normally not use this property directly. It could be used by property editors in tools or IDEs. Instead, use the properties that are specific to the SourceType.

CredentialType

Describes the type of credentials, based on the SourceType.

DecryptKeysAuthenticationOptions

When SourceType is AutoDecryptKeys, this property describes the authority to use to get a token for a web API to get the keys used to decrypt an encrypted token. The cloud instance will be the same as the application, but the application can be a multi-tenant application (tenant = common or organizations), and in this case to get a token on behalf of itself, the credential type needs to provide a tenant. More generally you might want to specify authentication options, including protocol, PopKey, etc ... This credential description is only used for decrypt credentials, not for client credentials.

Id

Gets a unique identifier for a CredentialDescription based on SourceType and ReferenceOrValue.

KeyVaultCertificateName

When SourceType is KeyVault, use this property to specify the the name of the certificate in Key Vault in conjunction with KeyVaultUrl.

KeyVaultUrl

When SourceType is KeyVault, use this property to specify the URL of the Key Vault containing the certificate, in conjunction with KeyVaultCertificateName.

ManagedIdentityClientId

When SourceType is SignedAssertionFromManagedIdentity, it specifies the client ID of the Azure user-assigned managed identity used to provide a signed assertion to act as a client credential for the application. This requires that the application is deployed on Azure, that the managed identity is configured, and that workload identity federation with the managed identity is declared in the application registration. For details, see https://learn.microsoft.com/azure/active-directory/workload-identities/workload-identity-federation.

ReferenceOrValue

Reference to the certificate or value. You will normally not use this property directly. It could be used by property editors in tools or IDEs. Instead, use the properties that are specific to the SourceType.

SignedAssertionFileDiskPath

When SourceType is SignedAssertionFilePath, optionally specifies the path on disk of a file containing a signed assertion used as a client assertion for the confidential client application. The signed assertion file is a file containing a signed JWT assertion that is used as a client credential. You will usually use this option when you want to integrate with workload identity federation with Azure Kubernetes Service (AKS). For details, see https://learn.microsoft.com/azure/active-directory/workload-identities/workload-identity-federation.

Skip

Skip this credential description. This is useful when, you specify a list of credentials, some of which don't apply in a particular deployment. It will also be used by the ICredentialsLoader if it cannot find or load the credential.

SourceType

Type of the source of the credential. This property is used to determine which other properties need to be provided to describe the credential.

TokenExchangeUrl

(Microsoft Entra specific) Value that can be used to configure the token exchange resource url in the case of federation identity credentials with Managed identity.

Applies to