in pkg/internal/pop/msal_confidential.go [24:90]
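// AcquirePoPTokenConfidential acquires a Proof-of-Possession (PoP) access token
// for a confidential client (service principal) through MSAL.
//
// The token is bound to the software PoP key returned by popKeyFunc
// (GetSwPoPKey when popKeyFunc is nil) and to the host taken from
// popClaims["u"]. The MSAL client is created with X5C enabled and with
// instance discovery controlled by msalOptions.DisableInstanceDiscovery. A
// silent (cache-backed) acquisition is attempted first; if that fails for any
// reason the token is requested directly with cred.
//
// Parameters:
//   context     - request context handed to MSAL.
//   popClaims   - PoP claims; only the "u" (host) claim is read here.
//   scopes      - scopes to request the token for.
//   cred        - confidential client credential (secret or certificate).
//   msalOptions - client configuration; must be non-nil. When
//                 Options.Transport is set it must be an *http.Client.
//   popKeyFunc  - supplier of the PoP key; nil selects GetSwPoPKey.
//
// Returns the access token, its expiry as a Unix timestamp, and an error.
// On error the token is "" and the expiry is -1.
func AcquirePoPTokenConfidential(
	context context.Context,
	popClaims map[string]string,
	scopes []string,
	cred confidential.Credential,
	msalOptions *MsalClientOptions,
	popKeyFunc func() (*SwKey, error),
) (string, int64, error) {
	if popKeyFunc == nil {
		popKeyFunc = GetSwPoPKey
	}
	popKey, err := popKeyFunc()
	if err != nil {
		return "", -1, fmt.Errorf("unable to get PoP key: %w", err)
	}
	// Options are validated before any field of msalOptions is dereferenced.
	if msalOptions == nil {
		return "", -1, fmt.Errorf("unable to create confidential client: msalClientOptions is empty")
	}
	// NOTE(review): the "u" claim is the host the PoP token is bound to. An
	// absent or empty value is passed through unchanged here — confirm that
	// PoPAuthenticationScheme rejects it rather than issuing an unbound token.
	authnScheme := &PoPAuthenticationScheme{
		Host:   popClaims["u"],
		PoPKey: popKey,
	}

	// Build the option list once so both transport cases share one New call.
	clientOpts := []confidential.Option{
		confidential.WithX5C(),
		confidential.WithInstanceDiscovery(!msalOptions.DisableInstanceDiscovery),
	}
	if msalOptions.Options.Transport != nil {
		// Use a checked assertion: any Transporter that is not an
		// *http.Client would otherwise panic here instead of returning an
		// error to the caller.
		httpClient, ok := msalOptions.Options.Transport.(*http.Client)
		if !ok {
			return "", -1, fmt.Errorf("unable to create confidential client: transport is %T, expected *http.Client", msalOptions.Options.Transport)
		}
		clientOpts = append(clientOpts, confidential.WithHTTPClient(httpClient))
	}
	client, err := confidential.New(
		msalOptions.Authority,
		msalOptions.ClientID,
		cred,
		clientOpts...,
	)
	if err != nil {
		return "", -1, fmt.Errorf("unable to create confidential client: %w", err)
	}

	acquireOpts := []confidential.AcquireSilentOption{
		confidential.WithAuthenticationScheme(authnScheme),
		confidential.WithTenantID(msalOptions.TenantID),
	}
	// Silent acquisition serves from MSAL's cache; its error is deliberately
	// not surfaced because a miss simply means we must go to the authority.
	result, err := client.AcquireTokenSilent(context, scopes, acquireOpts...)
	if err != nil {
		result, err = client.AcquireTokenByCredential(
			context,
			scopes,
			confidential.WithAuthenticationScheme(authnScheme),
			confidential.WithTenantID(msalOptions.TenantID),
		)
		if err != nil {
			return "", -1, fmt.Errorf("failed to create service principal PoP token using secret: %w", err)
		}
	}
	return result.AccessToken, result.ExpiresOn.Unix(), nil
}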