Align CLI implementation with PR #3151 - rename to UserDelegatedAuthOptions and add provider field

Copilot · anushakolan · Copilot · commit b0f98fe91396 · 2026-02-23T20:48:55.000Z
Co-authored-by: anushakolan &lt;45540936+anushakolan@users.noreply.github.com&gt;
diff --git a/global.json b/global.json
@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "8.0.418",
+    "version": "8.0.417",
     "rollForward": "latestFeature"
   }
 }
diff --git a/src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs b/src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs
@@ -53,8 +53,6 @@ public void TestRuntimeCanParseUserDelegatedAuthConfig()
             Assert.IsNotNull(config.DataSource.UserDelegatedAuth);
             Assert.IsTrue(config.DataSource.UserDelegatedAuth.Enabled);
             Assert.AreEqual("https://database.windows.net", config.DataSource.UserDelegatedAuth.DatabaseAudience);
-            Assert.AreEqual(50, config.DataSource.UserDelegatedAuth.EffectiveTokenCacheDurationMinutes);
-            Assert.IsTrue(config.DataSource.UserDelegatedAuth.EffectiveDisableConnectionPooling);
         }
 
         [TestMethod]
diff --git a/src/Cli/ConfigGenerator.cs b/src/Cli/ConfigGenerator.cs
@@ -643,7 +643,7 @@ private static bool TryUpdateConfiguredDataSourceOptions(
             DatabaseType dbType = runtimeConfig.DataSource.DatabaseType;
             string dataSourceConnectionString = runtimeConfig.DataSource.ConnectionString;
             DatasourceHealthCheckConfig? datasourceHealthCheckConfig = runtimeConfig.DataSource.Health;
-            UserDelegatedAuthConfig? userDelegatedAuthConfig = runtimeConfig.DataSource.UserDelegatedAuth;
+            UserDelegatedAuthOptions? userDelegatedAuthConfig = runtimeConfig.DataSource.UserDelegatedAuth;
 
             if (options.DataSourceDatabaseType is not null)
             {
@@ -735,16 +735,21 @@ private static bool TryUpdateConfiguredDataSourceOptions(
                 string? databaseAudience = options.DataSourceUserDelegatedAuthDatabaseAudience
                     ?? userDelegatedAuthConfig?.DatabaseAudience;
 
+                // Get provider: preserve existing or use default "EntraId"
+                string? provider = userDelegatedAuthConfig?.Provider ?? "EntraId";
+
                 // Create or update user-delegated-auth config
-                userDelegatedAuthConfig = new UserDelegatedAuthConfig(
+                userDelegatedAuthConfig = new UserDelegatedAuthOptions(
                     Enabled: enabled,
-                    DatabaseAudience: databaseAudience,
-                    DisableConnectionPooling: userDelegatedAuthConfig?.DisableConnectionPooling,
-                    TokenCacheDurationMinutes: userDelegatedAuthConfig?.TokenCacheDurationMinutes);
+                    Provider: provider,
+                    DatabaseAudience: databaseAudience);
             }
 
             dbOptions = EnumerableUtilities.IsNullOrEmpty(dbOptions) ? null : dbOptions;
-            DataSource dataSource = new(dbType, dataSourceConnectionString, dbOptions, datasourceHealthCheckConfig, userDelegatedAuthConfig);
+            DataSource dataSource = new(dbType, dataSourceConnectionString, dbOptions, datasourceHealthCheckConfig)
+            {
+                UserDelegatedAuth = userDelegatedAuthConfig
+            };
             runtimeConfig = runtimeConfig with { DataSource = dataSource };
 
             return runtimeConfig != null;
diff --git a/src/Config/Converters/DataSourceConverterFactory.cs b/src/Config/Converters/DataSourceConverterFactory.cs
@@ -51,13 +51,16 @@ public DataSourceConverter(DeserializationVariableReplacementSettings? replaceme
                 string connectionString = string.Empty;
                 DatasourceHealthCheckConfig? health = null;
                 Dictionary<string, object?>? datasourceOptions = null;
-                UserDelegatedAuthConfig? userDelegatedAuth = null;
+                UserDelegatedAuthOptions? userDelegatedAuth = null;
 
                 while (reader.Read())
                 {
                     if (reader.TokenType is JsonTokenType.EndObject)
                     {
-                        return new DataSource(databaseType, connectionString, datasourceOptions, health, userDelegatedAuth);
+                        return new DataSource(databaseType, connectionString, datasourceOptions, health)
+                        {
+                            UserDelegatedAuth = userDelegatedAuth
+                        };
                     }
 
                     if (reader.TokenType is JsonTokenType.PropertyName)
@@ -98,7 +101,7 @@ public DataSourceConverter(DeserializationVariableReplacementSettings? replaceme
                                 {
                                     try
                                     {
-                                        userDelegatedAuth = JsonSerializer.Deserialize<UserDelegatedAuthConfig>(ref reader, options);
+                                        userDelegatedAuth = JsonSerializer.Deserialize<UserDelegatedAuthOptions>(ref reader, options);
                                     }
                                     catch (Exception e)
                                     {
diff --git a/src/Config/ObjectModel/DataSource.cs b/src/Config/ObjectModel/DataSource.cs
@@ -14,13 +14,11 @@ namespace Azure.DataApiBuilder.Config.ObjectModel;
 /// <param name="ConnectionString">Connection string to access the database.</param>
 /// <param name="Options">Custom options for the specific database. If there are no options, this could be null.</param>
 /// <param name="Health">Health check configuration for the datasource.</param>
-/// <param name="UserDelegatedAuth">User-delegated authentication configuration (OBO). Optional.</param>
 public record DataSource(
     DatabaseType DatabaseType,
     string ConnectionString,
     Dictionary<string, object?>? Options = null,
-    DatasourceHealthCheckConfig? Health = null,
-    UserDelegatedAuthConfig? UserDelegatedAuth = null)
+    DatasourceHealthCheckConfig? Health = null)
 {
     [JsonIgnore]
     public bool IsDatasourceHealthEnabled =>
@@ -42,6 +40,13 @@ public int DatasourceThresholdMs
         }
     }
 
+    /// <summary>
+    /// Configuration for user-delegated authentication (OBO) against the
+    /// configured database.
+    /// </summary>
+    [JsonPropertyName("user-delegated-auth")]
+    public UserDelegatedAuthOptions? UserDelegatedAuth { get; init; }
+
     /// <summary>
     /// Converts the <c>Options</c> dictionary into a typed options object.
     /// May return null if the dictionary is null.
diff --git a/src/Config/ObjectModel/UserDelegatedAuthConfig.cs b/src/Config/ObjectModel/UserDelegatedAuthConfig.cs
diff --git a/src/Config/ObjectModel/UserDelegatedAuthOptions.cs b/src/Config/ObjectModel/UserDelegatedAuthOptions.cs
@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace Azure.DataApiBuilder.Config.ObjectModel;
+
+/// <summary>
+/// Configuration for user-delegated authentication (OBO - On-Behalf-Of).
+/// Enables per-user Entra ID access token authentication to Azure SQL.
+/// </summary>
+/// <param name="Enabled">Whether user-delegated authentication is enabled.</param>
+/// <param name="Provider">Identity provider for user-delegated authentication.</param>
+/// <param name="DatabaseAudience">The Azure SQL resource identifier for token acquisition.</param>
+public record UserDelegatedAuthOptions(
+    [property: JsonPropertyName("enabled")] bool Enabled = false,
+    [property: JsonPropertyName("provider")] string? Provider = null,
+    [property: JsonPropertyName("database-audience")] string? DatabaseAudience = null)
+{
+    /// <summary>
+    /// Default duration, in minutes, to cache tokens for a given delegated identity.
+    /// With a 5-minute early refresh buffer, tokens are refreshed at the 40-minute mark.
+    /// </summary>
+    public const int DEFAULT_TOKEN_CACHE_DURATION_MINUTES = 45;
+
+    /// <summary>
+    /// Environment variable name for OBO App Registration client ID.
+    /// Uses DAB-specific prefix to avoid conflict with AZURE_CLIENT_ID which is
+    /// interpreted by DefaultAzureCredential/ManagedIdentityCredential as a
+    /// User-Assigned Managed Identity ID.
+    /// </summary>
+    public const string AZURE_CLIENT_ID_ENV_VAR = "DAB_OBO_CLIENT_ID";
+
+    /// <summary>
+    /// Environment variable name for OBO App Registration client secret.
+    /// Used for On-Behalf-Of token exchange.
+    /// </summary>
+    public const string AZURE_CLIENT_SECRET_ENV_VAR = "DAB_OBO_CLIENT_SECRET";
+
+    /// <summary>
+    /// Environment variable name for OBO tenant ID.
+    /// Uses DAB-specific prefix for consistency with OBO client ID.
+    /// </summary>
+    public const string AZURE_TENANT_ID_ENV_VAR = "DAB_OBO_TENANT_ID";
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"sdk": {`
`3`		`- "version": "8.0.418",`
	`3`	`+ "version": "8.0.417",`
`4`	`4`	`"rollForward": "latestFeature"`
`5`	`5`	`}`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,6 @@ public void TestRuntimeCanParseUserDelegatedAuthConfig()`
`53`	`53`	`Assert.IsNotNull(config.DataSource.UserDelegatedAuth);`
`54`	`54`	`Assert.IsTrue(config.DataSource.UserDelegatedAuth.Enabled);`
`55`	`55`	`Assert.AreEqual("https://database.windows.net", config.DataSource.UserDelegatedAuth.DatabaseAudience);`
`56`		`- Assert.AreEqual(50, config.DataSource.UserDelegatedAuth.EffectiveTokenCacheDurationMinutes);`
`57`		`- Assert.IsTrue(config.DataSource.UserDelegatedAuth.EffectiveDisableConnectionPooling);`
`58`	`56`	`}`
`59`	`57`
`60`	`58`	`[TestMethod]`
Original file line number	Diff line number	Diff line change
`@@ -51,13 +51,16 @@ public DataSourceConverter(DeserializationVariableReplacementSettings? replaceme`
`51`	`51`	`string connectionString = string.Empty;`
`52`	`52`	`DatasourceHealthCheckConfig? health = null;`
`53`	`53`	`Dictionary<string, object?>? datasourceOptions = null;`
`54`		`- UserDelegatedAuthConfig? userDelegatedAuth = null;`
	`54`	`+ UserDelegatedAuthOptions? userDelegatedAuth = null;`
`55`	`55`
`56`	`56`	`while (reader.Read())`
`57`	`57`	`{`
`58`	`58`	`if (reader.TokenType is JsonTokenType.EndObject)`
`59`	`59`	`{`
`60`		`- return new DataSource(databaseType, connectionString, datasourceOptions, health, userDelegatedAuth);`
	`60`	`+ return new DataSource(databaseType, connectionString, datasourceOptions, health)`
	`61`	`+ {`
	`62`	`+ UserDelegatedAuth = userDelegatedAuth`
	`63`	`+ };`
`61`	`64`	`}`
`62`	`65`
`63`	`66`	`if (reader.TokenType is JsonTokenType.PropertyName)`
`@@ -98,7 +101,7 @@ public DataSourceConverter(DeserializationVariableReplacementSettings? replaceme`
`98`	`101`	`{`
`99`	`102`	`try`
`100`	`103`	`{`
`101`		`- userDelegatedAuth = JsonSerializer.Deserialize<UserDelegatedAuthConfig>(ref reader, options);`
	`104`	`+ userDelegatedAuth = JsonSerializer.Deserialize<UserDelegatedAuthOptions>(ref reader, options);`
`102`	`105`	`}`
`103`	`106`	`catch (Exception e)`
`104`	`107`	`{`