Support for AAD Audience in connection string (for sovereign cloud)

.github/workflows/build-common.yml

@@ -8,7 +8,7 @@ on:
         required: false
 
 env:
-  EXPORTER_VERSION: 1.0.0-beta.1 # to be updated with the latest version
+  EXPORTER_VERSION: 1.0.0-beta.4 # to be updated with the latest version
 
 jobs:
   spotless:

CHANGELOG.md

@@ -1,4 +1,6 @@
 # CHANGELOG
+## Version 3.7.2 GA (Unreleased)
+* Support for using the AAD Audience from the connection string ([#4121](https://github.com/microsoft/ApplicationInsights-Java/pull/4121))
 
 ## Version 3.7.1 GA (02/26/2025)
 

agent/agent-tooling/build.gradle.kts

@@ -21,7 +21,7 @@ dependencies {
   implementation(project(":agent:agent-profiler:agent-diagnostics"))
   implementation(project(":etw:java"))
 
-  implementation("com.azure:azure-monitor-opentelemetry-autoconfigure:1.0.0-beta.3")
+  implementation("com.azure:azure-monitor-opentelemetry-autoconfigure:1.0.0-beta.4")
   compileOnly("io.opentelemetry.javaagent:opentelemetry-javaagent-bootstrap")
   compileOnly("io.opentelemetry.javaagent:opentelemetry-javaagent-tooling")
   compileOnly("io.opentelemetry.javaagent:opentelemetry-javaagent-tooling-java9")

agent/agent-tooling/gradle.lockfile

@@ -9,7 +9,7 @@ com.azure:azure-core-http-netty:1.15.7=runtimeClasspath
 com.azure:azure-core:1.54.1=runtimeClasspath
 com.azure:azure-identity:1.15.3=runtimeClasspath
 com.azure:azure-json:1.3.0=runtimeClasspath
-com.azure:azure-monitor-opentelemetry-autoconfigure:1.0.0-beta.3=runtimeClasspath
+com.azure:azure-monitor-opentelemetry-autoconfigure:1.0.0-beta.4=runtimeClasspath
 com.azure:azure-sdk-bom:1.2.31=runtimeClasspath
 com.azure:azure-storage-blob:12.29.0=runtimeClasspath
 com.azure:azure-storage-common:12.28.0=runtimeClasspath

agent/agent-tooling/src/main/java/com/microsoft/applicationinsights/agent/internal/httpclient/LazyHttpClient.java

@@ -37,9 +37,6 @@
 
 public class LazyHttpClient implements HttpClient {
 
-  private static final String APPLICATIONINSIGHTS_AUTHENTICATION_SCOPE =
-      "https://monitor.azure.com//.default";
-
   private static final HttpClient INSTANCE = new LazyHttpClient();
 
   public static final CountDownLatch safeToInitLatch = new CountDownLatch(1);
@@ -113,16 +110,18 @@ private static HttpClient init() {
   }
 
   public static HttpPipeline newHttpPipeLineWithDefaultRedirect(
-      @Nullable Configuration.AadAuthentication aadConfiguration) {
-    return newHttpPipeLine(aadConfiguration, new RedirectPolicy(new DefaultRedirectStrategy()));
+      @Nullable Configuration.AadAuthentication aadConfiguration, String aadAudienceWithScope) {
+    return newHttpPipeLine(
+        aadConfiguration, aadAudienceWithScope, new RedirectPolicy(new DefaultRedirectStrategy()));
   }
 
   public static HttpPipeline newHttpPipeLine(
       @Nullable Configuration.AadAuthentication aadConfiguration,
+      String aadAudienceWithScope,
       HttpPipelinePolicy... additionalPolicies) {
     List<HttpPipelinePolicy> policies = new ArrayList<>();
     if (aadConfiguration != null && aadConfiguration.enabled) {
-      policies.add(getAuthenticationPolicy(aadConfiguration));
+      policies.add(getAuthenticationPolicy(aadConfiguration, aadAudienceWithScope));
     }
     policies.addAll(asList(additionalPolicies));
     // Add Logging Policy. Can be enabled using AZURE_LOG_LEVEL.
@@ -144,31 +143,31 @@ public Mono<HttpResponse> send(HttpRequest request, Context context) {
   }
 
   private static HttpPipelinePolicy getAuthenticationPolicy(
-      Configuration.AadAuthentication configuration) {
+      Configuration.AadAuthentication configuration, String aadAudienceWithScope) {
     switch (configuration.type) {
       case UAMI:
-        return getAuthenticationPolicyWithUami(configuration);
+        return getAuthenticationPolicyWithUami(configuration, aadAudienceWithScope);
       case SAMI:
-        return getAuthenticationPolicyWithSami();
+        return getAuthenticationPolicyWithSami(aadAudienceWithScope);
       case VSCODE:
-        return getAuthenticationPolicyWithVsCode();
+        return getAuthenticationPolicyWithVsCode(aadAudienceWithScope);
       case CLIENTSECRET:
-        return getAuthenticationPolicyWithClientSecret(configuration);
+        return getAuthenticationPolicyWithClientSecret(configuration, aadAudienceWithScope);
     }
     throw new IllegalStateException(
         "Invalid Authentication Type used in AAD Authentication: " + configuration.type);
   }
 
   private static HttpPipelinePolicy getAuthenticationPolicyWithUami(
-      Configuration.AadAuthentication configuration) {
+      Configuration.AadAuthentication configuration, String aadAudienceWithScope) {
     ManagedIdentityCredentialBuilder managedIdentityCredential =
         new ManagedIdentityCredentialBuilder().clientId(configuration.clientId);
     return new BearerTokenAuthenticationPolicy(
-        managedIdentityCredential.build(), APPLICATIONINSIGHTS_AUTHENTICATION_SCOPE);
+        managedIdentityCredential.build(), aadAudienceWithScope);
   }
 
   private static HttpPipelinePolicy getAuthenticationPolicyWithClientSecret(
-      Configuration.AadAuthentication configuration) {
+      Configuration.AadAuthentication configuration, String aadAudienceWithScope) {
     ClientSecretCredentialBuilder credential =
         new ClientSecretCredentialBuilder()
             .tenantId(configuration.tenantId)
@@ -177,21 +176,18 @@ private static HttpPipelinePolicy getAuthenticationPolicyWithClientSecret(
     if (configuration.authorityHost != null) {
       credential.authorityHost(configuration.authorityHost);
     }
-    return new BearerTokenAuthenticationPolicy(
-        credential.build(), APPLICATIONINSIGHTS_AUTHENTICATION_SCOPE);
+    return new BearerTokenAuthenticationPolicy(credential.build(), aadAudienceWithScope);
   }
 
-  private static HttpPipelinePolicy getAuthenticationPolicyWithVsCode() {
+  private static HttpPipelinePolicy getAuthenticationPolicyWithVsCode(String aadAudienceWithScope) {
     VisualStudioCodeCredential visualStudioCodeCredential =
         new VisualStudioCodeCredentialBuilder().build();
-    return new BearerTokenAuthenticationPolicy(
-        visualStudioCodeCredential, APPLICATIONINSIGHTS_AUTHENTICATION_SCOPE);
+    return new BearerTokenAuthenticationPolicy(visualStudioCodeCredential, aadAudienceWithScope);
   }
 
-  private static HttpPipelinePolicy getAuthenticationPolicyWithSami() {
+  private static HttpPipelinePolicy getAuthenticationPolicyWithSami(String aadAudienceWithScope) {
     ManagedIdentityCredential managedIdentityCredential =
         new ManagedIdentityCredentialBuilder().build();
-    return new BearerTokenAuthenticationPolicy(
-        managedIdentityCredential, APPLICATIONINSIGHTS_AUTHENTICATION_SCOPE);
+    return new BearerTokenAuthenticationPolicy(managedIdentityCredential, aadAudienceWithScope);
   }
 }

agent/agent-tooling/src/main/java/com/microsoft/applicationinsights/agent/internal/init/SecondEntryPoint.java

@@ -201,7 +201,10 @@ public void customize(AutoConfigurationCustomizer autoConfiguration) {
     if (telemetryClient.getConnectionString() != null) {
       statsbeatModule.start(
           AzureMonitorHelper.createStatsbeatTelemetryItemExporter(
-              LazyHttpClient.newHttpPipeLine(null), statsbeatModule, tempDir),
+              LazyHttpClient.newHttpPipeLine(
+                  null, telemetryClient.getConnectionString().getAadAudienceWithScope()),
+              statsbeatModule,
+              tempDir),
           telemetryClient::getStatsbeatConnectionString,
           telemetryClient::getInstrumentationKey,
           configuration.internal.statsbeat.disabledAll,
@@ -224,7 +227,9 @@ public void customize(AutoConfigurationCustomizer autoConfiguration) {
     if (configuration.preview.liveMetrics.enabled) {
       quickPulse =
           QuickPulse.create(
-              LazyHttpClient.newHttpPipeLineWithDefaultRedirect(configuration.authentication),
+              LazyHttpClient.newHttpPipeLineWithDefaultRedirect(
+                  configuration.authentication,
+                  telemetryClient.getConnectionString().getAadAudienceWithScope()),
               () -> {
                 ConnectionString connectionString = telemetryClient.getConnectionString();
                 return connectionString == null ? null : connectionString.getLiveEndpoint();

agent/agent-tooling/src/main/java/com/microsoft/applicationinsights/agent/internal/profiler/ProfilingInitializer.java

@@ -121,6 +121,7 @@ private synchronized void performInit() {
     httpPipeline =
         LazyHttpClient.newHttpPipeLine(
             telemetryClient.getAadAuthentication(),
+            telemetryClient.getConnectionString().getAadAudienceWithScope(),
             new RedirectPolicy(
                 new DefaultRedirectStrategy(
                     3,

agent/agent-tooling/src/main/java/com/microsoft/applicationinsights/agent/internal/telemetry/TelemetryClient.java

@@ -227,6 +227,7 @@ private BatchItemProcessor initBatchItemProcessor(
     HttpPipeline httpPipeline =
         LazyHttpClient.newHttpPipeLine(
             aadAuthentication,
+            connectionString.getAadAudienceWithScope(),
             new NetworkStatsbeatHttpPipelinePolicy(statsbeatModule.getNetworkStatsbeat()));
     // TODO (heya) refactor the following by using AzureMonitorHelper.createTelemetryItemExporter by
     // passing in getNonessentialStatsbeat