Implement an Event Hubs Shared Access Key Credential

[jsquire]

Summary

Event Hubs allows for authorization using a shared key and shared access signature that is currently only supported when using a connection string. To align with best practices, we would like to guide library users to down the path of using Identity credentials for production applications. In order to provide a unified approach to authorization around the use of a credential for all scenarios, a service-specific credential type that mimics the API of the TokenCredential is desirable.

Scope of Work

• Design and implementation of a EventHubsSharedAccessKeyCredential type where the API mimics the TokenCredential form.

• The credential should NOT derive from TokenCredential to avoid accidentally attempting to use it with another service.

• The credential should support creation using a shared key name and shared key value combination.

• The credential should support creation using a shared access signature.

• The credential should allow the shared key and value or the shared access signature to be updated without stopping or recreating the associated clients.

• The proposed surface area of the credential, as well as changes to the client API to accept it should be reviewed with the language architect, and approval obtained. Full board review is not necessary.

Success Criteria

• The design of a credential type detailed by the scope has been completed and approved by the language architect.

• The credential has been implemented according to the design and is exposed as part of the public API of the library.

• All clients that accept a TokenCredential also accept the new EventHubsSharedAccessKeyCredential in a similar manner,

• The tests necessary for its validation have been created or adjusted and pass reliably.

• The existing test suite continues to produce deterministic results and pass reliably.

References

• Follow-Up: Client Creation Discussion
• Client Creation Discussion

[ramya-rao-a]

The scope of this task has changed since the last 6 months.
Latest update:

AzureNamedKeyCredential and AzureSasCredential classes were added to Azure Core in the past few months. This task is to ensure that the client builders in Event Hubs support these classes as overloads to the existing credential() builder.

The name and key in AzureNamedKeyCredential are to be used just like how the SharedAccessKeyName and SharedAccessKey parts of the connection string in the connectionString() builder get used

The signature in AzureSasCredential class is to be used just like how the SharedAccessSignature part of the connection string in the connectionString() builder gets used.

cc @joshfree, @YijunXieMS, @conniey, @hemanttanwar

[v-xuto]

PR #21228 merged, could we close this issue?

[jsquire]

could we close this issue?

Thanks, @v-xuto. Seems reasonable to me; closing out. @conniey: feel free to reopen if you think there's more that needs to be done.

[conniey]

@v-xuto You can automatically close issues with PRs using the "Fixes" keywords. https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword