plugin/pkg/client/auth/azure/azure.go - external/github.com/kubernetes/client-go - Git at Google

 /*
 Copyright 2017 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package azure

 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"os"
 	"strconv"
 	"sync"

 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"k8s.io/klog/v2"

 	"k8s.io/apimachinery/pkg/util/net"
 	restclient "k8s.io/client-go/rest"
 )

 type configMode int

 const (
 	azureTokenKey = "azureTokenKey"
 	tokenType     = "Bearer"
 	authHeader    = "Authorization"

 	cfgClientID     = "client-id"
 	cfgTenantID     = "tenant-id"
 	cfgAccessToken  = "access-token"
 	cfgRefreshToken = "refresh-token"
 	cfgExpiresIn    = "expires-in"
 	cfgExpiresOn    = "expires-on"
 	cfgEnvironment  = "environment"
 	cfgApiserverID  = "apiserver-id"
 	cfgConfigMode   = "config-mode"

 	configModeDefault       configMode = 0
 	configModeOmitSPNPrefix configMode = 1
 )

 func init() {
 	if err := restclient.RegisterAuthProviderPlugin("azure", newAzureAuthProvider); err != nil {
 		klog.Fatalf("Failed to register azure auth plugin: %v", err)
 	}
 }

 var cache = newAzureTokenCache()

 type azureTokenCache struct {
 	lock  sync.Mutex
 	cache map[string]*azureToken
 }

 func newAzureTokenCache() *azureTokenCache {
 	return &azureTokenCache{cache: make(map[string]*azureToken)}
 }

 func (c *azureTokenCache) getToken(tokenKey string) *azureToken {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 	return c.cache[tokenKey]
 }

 func (c *azureTokenCache) setToken(tokenKey string, token *azureToken) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 	c.cache[tokenKey] = token
 }

 func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
 	var (
 		ts          tokenSource
 		environment azure.Environment
 		err         error
 		mode        configMode
 	)

 	environment, err = azure.EnvironmentFromName(cfg[cfgEnvironment])
 	if err != nil {
 		environment = azure.PublicCloud
 	}

 	mode = configModeDefault
 	if cfg[cfgConfigMode] != "" {
 		configModeInt, err := strconv.Atoi(cfg[cfgConfigMode])
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse %s, error: %s", cfgConfigMode, err)
 		}
 		mode = configMode(configModeInt)
 		switch mode {
 		case configModeOmitSPNPrefix:
 		case configModeDefault:
 		default:
 			return nil, fmt.Errorf("%s:%s is not a valid mode", cfgConfigMode, cfg[cfgConfigMode])
 		}
 	}
 	ts, err = newAzureTokenSourceDeviceCode(environment, cfg[cfgClientID], cfg[cfgTenantID], cfg[cfgApiserverID], mode)
 	if err != nil {
 		return nil, fmt.Errorf("creating a new azure token source for device code authentication: %v", err)
 	}
 	cacheSource := newAzureTokenSource(ts, cache, cfg, mode, persister)

 	return &azureAuthProvider{
 		tokenSource: cacheSource,
 	}, nil
 }

 type azureAuthProvider struct {
 	tokenSource tokenSource
 }

 func (p *azureAuthProvider) Login() error {
 	return errors.New("not yet implemented")
 }

 func (p *azureAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
 	return &azureRoundTripper{
 		tokenSource:  p.tokenSource,
 		roundTripper: rt,
 	}
 }

 type azureRoundTripper struct {
 	tokenSource  tokenSource
 	roundTripper http.RoundTripper
 }

 var _ net.RoundTripperWrapper = &azureRoundTripper{}

 func (r *azureRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	if len(req.Header.Get(authHeader)) != 0 {
 		return r.roundTripper.RoundTrip(req)
 	}

 	token, err := r.tokenSource.Token()
 	if err != nil {
 		klog.Errorf("Failed to acquire a token: %v", err)
 		return nil, fmt.Errorf("acquiring a token for authorization header: %v", err)
 	}

 	// clone the request in order to avoid modifying the headers of the original request
 	req2 := new(http.Request)
 	*req2 = *req
 	req2.Header = make(http.Header, len(req.Header))
 	for k, s := range req.Header {
 		req2.Header[k] = append([]string(nil), s...)
 	}

 	req2.Header.Set(authHeader, fmt.Sprintf("%s %s", tokenType, token.token.AccessToken))

 	return r.roundTripper.RoundTrip(req2)
 }

 func (r *azureRoundTripper) WrappedRoundTripper() http.RoundTripper { return r.roundTripper }

 type azureToken struct {
 	token       adal.Token
 	environment string
 	clientID    string
 	tenantID    string
 	apiserverID string
 }

 type tokenSource interface {
 	Token() (*azureToken, error)
 	Refresh(*azureToken) (*azureToken, error)
 }

 type azureTokenSource struct {
 	source     tokenSource
 	cache      *azureTokenCache
 	lock       sync.Mutex
 	configMode configMode
 	cfg        map[string]string
 	persister  restclient.AuthProviderConfigPersister
 }

 func newAzureTokenSource(source tokenSource, cache *azureTokenCache, cfg map[string]string, configMode configMode, persister restclient.AuthProviderConfigPersister) tokenSource {
 	return &azureTokenSource{
 		source:     source,
 		cache:      cache,
 		cfg:        cfg,
 		persister:  persister,
 		configMode: configMode,
 	}
 }

 // Token fetches a token from the cache of configuration if present otherwise
 // acquires a new token from the configured source. Automatically refreshes
 // the token if expired.
 func (ts *azureTokenSource) Token() (*azureToken, error) {
 	ts.lock.Lock()
 	defer ts.lock.Unlock()

 	var err error
 	token := ts.cache.getToken(azureTokenKey)

 	if token != nil && !token.token.IsExpired() {
 		return token, nil
 	}

 	// retrieve from config if no cache
 	if token == nil {
 		tokenFromCfg, err := ts.retrieveTokenFromCfg()

 		if err == nil {
 			token = tokenFromCfg
 		}
 	}

 	if token != nil {
 		// cache and return if the token is as good
 		// avoids frequent persistor calls
 		if !token.token.IsExpired() {
 			ts.cache.setToken(azureTokenKey, token)
 			return token, nil
 		}

 		klog.V(4).Info("Refreshing token.")
 		tokenFromRefresh, err := ts.Refresh(token)
 		switch {
 		case err == nil:
 			token = tokenFromRefresh
 		case autorest.IsTokenRefreshError(err):
 			klog.V(4).Infof("Failed to refresh expired token, proceed to auth: %v", err)
 			// reset token to nil so that the token source will be used to acquire new
 			token = nil
 		default:
 			return nil, fmt.Errorf("unexpected error when refreshing token: %v", err)
 		}
 	}

 	if token == nil {
 		tokenFromSource, err := ts.source.Token()
 		if err != nil {
 			return nil, fmt.Errorf("failed acquiring new token: %v", err)
 		}
 		token = tokenFromSource
 	}

 	// sanity check
 	if token == nil {
 		return nil, fmt.Errorf("unable to acquire token")
 	}

 	// corner condition, newly got token is valid but expired
 	if token.token.IsExpired() {
 		return nil, fmt.Errorf("newly acquired token is expired")
 	}

 	err = ts.storeTokenInCfg(token)
 	if err != nil {
 		return nil, fmt.Errorf("storing the refreshed token in configuration: %v", err)
 	}
 	ts.cache.setToken(azureTokenKey, token)

 	return token, nil
 }

 func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 	accessToken := ts.cfg[cfgAccessToken]
 	if accessToken == "" {
 		return nil, fmt.Errorf("no access token in cfg: %s", cfgAccessToken)
 	}
 	refreshToken := ts.cfg[cfgRefreshToken]
 	if refreshToken == "" {
 		return nil, fmt.Errorf("no refresh token in cfg: %s", cfgRefreshToken)
 	}
 	environment := ts.cfg[cfgEnvironment]
 	if environment == "" {
 		return nil, fmt.Errorf("no environment in cfg: %s", cfgEnvironment)
 	}
 	clientID := ts.cfg[cfgClientID]
 	if clientID == "" {
 		return nil, fmt.Errorf("no client ID in cfg: %s", cfgClientID)
 	}
 	tenantID := ts.cfg[cfgTenantID]
 	if tenantID == "" {
 		return nil, fmt.Errorf("no tenant ID in cfg: %s", cfgTenantID)
 	}
 	resourceID := ts.cfg[cfgApiserverID]
 	if resourceID == "" {
 		return nil, fmt.Errorf("no apiserver ID in cfg: %s", cfgApiserverID)
 	}
 	expiresIn := ts.cfg[cfgExpiresIn]
 	if expiresIn == "" {
 		return nil, fmt.Errorf("no expiresIn in cfg: %s", cfgExpiresIn)
 	}
 	expiresOn := ts.cfg[cfgExpiresOn]
 	if expiresOn == "" {
 		return nil, fmt.Errorf("no expiresOn in cfg: %s", cfgExpiresOn)
 	}
 	tokenAudience := resourceID
 	if ts.configMode == configModeDefault {
 		tokenAudience = fmt.Sprintf("spn:%s", resourceID)
 	}

 	return &azureToken{
 		token: adal.Token{
 			AccessToken:  accessToken,
 			RefreshToken: refreshToken,
 			ExpiresIn:    json.Number(expiresIn),
 			ExpiresOn:    json.Number(expiresOn),
 			NotBefore:    json.Number(expiresOn),
 			Resource:     tokenAudience,
 			Type:         tokenType,
 		},
 		environment: environment,
 		clientID:    clientID,
 		tenantID:    tenantID,
 		apiserverID: resourceID,
 	}, nil
 }

 func (ts *azureTokenSource) storeTokenInCfg(token *azureToken) error {
 	newCfg := make(map[string]string)
 	newCfg[cfgAccessToken] = token.token.AccessToken
 	newCfg[cfgRefreshToken] = token.token.RefreshToken
 	newCfg[cfgEnvironment] = token.environment
 	newCfg[cfgClientID] = token.clientID
 	newCfg[cfgTenantID] = token.tenantID
 	newCfg[cfgApiserverID] = token.apiserverID
 	newCfg[cfgExpiresIn] = string(token.token.ExpiresIn)
 	newCfg[cfgExpiresOn] = string(token.token.ExpiresOn)
 	newCfg[cfgConfigMode] = strconv.Itoa(int(ts.configMode))

 	err := ts.persister.Persist(newCfg)
 	if err != nil {
 		return fmt.Errorf("persisting the configuration: %v", err)
 	}
 	ts.cfg = newCfg
 	return nil
 }

 func (ts *azureTokenSource) Refresh(token *azureToken) (*azureToken, error) {
 	return ts.source.Refresh(token)
 }

 // refresh outdated token with adal.
 // adal.RefreshTokenError will be returned if error occur during refreshing.
 func (ts *azureTokenSourceDeviceCode) Refresh(token *azureToken) (*azureToken, error) {
 	env, err := azure.EnvironmentFromName(token.environment)
 	if err != nil {
 		return nil, err
 	}

 	var oauthConfig *adal.OAuthConfig
 	if ts.configMode == configModeOmitSPNPrefix {
 		oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, token.tenantID, nil)
 		if err != nil {
 			return nil, fmt.Errorf("building the OAuth configuration without api-version for token refresh: %v", err)
 		}
 	} else {
 		oauthConfig, err = adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
 		if err != nil {
 			return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
 		}
 	}

 	callback := func(t adal.Token) error {
 		return nil
 	}
 	spt, err := adal.NewServicePrincipalTokenFromManualToken(
 		*oauthConfig,
 		token.clientID,
 		token.apiserverID,
 		token.token,
 		callback)
 	if err != nil {
 		return nil, fmt.Errorf("creating new service principal for token refresh: %v", err)
 	}

 	if err := spt.Refresh(); err != nil {
 		return nil, fmt.Errorf("refreshing token: %v", err)
 	}

 	return &azureToken{
 		token:       spt.Token(),
 		environment: token.environment,
 		clientID:    token.clientID,
 		tenantID:    token.tenantID,
 		apiserverID: token.apiserverID,
 	}, nil
 }

 type azureTokenSourceDeviceCode struct {
 	environment azure.Environment
 	clientID    string
 	tenantID    string
 	apiserverID string
 	configMode  configMode
 }

 func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID string, tenantID string, apiserverID string, configMode configMode) (tokenSource, error) {
 	if clientID == "" {
 		return nil, errors.New("client-id is empty")
 	}
 	if tenantID == "" {
 		return nil, errors.New("tenant-id is empty")
 	}
 	if apiserverID == "" {
 		return nil, errors.New("apiserver-id is empty")
 	}
 	return &azureTokenSourceDeviceCode{
 		environment: environment,
 		clientID:    clientID,
 		tenantID:    tenantID,
 		apiserverID: apiserverID,
 		configMode:  configMode,
 	}, nil
 }

 func (ts *azureTokenSourceDeviceCode) Token() (*azureToken, error) {
 	var (
 		oauthConfig *adal.OAuthConfig
 		err         error
 	)
 	if ts.configMode == configModeOmitSPNPrefix {
 		oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(ts.environment.ActiveDirectoryEndpoint, ts.tenantID, nil)
 		if err != nil {
 			return nil, fmt.Errorf("building the OAuth configuration without api-version for device code authentication: %v", err)
 		}
 	} else {
 		oauthConfig, err = adal.NewOAuthConfig(ts.environment.ActiveDirectoryEndpoint, ts.tenantID)
 		if err != nil {
 			return nil, fmt.Errorf("building the OAuth configuration for device code authentication: %v", err)
 		}
 	}
 	client := &autorest.Client{}
 	deviceCode, err := adal.InitiateDeviceAuth(client, *oauthConfig, ts.clientID, ts.apiserverID)
 	if err != nil {
 		return nil, fmt.Errorf("initialing the device code authentication: %v", err)
 	}

 	_, err = fmt.Fprintln(os.Stderr, *deviceCode.Message)
 	if err != nil {
 		return nil, fmt.Errorf("prompting the device code message: %v", err)
 	}

 	token, err := adal.WaitForUserCompletion(client, deviceCode)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for device code authentication to complete: %v", err)
 	}

 	return &azureToken{
 		token:       *token,
 		environment: ts.environment.Name,
 		clientID:    ts.clientID,
 		tenantID:    ts.tenantID,
 		apiserverID: ts.apiserverID,
 	}, nil
 }
	/*
	Copyright 2017 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package azure

	import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"sync"

	"github.com/Azure/go-autorest/autorest"
	"github.com/Azure/go-autorest/autorest/adal"
	"github.com/Azure/go-autorest/autorest/azure"
	"k8s.io/klog/v2"

	"k8s.io/apimachinery/pkg/util/net"
	restclient "k8s.io/client-go/rest"
	)

	type configMode int

	const (
	azureTokenKey = "azureTokenKey"
	tokenType = "Bearer"
	authHeader = "Authorization"

	cfgClientID = "client-id"
	cfgTenantID = "tenant-id"
	cfgAccessToken = "access-token"
	cfgRefreshToken = "refresh-token"
	cfgExpiresIn = "expires-in"
	cfgExpiresOn = "expires-on"
	cfgEnvironment = "environment"
	cfgApiserverID = "apiserver-id"
	cfgConfigMode = "config-mode"

	configModeDefault configMode = 0
	configModeOmitSPNPrefix configMode = 1
	)

	func init() {
	if err := restclient.RegisterAuthProviderPlugin("azure", newAzureAuthProvider); err != nil {
	klog.Fatalf("Failed to register azure auth plugin: %v", err)
	}
	}

	var cache = newAzureTokenCache()

	type azureTokenCache struct {
	lock sync.Mutex
	cache map[string]*azureToken
	}

	func newAzureTokenCache() *azureTokenCache {
	return &azureTokenCache{cache: make(map[string]*azureToken)}
	}

	func (c azureTokenCache) getToken(tokenKey string) azureToken {
	c.lock.Lock()
	defer c.lock.Unlock()
	return c.cache[tokenKey]
	}

	func (c azureTokenCache) setToken(tokenKey string, token azureToken) {
	c.lock.Lock()
	defer c.lock.Unlock()
	c.cache[tokenKey] = token
	}

	func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
	var (
	ts tokenSource
	environment azure.Environment
	err error
	mode configMode
	)

	environment, err = azure.EnvironmentFromName(cfg[cfgEnvironment])
	if err != nil {
	environment = azure.PublicCloud
	}

	mode = configModeDefault
	if cfg[cfgConfigMode] != "" {
	configModeInt, err := strconv.Atoi(cfg[cfgConfigMode])
	if err != nil {
	return nil, fmt.Errorf("failed to parse %s, error: %s", cfgConfigMode, err)
	}
	mode = configMode(configModeInt)
	switch mode {
	case configModeOmitSPNPrefix:
	case configModeDefault:
	default:
	return nil, fmt.Errorf("%s:%s is not a valid mode", cfgConfigMode, cfg[cfgConfigMode])
	}
	}
	ts, err = newAzureTokenSourceDeviceCode(environment, cfg[cfgClientID], cfg[cfgTenantID], cfg[cfgApiserverID], mode)
	if err != nil {
	return nil, fmt.Errorf("creating a new azure token source for device code authentication: %v", err)
	}
	cacheSource := newAzureTokenSource(ts, cache, cfg, mode, persister)

	return &azureAuthProvider{
	tokenSource: cacheSource,
	}, nil
	}

	type azureAuthProvider struct {
	tokenSource tokenSource
	}

	func (p *azureAuthProvider) Login() error {
	return errors.New("not yet implemented")
	}

	func (p *azureAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
	return &azureRoundTripper{
	tokenSource: p.tokenSource,
	roundTripper: rt,
	}
	}

	type azureRoundTripper struct {
	tokenSource tokenSource
	roundTripper http.RoundTripper
	}

	var _ net.RoundTripperWrapper = &azureRoundTripper{}

	func (r azureRoundTripper) RoundTrip(req http.Request) (*http.Response, error) {
	if len(req.Header.Get(authHeader)) != 0 {
	return r.roundTripper.RoundTrip(req)
	}

	token, err := r.tokenSource.Token()
	if err != nil {
	klog.Errorf("Failed to acquire a token: %v", err)
	return nil, fmt.Errorf("acquiring a token for authorization header: %v", err)
	}

	// clone the request in order to avoid modifying the headers of the original request
	req2 := new(http.Request)
	req2 = req
	req2.Header = make(http.Header, len(req.Header))
	for k, s := range req.Header {
	req2.Header[k] = append([]string(nil), s...)
	}

	req2.Header.Set(authHeader, fmt.Sprintf("%s %s", tokenType, token.token.AccessToken))

	return r.roundTripper.RoundTrip(req2)
	}

	func (r *azureRoundTripper) WrappedRoundTripper() http.RoundTripper { return r.roundTripper }

	type azureToken struct {
	token adal.Token
	environment string
	clientID string
	tenantID string
	apiserverID string
	}

	type tokenSource interface {
	Token() (*azureToken, error)
	Refresh(azureToken) (azureToken, error)
	}

	type azureTokenSource struct {
	source tokenSource
	cache *azureTokenCache
	lock sync.Mutex
	configMode configMode
	cfg map[string]string
	persister restclient.AuthProviderConfigPersister
	}

	func newAzureTokenSource(source tokenSource, cache *azureTokenCache, cfg map[string]string, configMode configMode, persister restclient.AuthProviderConfigPersister) tokenSource {
	return &azureTokenSource{
	source: source,
	cache: cache,
	cfg: cfg,
	persister: persister,
	configMode: configMode,
	}
	}

	// Token fetches a token from the cache of configuration if present otherwise
	// acquires a new token from the configured source. Automatically refreshes
	// the token if expired.
	func (ts azureTokenSource) Token() (azureToken, error) {
	ts.lock.Lock()
	defer ts.lock.Unlock()

	var err error
	token := ts.cache.getToken(azureTokenKey)

	if token != nil && !token.token.IsExpired() {
	return token, nil
	}

	// retrieve from config if no cache
	if token == nil {
	tokenFromCfg, err := ts.retrieveTokenFromCfg()

	if err == nil {
	token = tokenFromCfg
	}
	}

	if token != nil {
	// cache and return if the token is as good
	// avoids frequent persistor calls
	if !token.token.IsExpired() {
	ts.cache.setToken(azureTokenKey, token)
	return token, nil
	}

	klog.V(4).Info("Refreshing token.")
	tokenFromRefresh, err := ts.Refresh(token)
	switch {
	case err == nil:
	token = tokenFromRefresh
	case autorest.IsTokenRefreshError(err):
	klog.V(4).Infof("Failed to refresh expired token, proceed to auth: %v", err)
	// reset token to nil so that the token source will be used to acquire new
	token = nil
	default:
	return nil, fmt.Errorf("unexpected error when refreshing token: %v", err)
	}
	}

	if token == nil {
	tokenFromSource, err := ts.source.Token()
	if err != nil {
	return nil, fmt.Errorf("failed acquiring new token: %v", err)
	}
	token = tokenFromSource
	}

	// sanity check
	if token == nil {
	return nil, fmt.Errorf("unable to acquire token")
	}

	// corner condition, newly got token is valid but expired
	if token.token.IsExpired() {
	return nil, fmt.Errorf("newly acquired token is expired")
	}

	err = ts.storeTokenInCfg(token)
	if err != nil {
	return nil, fmt.Errorf("storing the refreshed token in configuration: %v", err)
	}
	ts.cache.setToken(azureTokenKey, token)

	return token, nil
	}

	func (ts azureTokenSource) retrieveTokenFromCfg() (azureToken, error) {
	accessToken := ts.cfg[cfgAccessToken]
	if accessToken == "" {
	return nil, fmt.Errorf("no access token in cfg: %s", cfgAccessToken)
	}
	refreshToken := ts.cfg[cfgRefreshToken]
	if refreshToken == "" {
	return nil, fmt.Errorf("no refresh token in cfg: %s", cfgRefreshToken)
	}
	environment := ts.cfg[cfgEnvironment]
	if environment == "" {
	return nil, fmt.Errorf("no environment in cfg: %s", cfgEnvironment)
	}
	clientID := ts.cfg[cfgClientID]
	if clientID == "" {
	return nil, fmt.Errorf("no client ID in cfg: %s", cfgClientID)
	}
	tenantID := ts.cfg[cfgTenantID]
	if tenantID == "" {
	return nil, fmt.Errorf("no tenant ID in cfg: %s", cfgTenantID)
	}
	resourceID := ts.cfg[cfgApiserverID]
	if resourceID == "" {
	return nil, fmt.Errorf("no apiserver ID in cfg: %s", cfgApiserverID)
	}
	expiresIn := ts.cfg[cfgExpiresIn]
	if expiresIn == "" {
	return nil, fmt.Errorf("no expiresIn in cfg: %s", cfgExpiresIn)
	}
	expiresOn := ts.cfg[cfgExpiresOn]
	if expiresOn == "" {
	return nil, fmt.Errorf("no expiresOn in cfg: %s", cfgExpiresOn)
	}
	tokenAudience := resourceID
	if ts.configMode == configModeDefault {
	tokenAudience = fmt.Sprintf("spn:%s", resourceID)
	}

	return &azureToken{
	token: adal.Token{
	AccessToken: accessToken,
	RefreshToken: refreshToken,
	ExpiresIn: json.Number(expiresIn),
	ExpiresOn: json.Number(expiresOn),
	NotBefore: json.Number(expiresOn),
	Resource: tokenAudience,
	Type: tokenType,
	},
	environment: environment,
	clientID: clientID,
	tenantID: tenantID,
	apiserverID: resourceID,
	}, nil
	}

	func (ts azureTokenSource) storeTokenInCfg(token azureToken) error {
	newCfg := make(map[string]string)
	newCfg[cfgAccessToken] = token.token.AccessToken
	newCfg[cfgRefreshToken] = token.token.RefreshToken
	newCfg[cfgEnvironment] = token.environment
	newCfg[cfgClientID] = token.clientID
	newCfg[cfgTenantID] = token.tenantID
	newCfg[cfgApiserverID] = token.apiserverID
	newCfg[cfgExpiresIn] = string(token.token.ExpiresIn)
	newCfg[cfgExpiresOn] = string(token.token.ExpiresOn)
	newCfg[cfgConfigMode] = strconv.Itoa(int(ts.configMode))

	err := ts.persister.Persist(newCfg)
	if err != nil {
	return fmt.Errorf("persisting the configuration: %v", err)
	}
	ts.cfg = newCfg
	return nil
	}

	func (ts azureTokenSource) Refresh(token azureToken) (*azureToken, error) {
	return ts.source.Refresh(token)
	}

	// refresh outdated token with adal.
	// adal.RefreshTokenError will be returned if error occur during refreshing.
	func (ts azureTokenSourceDeviceCode) Refresh(token azureToken) (*azureToken, error) {
	env, err := azure.EnvironmentFromName(token.environment)
	if err != nil {
	return nil, err
	}

	var oauthConfig *adal.OAuthConfig
	if ts.configMode == configModeOmitSPNPrefix {
	oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, token.tenantID, nil)
	if err != nil {
	return nil, fmt.Errorf("building the OAuth configuration without api-version for token refresh: %v", err)
	}
	} else {
	oauthConfig, err = adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
	if err != nil {
	return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
	}
	}

	callback := func(t adal.Token) error {
	return nil
	}
	spt, err := adal.NewServicePrincipalTokenFromManualToken(
	*oauthConfig,
	token.clientID,
	token.apiserverID,
	token.token,
	callback)
	if err != nil {
	return nil, fmt.Errorf("creating new service principal for token refresh: %v", err)
	}

	if err := spt.Refresh(); err != nil {
	return nil, fmt.Errorf("refreshing token: %v", err)
	}

	return &azureToken{
	token: spt.Token(),
	environment: token.environment,
	clientID: token.clientID,
	tenantID: token.tenantID,
	apiserverID: token.apiserverID,
	}, nil
	}

	type azureTokenSourceDeviceCode struct {
	environment azure.Environment
	clientID string
	tenantID string
	apiserverID string
	configMode configMode
	}

	func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID string, tenantID string, apiserverID string, configMode configMode) (tokenSource, error) {
	if clientID == "" {
	return nil, errors.New("client-id is empty")
	}
	if tenantID == "" {
	return nil, errors.New("tenant-id is empty")
	}
	if apiserverID == "" {
	return nil, errors.New("apiserver-id is empty")
	}
	return &azureTokenSourceDeviceCode{
	environment: environment,
	clientID: clientID,
	tenantID: tenantID,
	apiserverID: apiserverID,
	configMode: configMode,
	}, nil
	}

	func (ts azureTokenSourceDeviceCode) Token() (azureToken, error) {
	var (
	oauthConfig *adal.OAuthConfig
	err error
	)
	if ts.configMode == configModeOmitSPNPrefix {
	oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(ts.environment.ActiveDirectoryEndpoint, ts.tenantID, nil)
	if err != nil {
	return nil, fmt.Errorf("building the OAuth configuration without api-version for device code authentication: %v", err)
	}
	} else {
	oauthConfig, err = adal.NewOAuthConfig(ts.environment.ActiveDirectoryEndpoint, ts.tenantID)
	if err != nil {
	return nil, fmt.Errorf("building the OAuth configuration for device code authentication: %v", err)
	}
	}
	client := &autorest.Client{}
	deviceCode, err := adal.InitiateDeviceAuth(client, *oauthConfig, ts.clientID, ts.apiserverID)
	if err != nil {
	return nil, fmt.Errorf("initialing the device code authentication: %v", err)
	}

	_, err = fmt.Fprintln(os.Stderr, *deviceCode.Message)
	if err != nil {
	return nil, fmt.Errorf("prompting the device code message: %v", err)
	}

	token, err := adal.WaitForUserCompletion(client, deviceCode)
	if err != nil {
	return nil, fmt.Errorf("waiting for device code authentication to complete: %v", err)
	}

	return &azureToken{
	token: *token,
	environment: ts.environment.Name,
	clientID: ts.clientID,
	tenantID: ts.tenantID,
	apiserverID: ts.apiserverID,
	}, nil
	}