Support AzurePipelinesCredential in Azure Event Hubs for Kafka passwordless connection #49108
/azp run java - spring - tests
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
This pull request enables the EventHubsKafkaBinderOAuthIT Spring Cloud Azure integration test so it runs as part of the Event Hubs IT suite (when -DskipSpringITs=false is used in CI), aligning with the intent to validate Event Hubs Kafka OAuth scenarios end-to-end.
Changes:
- Removed the @Disabled annotation from EventHubsKafkaBinderOAuthIT.
- Removed the now-unused Disabled import.
Revert the kafka-clients 3.8.1 override (incompatible with spring-kafka 4.x, caused VerifyError in EventHubsKafkaBinderConnectionStringIT) and instead disable the Spring Cloud Stream Kafka binder's topic auto-creation and admin-based health check. Azure Event Hubs for Kafka does not support the Kafka AdminClient API, so the binder must not create one against the Event Hubs endpoint.
EventHubsKafkaBinderOAuthIT, update KafkaOAuth2AuthenticateCallbackHandler to make test pass
In sovereign clouds (Azure China, US Gov) DefaultAzureCredentialBuilderFactory configures profile.environment.activeDirectoryEndpoint, but the newly added AzurePipelinesCredentialBuilder was created without it and defaulted to the public-cloud authority. Since ChainedTokenCredential only falls through on CredentialUnavailableException, a wrong-authority failure would block the DefaultAzureCredential fallback. Pass AzureProperties into the builder and apply authorityHost when available.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
sdk/spring/spring-cloud-azure-service/src/main/java/com/azure/spring/cloud/service/implementation/kafka/KafkaOAuth2AuthenticateCallbackHandler.java:185
- This AzurePipelinesCredentialBuilder is created directly, so unlike the DefaultAzureCredentialBuilderFactory path it does not receive the AzureProperties HTTP client, proxy, logging, retry, or custom pipeline settings. In environments that require those Spring-configured settings (for example an outbound proxy), the Azure Pipelines credential can fail before the configured default credential is usable. Apply the same common credential builder configuration to this builder as the default credential path.
AzurePipelinesCredentialBuilder builder = new AzurePipelinesCredentialBuilder()
    .systemAccessToken(systemAccessToken)
    .clientId(clientId)
    .tenantId(tenantId)
    .serviceConnectionId(serviceConnectionId);
String authorityHost = resolveAuthorityHost(properties);
if (!isNullOrEmpty(authorityHost)) {
    builder.authorityHost(authorityHost);
}
Description
This pull request adds support for using AzurePipelinesCredential to enable passwordless authentication for Azure Event Hubs via Kafka when running in Azure Pipelines. The implementation detects specific Azure DevOps environment variables and, if present, chains the new credential with the existing DefaultAzureCredential. The changes also include a new integration test to verify this behavior and update the changelog accordingly.
Azure Pipelines Credential Support for Kafka Event Hubs
- AzurePipelinesCredential in the KafkaOAuth2AuthenticateCallbackHandler to allow passwordless authentication for Azure Event Hubs for Kafka when running in Azure Pipelines. The credential is used only if all required environment variables are present; otherwise, the system falls back to DefaultAzureCredential. The authority host is set based on the current Azure environment for correct cloud targeting. [1] [2] [3] [4]
Testing Enhancements
- testCreateChainedTokenCredentialWhenAzurePipelinesEnvVarsPresent) to verify that a ChainedTokenCredential is created when all Azure Pipelines environment variables are set, ensuring the new credential logic is exercised and isolated per test run. [1] [2] [3]
Documentation Updates
Integration Test Activation
- EventHubsKafkaBinderOAuthIT integration test, which was previously disabled, to allow validation of OAuth scenarios in CI/CD pipelines. [1] [2]
Related PR: #47176
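The credential selection described in this PR, written out as an added example; it is not the PR's code or the Spring Cloud Azure implementation. The class and method names are hypothetical, the four environment variable names are assumptions (the page does not list the ones the handler checks), the caller is assumed to pass the authority host explicitly, and azure-identity must be on the classpath.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.AzurePipelinesCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;
import java.util.List;
import java.util.Map;

public final class PipelinesCredentialSketch {
    // Assumed variable names: the PR text does not list the ones it checks.
    static final String TOKEN = "SYSTEM_ACCESSTOKEN";
    static final String CLIENT = "AZURESUBSCRIPTION_CLIENT_ID";
    static final String TENANT = "AZURESUBSCRIPTION_TENANT_ID";
    static final String CONNECTION = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID";

    // All-or-nothing: a partially populated environment must not produce a pipelines credential.
    static boolean pipelinesEnvComplete(Map<String, String> env) {
        return List.of(TOKEN, CLIENT, TENANT, CONNECTION).stream()
            .allMatch(name -> env.get(name) != null && !env.get(name).isBlank());
    }

    static TokenCredential resolve(Map<String, String> env, String authorityHost) {
        DefaultAzureCredentialBuilder fallback = new DefaultAzureCredentialBuilder().authorityHost(authorityHost);
        if (!pipelinesEnvComplete(env)) {
            return fallback.build();
        }
        // Same authority on both links: the chain only moves on after CredentialUnavailableException,
        // so a pipelines credential pointed at the wrong cloud would stop the fallback from running.
        AzurePipelinesCredentialBuilder pipelines = new AzurePipelinesCredentialBuilder()
            .systemAccessToken(env.get(TOKEN))
            .clientId(env.get(CLIENT))
            .tenantId(env.get(TENANT))
            .serviceConnectionId(env.get(CONNECTION))
            .authorityHost(authorityHost);
        return new ChainedTokenCredentialBuilder()
            .addLast(pipelines.build())
            .addLast(fallback.build())
            .build();
    }

    public static void main(String[] args) {
        // Constructed, incomplete environment: only the token is set, so this prints DefaultAzureCredential.
        Map<String, String> partial = Map.of(TOKEN, "constructed-placeholder");
        System.out.println(resolve(partial, AzureAuthorityHosts.AZURE_CHINA).getClass().getSimpleName());
        // Real environment: ChainedTokenCredential only inside a job that exports all four variables.
        System.out.println(resolve(System.getenv(), AzureAuthorityHosts.AZURE_PUBLIC_CLOUD).getClass().getSimpleName());
    }
}
```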