fix: update lego.

2018-04-09 18:28:03 +02:00 · 2018-04-09 18:28:03 +02:00 · b1be062437
commit b1be062437
parent 2d0d320d05
48 changed files with 2979 additions and 1076 deletions
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/config.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/config.go
@ -1,5 +1,19 @@
 package adal

+// Copyright 2017 Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
 import (
 	"fmt"
 	"net/url"
@ -18,8 +32,24 @@ type OAuthConfig struct {
 	DeviceCodeEndpoint url.URL
 }

+// IsZero returns true if the OAuthConfig object is zero-initialized.
+func (oac OAuthConfig) IsZero() bool {
+	return oac == OAuthConfig{}
+}
+
+func validateStringParam(param, name string) error {
+	if len(param) == 0 {
+		return fmt.Errorf("parameter '" + name + "' cannot be empty")
+	}
+	return nil
+}
+
 // NewOAuthConfig returns an OAuthConfig with tenant specific urls
 func NewOAuthConfig(activeDirectoryEndpoint, tenantID string) (*OAuthConfig, error) {
+	if err := validateStringParam(activeDirectoryEndpoint, "activeDirectoryEndpoint"); err != nil {
+		return nil, err
+	}
+	// it's legal for tenantID to be empty so don't validate it
 	const activeDirectoryEndpointTemplate = "%s/oauth2/%s?api-version=%s"
 	u, err := url.Parse(activeDirectoryEndpoint)
 	if err != nil {
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/devicetoken.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/devicetoken.go
@ -1,5 +1,19 @@
 package adal

+// Copyright 2017 Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
 /*
  This file is largely based on rjw57/oauth2device's code, with the follow differences:
   * scope -> resource, and only allow a single one
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/msi.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/msi.go
@ -1,6 +0,0 @@
-// +build !windows
-
-package adal
-
-// msiPath is the path to the MSI Extension settings file (to discover the endpoint)
-var msiPath = "/var/lib/waagent/ManagedIdentity-Settings"
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/msi_windows.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/msi_windows.go
@ -1,11 +0,0 @@
-// +build windows
-
-package adal
-
-import (
-	"os"
-	"strings"
-)
-
-// msiPath is the path to the MSI Extension settings file (to discover the endpoint)
-var msiPath = strings.Join([]string{os.Getenv("SystemDrive"), "WindowsAzure/Config/ManagedIdentity-Settings"}, "/")
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/persist.go
@ -1,5 +1,19 @@
 package adal

+// Copyright 2017 Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
 import (
 	"encoding/json"
 	"fmt"
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/sender.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/sender.go
@ -1,5 +1,19 @@
 package adal

+// Copyright 2017 Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
 import (
 	"net/http"
 )
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/token.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/token.go
@ -1,5 +1,19 @@
 package adal

+// Copyright 2017 Microsoft Corporation
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
 import (
 	"crypto/rand"
 	"crypto/rsa"
@ -13,6 +27,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/Azure/go-autorest/autorest/date"
@ -28,11 +43,20 @@ const (
 	// OAuthGrantTypeClientCredentials is the "grant_type" identifier used in credential flows
 	OAuthGrantTypeClientCredentials = "client_credentials"

+	// OAuthGrantTypeUserPass is the "grant_type" identifier used in username and password auth flows
+	OAuthGrantTypeUserPass = "password"
+
 	// OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows
 	OAuthGrantTypeRefreshToken = "refresh_token"

+	// OAuthGrantTypeAuthorizationCode is the "grant_type" identifier used in authorization code flows
+	OAuthGrantTypeAuthorizationCode = "authorization_code"
+
 	// metadataHeader is the header required by MSI extension
 	metadataHeader = "Metadata"
+
+	// msiEndpoint is the well known endpoint for getting MSI authentications tokens
+	msiEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"
 )

 // OAuthTokenProvider is an interface which should be implemented by an access token retriever
@ -40,6 +64,12 @@ type OAuthTokenProvider interface {
 	OAuthToken() string
 }

+// TokenRefreshError is an interface used by errors returned during token refresh.
+type TokenRefreshError interface {
+	error
+	Response() *http.Response
+}
+
 // Refresher is an interface for token refresh functionality
 type Refresher interface {
 	Refresh() error
@ -64,6 +94,11 @@ type Token struct {
 	Type     string `json:"token_type"`
 }

+// IsZero returns true if the token object is zero-initialized.
+func (t Token) IsZero() bool {
+	return t == Token{}
+}
+
 // Expires returns the time.Time when the Token expires.
 func (t Token) Expires() time.Time {
 	s, err := strconv.Atoi(t.ExpiresOn)
@ -131,6 +166,34 @@ type ServicePrincipalCertificateSecret struct {
 type ServicePrincipalMSISecret struct {
 }

+// ServicePrincipalUsernamePasswordSecret implements ServicePrincipalSecret for username and password auth.
+type ServicePrincipalUsernamePasswordSecret struct {
+	Username string
+	Password string
+}
+
+// ServicePrincipalAuthorizationCodeSecret implements ServicePrincipalSecret for authorization code auth.
+type ServicePrincipalAuthorizationCodeSecret struct {
+	ClientSecret      string
+	AuthorizationCode string
+	RedirectURI       string
+}
+
+// SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
+func (secret *ServicePrincipalAuthorizationCodeSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+	v.Set("code", secret.AuthorizationCode)
+	v.Set("client_secret", secret.ClientSecret)
+	v.Set("redirect_uri", secret.RedirectURI)
+	return nil
+}
+
+// SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
+func (secret *ServicePrincipalUsernamePasswordSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+	v.Set("username", secret.Username)
+	v.Set("password", secret.Password)
+	return nil
+}
+
 // SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
 func (msiSecret *ServicePrincipalMSISecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
 	return nil
@ -183,27 +246,47 @@ func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *Se

 // ServicePrincipalToken encapsulates a Token created for a Service Principal.
 type ServicePrincipalToken struct {
-	Token
-
+	token         Token
 	secret        ServicePrincipalSecret
 	oauthConfig   OAuthConfig
 	clientID      string
 	resource      string
 	autoRefresh   bool
+	refreshLock   *sync.RWMutex
 	refreshWithin time.Duration
 	sender        Sender

 	refreshCallbacks []TokenRefreshCallback
 }

+func validateOAuthConfig(oac OAuthConfig) error {
+	if oac.IsZero() {
+		return fmt.Errorf("parameter 'oauthConfig' cannot be zero-initialized")
+	}
+	return nil
+}
+
 // NewServicePrincipalTokenWithSecret create a ServicePrincipalToken using the supplied ServicePrincipalSecret implementation.
 func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, resource string, secret ServicePrincipalSecret, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(id, "id"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
+	if secret == nil {
+		return nil, fmt.Errorf("parameter 'secret' cannot be nil")
+	}
 	spt := &ServicePrincipalToken{
 		oauthConfig:      oauthConfig,
 		secret:           secret,
 		clientID:         id,
 		resource:         resource,
 		autoRefresh:      true,
+		refreshLock:      &sync.RWMutex{},
 		refreshWithin:    defaultRefresh,
 		sender:           &http.Client{},
 		refreshCallbacks: callbacks,
@ -213,6 +296,18 @@ func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, reso

 // NewServicePrincipalTokenFromManualToken creates a ServicePrincipalToken using the supplied token
 func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID string, resource string, token Token, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(clientID, "clientID"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
+	if token.IsZero() {
+		return nil, fmt.Errorf("parameter 'token' cannot be zero-initialized")
+	}
 	spt, err := NewServicePrincipalTokenWithSecret(
 		oauthConfig,
 		clientID,
@ -223,7 +318,7 @@ func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID s
 		return nil, err
 	}

-	spt.Token = token
+	spt.token = token

 	return spt, nil
 }
@ -231,6 +326,18 @@ func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID s
 // NewServicePrincipalToken creates a ServicePrincipalToken from the supplied Service Principal
 // credentials scoped to the named resource.
 func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(clientID, "clientID"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(secret, "secret"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
 	return NewServicePrincipalTokenWithSecret(
 		oauthConfig,
 		clientID,
@ -242,8 +349,23 @@ func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret s
 	)
 }

-// NewServicePrincipalTokenFromCertificate create a ServicePrincipalToken from the supplied pkcs12 bytes.
+// NewServicePrincipalTokenFromCertificate creates a ServicePrincipalToken from the supplied pkcs12 bytes.
 func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID string, certificate *x509.Certificate, privateKey *rsa.PrivateKey, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(clientID, "clientID"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
+	if certificate == nil {
+		return nil, fmt.Errorf("parameter 'certificate' cannot be nil")
+	}
+	if privateKey == nil {
+		return nil, fmt.Errorf("parameter 'privateKey' cannot be nil")
+	}
 	return NewServicePrincipalTokenWithSecret(
 		oauthConfig,
 		clientID,
@ -256,59 +378,163 @@ func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID s
 	)
 }

-// GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
-func GetMSIVMEndpoint() (string, error) {
-	return getMSIVMEndpoint(msiPath)
+// NewServicePrincipalTokenFromUsernamePassword creates a ServicePrincipalToken from the username and password.
+func NewServicePrincipalTokenFromUsernamePassword(oauthConfig OAuthConfig, clientID string, username string, password string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(clientID, "clientID"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(username, "username"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(password, "password"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
+	return NewServicePrincipalTokenWithSecret(
+		oauthConfig,
+		clientID,
+		resource,
+		&ServicePrincipalUsernamePasswordSecret{
+			Username: username,
+			Password: password,
+		},
+		callbacks...,
+	)
 }

-func getMSIVMEndpoint(path string) (string, error) {
-	// Read MSI settings
-	bytes, err := ioutil.ReadFile(path)
-	if err != nil {
-		return "", err
+// NewServicePrincipalTokenFromAuthorizationCode creates a ServicePrincipalToken from the
+func NewServicePrincipalTokenFromAuthorizationCode(oauthConfig OAuthConfig, clientID string, clientSecret string, authorizationCode string, redirectURI string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+
+	if err := validateOAuthConfig(oauthConfig); err != nil {
+		return nil, err
 	}
-	msiSettings := struct {
-		URL string `json:"url"`
-	}{}
-	err = json.Unmarshal(bytes, &msiSettings)
-	if err != nil {
-		return "", err
+	if err := validateStringParam(clientID, "clientID"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(clientSecret, "clientSecret"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(authorizationCode, "authorizationCode"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(redirectURI, "redirectURI"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
 	}

-	return msiSettings.URL, nil
+	return NewServicePrincipalTokenWithSecret(
+		oauthConfig,
+		clientID,
+		resource,
+		&ServicePrincipalAuthorizationCodeSecret{
+			ClientSecret:      clientSecret,
+			AuthorizationCode: authorizationCode,
+			RedirectURI:       redirectURI,
+		},
+		callbacks...,
+	)
+}
+
+// GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
+func GetMSIVMEndpoint() (string, error) {
+	return msiEndpoint, nil
 }

 // NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension.
+// It will use the system assigned identity when creating the token.
 func NewServicePrincipalTokenFromMSI(msiEndpoint, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	return newServicePrincipalTokenFromMSI(msiEndpoint, resource, nil, callbacks...)
+}
+
+// NewServicePrincipalTokenFromMSIWithUserAssignedID creates a ServicePrincipalToken via the MSI VM Extension.
+// It will use the specified user assigned identity when creating the token.
+func NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, resource string, userAssignedID string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	return newServicePrincipalTokenFromMSI(msiEndpoint, resource, &userAssignedID, callbacks...)
+}
+
+func newServicePrincipalTokenFromMSI(msiEndpoint, resource string, userAssignedID *string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	if err := validateStringParam(msiEndpoint, "msiEndpoint"); err != nil {
+		return nil, err
+	}
+	if err := validateStringParam(resource, "resource"); err != nil {
+		return nil, err
+	}
+	if userAssignedID != nil {
+		if err := validateStringParam(*userAssignedID, "userAssignedID"); err != nil {
+			return nil, err
+		}
+	}
 	// We set the oauth config token endpoint to be MSI's endpoint
 	msiEndpointURL, err := url.Parse(msiEndpoint)
 	if err != nil {
 		return nil, err
 	}

-	oauthConfig, err := NewOAuthConfig(msiEndpointURL.String(), "")
-	if err != nil {
-		return nil, err
+	v := url.Values{}
+	v.Set("resource", resource)
+	v.Set("api-version", "2018-02-01")
+	if userAssignedID != nil {
+		v.Set("client_id", *userAssignedID)
 	}
+	msiEndpointURL.RawQuery = v.Encode()

 	spt := &ServicePrincipalToken{
-		oauthConfig:      *oauthConfig,
+		oauthConfig: OAuthConfig{
+			TokenEndpoint: *msiEndpointURL,
+		},
 		secret:           &ServicePrincipalMSISecret{},
 		resource:         resource,
 		autoRefresh:      true,
+		refreshLock:      &sync.RWMutex{},
 		refreshWithin:    defaultRefresh,
 		sender:           &http.Client{},
 		refreshCallbacks: callbacks,
 	}

+	if userAssignedID != nil {
+		spt.clientID = *userAssignedID
+	}
+
 	return spt, nil
 }

+// internal type that implements TokenRefreshError
+type tokenRefreshError struct {
+	message string
+	resp    *http.Response
+}
+
+// Error implements the error interface which is part of the TokenRefreshError interface.
+func (tre tokenRefreshError) Error() string {
+	return tre.message
+}
+
+// Response implements the TokenRefreshError interface, it returns the raw HTTP response from the refresh operation.
+func (tre tokenRefreshError) Response() *http.Response {
+	return tre.resp
+}
+
+func newTokenRefreshError(message string, resp *http.Response) TokenRefreshError {
+	return tokenRefreshError{message: message, resp: resp}
+}
+
 // EnsureFresh will refresh the token if it will expire within the refresh window (as set by
-// RefreshWithin) and autoRefresh flag is on.
+// RefreshWithin) and autoRefresh flag is on.  This method is safe for concurrent use.
 func (spt *ServicePrincipalToken) EnsureFresh() error {
-	if spt.autoRefresh && spt.WillExpireIn(spt.refreshWithin) {
-		return spt.Refresh()
+	if spt.autoRefresh && spt.token.WillExpireIn(spt.refreshWithin) {
+		// take the write lock then check to see if the token was already refreshed
+		spt.refreshLock.Lock()
+		defer spt.refreshLock.Unlock()
+		if spt.token.WillExpireIn(spt.refreshWithin) {
+			return spt.refreshInternal(spt.resource)
+		}
 	}
 	return nil
 }
@ -317,7 +543,7 @@ func (spt *ServicePrincipalToken) EnsureFresh() error {
 func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error {
 	if spt.refreshCallbacks != nil {
 		for _, callback := range spt.refreshCallbacks {
-			err := callback(spt.Token)
+			err := callback(spt.token)
 			if err != nil {
 				return fmt.Errorf("adal: TokenRefreshCallback handler failed. Error = '%v'", err)
 			}
@ -327,43 +553,74 @@ func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error {
 }

 // Refresh obtains a fresh token for the Service Principal.
+// This method is not safe for concurrent use and should be syncrhonized.
 func (spt *ServicePrincipalToken) Refresh() error {
+	spt.refreshLock.Lock()
+	defer spt.refreshLock.Unlock()
 	return spt.refreshInternal(spt.resource)
 }

 // RefreshExchange refreshes the token, but for a different resource.
+// This method is not safe for concurrent use and should be syncrhonized.
 func (spt *ServicePrincipalToken) RefreshExchange(resource string) error {
+	spt.refreshLock.Lock()
+	defer spt.refreshLock.Unlock()
 	return spt.refreshInternal(resource)
 }

-func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
-	v := url.Values{}
-	v.Set("client_id", spt.clientID)
-	v.Set("resource", resource)
-
-	if spt.RefreshToken != "" {
-		v.Set("grant_type", OAuthGrantTypeRefreshToken)
-		v.Set("refresh_token", spt.RefreshToken)
-	} else {
-		v.Set("grant_type", OAuthGrantTypeClientCredentials)
-		err := spt.secret.SetAuthenticationValues(spt, &v)
-		if err != nil {
-			return err
-		}
+func (spt *ServicePrincipalToken) getGrantType() string {
+	switch spt.secret.(type) {
+	case *ServicePrincipalUsernamePasswordSecret:
+		return OAuthGrantTypeUserPass
+	case *ServicePrincipalAuthorizationCodeSecret:
+		return OAuthGrantTypeAuthorizationCode
+	default:
+		return OAuthGrantTypeClientCredentials
 	}
+}

-	s := v.Encode()
-	body := ioutil.NopCloser(strings.NewReader(s))
-	req, err := http.NewRequest(http.MethodPost, spt.oauthConfig.TokenEndpoint.String(), body)
+func isIMDS(u url.URL) bool {
+	imds, err := url.Parse(msiEndpoint)
+	if err != nil {
+		return false
+	}
+	return u.Host == imds.Host && u.Path == imds.Path
+}
+
+func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
+	req, err := http.NewRequest(http.MethodPost, spt.oauthConfig.TokenEndpoint.String(), nil)
 	if err != nil {
 		return fmt.Errorf("adal: Failed to build the refresh request. Error = '%v'", err)
 	}

-	req.ContentLength = int64(len(s))
-	req.Header.Set(contentType, mimeTypeFormPost)
+	if !isIMDS(spt.oauthConfig.TokenEndpoint) {
+		v := url.Values{}
+		v.Set("client_id", spt.clientID)
+		v.Set("resource", resource)
+
+		if spt.token.RefreshToken != "" {
+			v.Set("grant_type", OAuthGrantTypeRefreshToken)
+			v.Set("refresh_token", spt.token.RefreshToken)
+		} else {
+			v.Set("grant_type", spt.getGrantType())
+			err := spt.secret.SetAuthenticationValues(spt, &v)
+			if err != nil {
+				return err
+			}
+		}
+
+		s := v.Encode()
+		body := ioutil.NopCloser(strings.NewReader(s))
+		req.ContentLength = int64(len(s))
+		req.Header.Set(contentType, mimeTypeFormPost)
+		req.Body = body
+	}
+
 	if _, ok := spt.secret.(*ServicePrincipalMSISecret); ok {
+		req.Method = http.MethodGet
 		req.Header.Set(metadataHeader, "true")
 	}
+
 	resp, err := spt.sender.Do(req)
 	if err != nil {
 		return fmt.Errorf("adal: Failed to execute the refresh request. Error = '%v'", err)
@ -374,9 +631,9 @@ func (spt *ServicePrincipalToken) refreshInternal(resource string) error {

 	if resp.StatusCode != http.StatusOK {
 		if err != nil {
-			return fmt.Errorf("adal: Refresh request failed. Status Code = '%d'. Failed reading response body", resp.StatusCode)
+			return newTokenRefreshError(fmt.Sprintf("adal: Refresh request failed. Status Code = '%d'. Failed reading response body", resp.StatusCode), resp)
 		}
-		return fmt.Errorf("adal: Refresh request failed. Status Code = '%d'. Response body: %s", resp.StatusCode, string(rb))
+		return newTokenRefreshError(fmt.Sprintf("adal: Refresh request failed. Status Code = '%d'. Response body: %s", resp.StatusCode, string(rb)), resp)
 	}

 	if err != nil {
@ -391,7 +648,7 @@ func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
 		return fmt.Errorf("adal: Failed to unmarshal the service principal token during refresh. Error = '%v' JSON = '%s'", err, string(rb))
 	}

-	spt.Token = token
+	spt.token = token

 	return spt.InvokeRefreshCallbacks(token)
 }
@ -411,3 +668,17 @@ func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration) {
 // SetSender sets the http.Client used when obtaining the Service Principal token. An
 // undecorated http.Client is used by default.
 func (spt *ServicePrincipalToken) SetSender(s Sender) { spt.sender = s }
+
+// OAuthToken implements the OAuthTokenProvider interface.  It returns the current access token.
+func (spt *ServicePrincipalToken) OAuthToken() string {
+	spt.refreshLock.RLock()
+	defer spt.refreshLock.RUnlock()
+	return spt.token.OAuthToken()
+}
+
+// Token returns a copy of the current token.
+func (spt *ServicePrincipalToken) Token() Token {
+	spt.refreshLock.RLock()
+	defer spt.refreshLock.RUnlock()
+	return spt.token
+}