Add MFA support for azd #42488
Add MFA support for azd #42488
Conversation
github-project-automation
bot
moved this to Untriaged
in Azure Identity SDK Improvements
xiangyan99
requested review from
maorleger,
christothes,
scottaddie,
chlowell,
anannya03 and
minhanh-phan
There was a problem hiding this comment.
Pull Request Overview
This PR adds Multi-Factor Authentication (MFA) support for the Azure Developer CLI credential by implementing claims handling in both sync and async versions of AzureDeveloperCliCredential.
Key changes:
- Enables the
claimsparameter inget_token()methods to handle MFA challenges - Adds a new utility function to extract user-friendly error messages from azd CLI JSON output
- Improves error handling by parsing structured error messages from azd CLI output
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
sdk/identity/azure-identity/azure/identity/aio/_credentials/azd_cli.py |
Async version - adds claims parameter support and improved error message extraction |
sdk/identity/azure-identity/azure/identity/_credentials/azd_cli.py |
Sync version - implements claims parameter support and adds extract_cli_error_message utility function |
Comments suppressed due to low confidence (1)
sdk/identity/azure-identity/azure/identity/_credentials/azd_cli.py:329
- Use f-string formatting instead of
.format()for consistency with the rest of the codebase. Replace withcombined_text = f"{ex.output or ''}\n{ex.stderr or ''}"
combined_text = "{}\n{}".format(ex.output or "", ex.stderr or "")
| @@ -175,16 +179,23 @@ def _get_token_base( | |||
| ) | |||
| if tenant: | |||
| command_args += ["--tenant-id", tenant] | |||
| if claims: | |||
There was a problem hiding this comment.
If claims are populated, shouldn't we raise immediately with the error message containing the command to run to login again?
There was a problem hiding this comment.
The azd implementation differs from the CLI/PSH by not using "azd auth login --claims."
Instead, users must first run "azd auth token --claims", which stores the claims.
Then, users can execute "azd auth login" without the "--claims" flag, as azd retrieves the claims from the cached data created in the previous step.
There was a problem hiding this comment.
Yes - but shouldn't we raise immediately when we have claims to tell the user to run those commands to proceed?
There was a problem hiding this comment.
Based on my observations, the command 'azd auth token --claims' may return a valid token, such as when the device is enrolled. To ensure robust code, let's handle both scenarios.
There was a problem hiding this comment.
How would we know if it is a valid token? Once we leave the credential and try to use the token in a policy, where would we throw with the azd specific error message?
There was a problem hiding this comment.
When we execute azd auth token --claims and receive a token, it is considered valid.
If token retrieval fails, an error is returned in JSON format from azd.
For AzdCredential, upon receiving claims during the get_token call, we need to invoke
azd auth token --claims <claims_challenge>to allow Azd to store the claims.Subsequently, we notify the user to run
azd auth loginagain to re-authenticate.