Azure PowerShell's token encryption issues
Various issues have been reported regarding Azure PowerShell's token encryption functionality:
Windows:
- Connect-AzAccount Unable to acquire token for tenant 'organizations' azure-powershell#14925
- Connect-AzAccount : InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details azure-powershell#13691
MacOS:
- OSX Connect-AzAccount doesn't function azure-powershell#14478
- Connect-AzAccount: MacOS KeyChain authorization/authentication failed azure-powershell#15423
The workaround is to disable the persistent token cache between sessions:
However, this approach is not feasible for Azure CLI, as there is no concept of a session: Azure CLI is a Python application and there is no connection between commands.
Python SDK status
In current Python SDKs, a fallback mechanism is used:
- Azure Identity (Python) provides `allow_unencrypted`
- MSAL Extension (Python)'s sample code uses `fallback_to_plaintext`
But this fallback mechanism only takes effect when initializing `LibsecretPersistence` on Linux fails - it is possible that failures can also occur when
- `FilePersistenceWithDataProtection` on Windows, `KeychainPersistence` on MacOS are initialized or actually used. (Token encryption is enforced on Windows and MacOS)
- `LibsecretPersistence` on Linux is actually used
When failures happen on various platforms, forcing token encryption will render Azure CLI totally unusable.
Proposed solution
Instead of using `allow_unencrypted` or `fallback_to_plaintext` and letting Azure CLI try its best to encrypt, we should introduce a definitive option like `plaintext` to force an unencrypted token cache, so that complex platform-dependent problems can be bypassed.
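To make the difference between the existing fallback and the proposed `plaintext` option concrete, here is an added model in Python (not Azure CLI's or msal-extensions' own code). The `EncryptedPersistence` and `PlaintextPersistence` classes are constructed stand-ins for the platform-backed persistences named above, with a `fail_at` hook that simulates the backend failing either at initialization or at first real use; `build_persistence` then shows that `fallback_to_plaintext`-style logic only rescues the init-time failure, while an explicit `plaintext` mode never touches the encryption backend at all.

```python
"""Model of token-cache persistence selection (added illustration).

The classes below are constructed stand-ins, not msal-extensions'
LibsecretPersistence / KeychainPersistence / FilePersistenceWithDataProtection.
They model the two moments at which platform encryption can fail:
at construction (init) and at first real use (save/load).
"""
import json
import os
import tempfile


class PersistenceError(RuntimeError):
    """Stand-in for the platform errors (DPAPI, Keychain, libsecret)."""


class PlaintextPersistence:
    """Writes the cache unencrypted, like a plain file persistence."""
    encrypted = False

    def __init__(self, location):
        self.location = location

    def save(self, content):
        with open(self.location, "w") as f:
            f.write(content)

    def load(self):
        if not os.path.exists(self.location):
            return ""
        with open(self.location) as f:
            return f.read()


class EncryptedPersistence(PlaintextPersistence):
    """Models a platform-backed encrypted store (constructed, not real).

    fail_at selects where the simulated platform error is raised:
    'init', 'use', or None for a healthy backend.
    """
    encrypted = True

    def __init__(self, location, fail_at=None):
        if fail_at == "init":
            raise PersistenceError("encryption backend unavailable at init")
        super().__init__(location)
        self._fail_at = fail_at

    def save(self, content):
        if self._fail_at == "use":
            raise PersistenceError("encryption backend failed during save")
        super().save(content)  # a real backend would encrypt here

    def load(self):
        if self._fail_at == "use":
            raise PersistenceError("encryption backend failed during load")
        return super().load()


def build_persistence(location, mode="encrypted", fail_at=None):
    """Select a persistence according to the configured mode.

    mode="encrypted": require encryption; any failure propagates.
    mode="fallback":  the existing fallback_to_plaintext behaviour; only an
                      init-time failure is caught.
    mode="plaintext": the proposed definitive option; the platform
                      encryption backend is never constructed or used.
    fail_at is only a hook for the constructed EncryptedPersistence.
    """
    if mode == "plaintext":
        return PlaintextPersistence(location)
    try:
        return EncryptedPersistence(location, fail_at=fail_at)
    except PersistenceError:
        if mode != "fallback":
            raise
        return PlaintextPersistence(location)


def round_trip(persistence, token_cache):
    """Save a token-cache dict and read it back; returns the parsed dict."""
    persistence.save(json.dumps(token_cache))
    return json.loads(persistence.load())


def outcome(mode, fail_at):
    """Return 'ok-encrypted', 'ok-plaintext' or 'error' for one scenario."""
    location = os.path.join(tempfile.mkdtemp(), "msal_token_cache.json")
    try:
        p = build_persistence(location, mode=mode, fail_at=fail_at)
        round_trip(p, {"AccessToken": {}})  # constructed, empty cache
    except PersistenceError:
        return "error"
    return "ok-encrypted" if p.encrypted else "ok-plaintext"


if __name__ == "__main__":
    for mode in ("encrypted", "fallback", "plaintext"):
        for fail_at in (None, "init", "use"):
            print(f"mode={mode:<9} fail_at={str(fail_at):<4} -> {outcome(mode, fail_at)}")
```

Running the block prints the nine combinations; the row to look at is `mode=fallback fail_at=use -> error`, which is exactly the failure the fallback cannot rescue, whereas `mode=plaintext` succeeds regardless of the backend's state. Keeping the opt-in as a distinct, explicit mode rather than a silent fallback also means a user who lands in plaintext mode has knowingly chosen it, which is preferable to discovering the cache was never encrypted.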
Reference email: Workaround for DPAPI/KeyChain Errors