Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Identity] Enable brokered auth in DAC #40335

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[Identity] Enable brokered auth in DAC #40335

wants to merge 4 commits into from
+62 −3

Conversation

pvaneck
Copy link
Member

@pvaneck pvaneck commented Apr 2, 2025

Description

This adds InteractiveBrowserBrokerCredential silent flow authentication to the end of the DefaultAzureCredential chain. Here, we opt to conditionally add it to the chain only if the broker package is installed.

Additional context: https://gist.github.com/christothes/f8a0dc6249261cb36a6c452717c4e932

Closes: #39966

@azure-sdk
Copy link
Collaborator

API change check

API changes are not detected in this pull request.

@pvaneck
[Identity] Enable brokered auth in DAC
e24dd7e 
Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
@pvaneck pvaneck force-pushed the identity-dac-broker branch from bf20396 to e24dd7e Compare April 3, 2025 00:24
@pvaneck
Copy link
Member Author

pvaneck commented Apr 3, 2025

@xiangyan99 This is the preliminary implementation. Would be good to get your thoughts on:

  1. If we should introduce more keyword arguments for broker cred client_id/tenant_id or reuse interactive_browser_client_id and interactive_browser_tenant_id which I am currently doing.
  2. Since this is the silent flow and non-interactive, should we introduce this credential to the async DAC (even though it would be run synchronously)?

pvaneck added 2 commits April 7, 2025 20:59
@pvaneck
Add logging and tests
65c2e27 
Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
@pvaneck
misc updates
c620d89 
Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
@pvaneck pvaneck requested a review from Copilot April 7, 2025 22:31
Copilot
Copilot AI reviewed Apr 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • sdk/identity/azure-identity/dev_requirements.txt: Language not supported

@pvaneck pvaneck marked this pull request as ready for review April 8, 2025 00:20
@pvaneck pvaneck requested a review from a team as a code owner April 8, 2025 00:20
xiangyan99
xiangyan99 reviewed Apr 8, 2025
View reviewed changes
sdk/identity/azure-identity/azure/identity/_credentials/default.py
def _get_broker_credential() -> Optional[Type["InteractiveBrowserBrokerCredential"]]:
# Get the broker credential if available
try:
from azure.identity.broker import InteractiveBrowserBrokerCredential
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to double check the behavior of get_token in the brokered credential.

Does it raise AuthFail or AuthUnavailable?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If within DAC, the broker credential token request methods will raise CredentialUnavailableError. However, I am noticing that if silent auth fails, we fall back to interactive sign-in. If we want this to be purely silent auth, we'd likely have to introduce some kwarg to signal the credential not to try interactive auth. WDYT?

@pvaneck
doc updates
736ae6f 
Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiangyan99 xiangyan99 xiangyan99 left review comments

Copilot code review Copilot Copilot left review comments

@maorleger maorleger Awaiting requested review from maorleger maorleger is a code owner automatically assigned from Azure/azure-sdk-write-identity

@joshfree joshfree Awaiting requested review from joshfree joshfree is a code owner automatically assigned from Azure/azure-sdk-write-identity

@billwert billwert Awaiting requested review from billwert billwert is a code owner automatically assigned from Azure/azure-sdk-write-identity

@g2vinay g2vinay Awaiting requested review from g2vinay g2vinay is a code owner automatically assigned from Azure/azure-sdk-write-identity

@KarishmaGhiya KarishmaGhiya Awaiting requested review from KarishmaGhiya KarishmaGhiya is a code owner automatically assigned from Azure/azure-sdk-write-identity

@mpodwysocki mpodwysocki Awaiting requested review from mpodwysocki mpodwysocki is a code owner automatically assigned from Azure/azure-sdk-write-identity

@minhanh-phan minhanh-phan Awaiting requested review from minhanh-phan minhanh-phan is a code owner automatically assigned from Azure/azure-sdk-write-identity

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Azure.Identity
Projects
Azure Identity SDK Improvements
Status: Untriaged
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DefaultAzureCredential: Re-enable SSO with VSCode on Windows
3 participants
@pvaneck @azure-sdk @xiangyan99