[Profile] az login: Support --claims-challenge in auth code flow
#31778
Conversation
✔️ AzureCLI-FullTest

| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
|  | login | cmd login added parameter claims_challenge |  |

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

```
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Pull Request Overview
This PR adds support for the --claims-challenge argument to az login, allowing clients to pass a Base64-encoded claims challenge (e.g., to trigger MFA) during interactive authentication. It decodes the flag at the CLI layer and propagates the decoded value through Profile.login down to MSAL.
- Register `--claims-challenge` in the `az login` command and decode its value.
- Introduce `b64decode` utility and simplify `b64encode`.
- Update authentication methods and `Profile.login` to accept an explicit `claims_challenge` parameter and remove `**kwargs`.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/profile/custom.py | Added claims_challenge parameter, Base64 decoding, and pass-through to profile.login. |
| src/azure-cli/azure/cli/command_modules/profile/init.py | Registered the --claims-challenge CLI argument with help text. |
| src/azure-cli-core/azure/cli/core/util.py | Simplified b64encode, and added new b64decode function. |
| src/azure-cli-core/azure/cli/core/auth/identity.py | Changed login methods to explicit claims_challenge parameter and removed **kwargs. |
| src/azure-cli-core/azure/cli/core/_profile.py | Updated Profile.login signature to include claims_challenge and adapted internal calls. |
Comments suppressed due to low confidence (2)
src/azure-cli-core/azure/cli/core/_profile.py:155
- Add documentation for the new `claims_challenge` parameter in the `login` method docstring to explain its purpose, expected format, and how it integrates with MSAL.

    claims_challenge=None):

src/azure-cli/azure/cli/command_modules/profile/custom.py:152
- Add or update unit/integration tests for the new `--claims-challenge` flag to verify that Base64 decoding is performed correctly and the value is passed through to authentication flows.

    if claims_challenge:
Title changed from "az login: support --claims-challenge" to "az login: Support --claims-challenge"
| if use_device_code: | ||
| user_identity = identity.login_with_device_code(scopes=scopes, **kwargs) | ||
| user_identity = identity.login_with_device_code(scopes=scopes) |
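Review bot: with `**kwargs` gone from the `identity.login_with_device_code(scopes=scopes)` call, `claims_challenge` is never forwarded on the device-code path, so `az login --use-device-code --claims-challenge ...` silently behaves as if the flag were absent. Consider logging when both are set, e.g. `if use_device_code and claims_challenge: logger.warning("--claims-challenge is ignored for device code flow")`, and stating the limitation in the argument's help text so users know to use the interactive (auth code) flow.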
initiate_device_flow doesn't support claims_challenge and fails with

```
File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\identity.py", line 176, in login_with_device_code
  flow = self._msal_app.initiate_device_flow(scopes, claims_challenge=claims_challenge)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\msal\application.py", line 2341, in initiate_device_flow
  flow = self.client.initiate_device_flow(
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\msal\oauth2cli\oauth2.py", line 326, in initiate_device_flow
  resp = self._http_client.post(self.configuration[DAE],
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\msal\individual_cache.py", line 273, in wrapper
  value = function(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\msal\individual_cache.py", line 273, in wrapper
  value = function(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\msal\throttled_http_client.py", line 96, in post
  return NormalizedResponse(self.http_client.post(*args, **kwargs))
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\cli\py312\Lib\site-packages\requests\sessions.py", line 637, in post
  return self.request("POST", url, data=data, json=json, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Session.request() got an unexpected keyword argument 'claims_challenge'
```

If claims_challenge is not passed to initiate_device_flow, calling acquire_token_by_device_flow with claims_challenge fails:

```
File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\identity.py", line 186, in login_with_device_code
  return check_result(result)
         ^^^^^^^^^^^^^^^^^^^^
File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\util.py", line 134, in check_result
  aad_error_handler(result, **kwargs)
File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\auth\util.py", line 53, in aad_error_handler
  raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. Trace ID: 9416cbef-6f2f-4bba-b99f-e41722113e00 Correlation ID: d657b456-40d3-4d39-ae98-4d2927752bb8 Timestamp: 2025-06-24 07:56:44Z
```
This has been reported to MSAL:
Shall we show a warning telling customers that --claims-challenge is not supported for device code flow and will be ignored?
This is a temporary bug in MSAL's device code implementation. I prefer not to complicate things as the bug will be fixed eventually.
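The review summary above describes the decode-then-forward path (`--claims-challenge` is Base64-decoded at the CLI layer and passed as an explicit `claims_challenge` parameter down to MSAL), and the thread just above shows what happens when that value reaches the device-code flow. The following is an added example, not code from the azure-cli repository or from this PR, that works through both points: a `b64decode` that rejects malformed input instead of passing garbage to the identity provider, a check that the decoded text is actually a JSON claims object, and a `login` stand-in that forwards the explicit parameter only to the flow that can honour it. `login`, `_authorize_request` and `_device_code_request` are hypothetical stand-ins for `Profile.login` and the `identity.login_with_*` methods; the sample claims JSON is constructed for the example.

```python
# Added example (not azure-cli's own code): decode a Base64 claims challenge the
# way `az login --claims-challenge` must before handing it to MSAL, and route it
# only to the flow that can honour it. `login`, `_authorize_request` and
# `_device_code_request` are hypothetical stand-ins for Profile.login and the
# identity.login_with_* methods touched by this PR.
import base64
import binascii
import json
import logging

logger = logging.getLogger(__name__)

# Constructed sample claims challenge (a JSON object, which is what MSAL
# forwards); the Base64 form is what a user would paste into --claims-challenge.
SAMPLE_CLAIMS_JSON = '{"access_token":{"acrs":{"essential":true,"values":["c1"]}}}'
SAMPLE_CHALLENGE_B64 = base64.b64encode(SAMPLE_CLAIMS_JSON.encode("utf-8")).decode("ascii").rstrip("=")


def b64decode(data: str) -> str:
    """Decode standard or URL-safe Base64 text, tolerating missing '=' padding.

    Raises ValueError (never a raw binascii/Unicode error) so the CLI layer can
    turn bad input into a clean usage error instead of a traceback.
    """
    compact = "".join(data.split())                          # drop copied-in whitespace
    compact = compact.translate(str.maketrans("-_", "+/"))   # URL-safe -> standard alphabet
    padded = compact + "=" * (-len(compact) % 4)             # restore stripped padding
    try:
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently discarding them.
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"--claims-challenge is not valid Base64 text: {exc}") from exc


def decode_claims_challenge(encoded: str) -> str:
    """Return the decoded claims challenge as a JSON string after checking it
    really is a JSON object; anything else would be forwarded to the identity
    provider unchanged and fail there with a far less helpful error."""
    text = b64decode(encoded)
    try:
        claims = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("decoded --claims-challenge is not JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("decoded --claims-challenge must be a JSON object")
    return text


def _authorize_request(scopes, claims_challenge=None):
    """Simplified authorization-code flow: the claims challenge travels as the
    `claims` parameter of the authorization request."""
    params = {"response_type": "code", "scope": " ".join(scopes)}
    if claims_challenge:
        params["claims"] = claims_challenge
    return {"flow": "authorization_code", "params": params}


def _device_code_request(scopes):
    """Simplified device-code flow; it carries no claims parameter at all."""
    return {"flow": "device_code", "params": {"scope": " ".join(scopes)}}


def login(scopes, claims_challenge=None, use_device_code=False):
    """Stand-in for Profile.login: decode once at the CLI boundary, forward the
    explicit parameter (no **kwargs) to the flow that supports it, and make the
    device-code limitation visible instead of failing deep inside MSAL."""
    decoded = decode_claims_challenge(claims_challenge) if claims_challenge else None
    if use_device_code:
        if decoded:
            logger.warning("--claims-challenge is not supported for device code flow and will be ignored")
        return _device_code_request(scopes)
    return _authorize_request(scopes, claims_challenge=decoded)


if __name__ == "__main__":
    print(login(["https://management.core.windows.net//.default"],
                claims_challenge=SAMPLE_CHALLENGE_B64))
```

Decoding and validating once at the command layer keeps the rest of the stack free of `**kwargs` pass-throughs and means a typo in the pasted challenge surfaces as a usage error rather than as an opaque AADSTS response after a round trip to the identity provider.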
Title changed from "az login: Support --claims-challenge" to "az login: Support --claims-challenge in auth code flow"
| allow_no_subscriptions=False, | ||
| use_cert_sn_issuer=None, | ||
| show_progress=False, | ||
| **kwargs): |
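Review bot: dropping `**kwargs):` from the `Profile.login` signature turns any caller that still passes an extra keyword (including a `claims_challenge=` that used to ride through kwargs) into a `TypeError` at call time rather than a silently ignored argument. Before merging, confirm with a repository-wide search that no caller passes keywords beyond the named parameters, and note the signature change in the history notes, since `azure.cli.core` is consumed outside this repository.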
This PR removes lots of kwargs. I just want to confirm that kwargs is never used and always empty, right?
No. It is not used by any means. See the explanation in the PR description #31778 (comment).
Related command

`az login`

Description

During the MSAL migration (#19853), interactive re-authentication with claims challenge is already supported by core via `**kwargs`, but is not exposed via `az login` and AAD error handling, because: `Connect-AzAccount` cmdlet which doesn't support claims challenge. As now MFA policy returns a claims challenge, re-authenticating without this claims challenge will not trigger the MFA process.

Similar to #17778 which added `--scope`, this PR adds `--claims-challenge` argument to `az login` in order to trigger the MFA process during interactive authentication.

Because `kwargs` of `azure.cli.core._profile.Profile.login` was initially designed for supporting `claims_challenge` and `claims_challenge` is now explicitly supported, there is no need to keep `kwargs`.

Testing Guide

History Notes

[Profile] `az login`: Add `--claims-challenge` argument to support interactive authentication with claims challenge