Skip to content

{Auth} Remove broker_error detection for re-authentication message #31743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jiasli merged 1 commit into from
Jul 4, 2025
Merged

{Auth} Remove broker_error detection for re-authentication message #31743

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 1 addition & 5 deletions src/azure-cli-core/azure/cli/core/auth/util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,11 +45,7 @@ def aad_error_handler(error, **kwargs):
recommendation = PASSWORD_CERTIFICATE_WARNING
else:
login_command = _generate_login_command(**kwargs)
recommendation = (
# Cloud Shell uses IMDS-like interface for implicit login. If getting token/cert failed,
# we let the user explicitly log in to AAD with MSAL.
"Please explicitly log in with:\n{}" if error.get('error') == 'broker_error'
Copy link
Copy Markdown
Member Author

@jiasli jiasli Jul 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Cloud Shell, az account get-access-token --scope non-existing triggers a {'error': 'AudienceNotSupported', 'error_description': 'Audience non-existing is not a supported MSI token audience.'}.

error.get('error') == 'broker_error' does not match this error.

Copy link
Copy Markdown
Contributor

@rayluo rayluo Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with this PR. Here comes more context about the "broker_error", for posterity.

  1. In MSAL's underlying implementation, the {"error": "broker_error", ...} was a necessary placeholder to normalize Cloud Shell's potential "deceivingly successful token response containing a mismatching token type" situation. It happened that the "broker_error" value was chosen (rather than inventing a "cloud_shell_error").

  2. Now looking back, if this error handling snippet in Azure CLI was meant to pinpoint that corner case, it should have used a more precise condition, something like this:

    recommendation = (
    """You are using Cloud Shell and it does not yet support this token type request.
        Please explicitly log in with: {}"""  # But I don't quite remember whether an "az login --identity" would make a difference here
    if in_cloud_console() and error.get('error') == 'broker_error'
    else "Interactive authentication is needed. Please run:\n{}"
    ).format(login_command)

  3. Now that the differentiation in #2 is no longer needed, yes let's simplify the implementation here to remove that "A if condition else B" usage. This change feels right because, even though an interactive login will NOT address all errors (certainly not the --scope NON-EXIST wrong usage), but at least the end user shall get a better error UI when interacting with Entra ID web pages.

Copy link
Copy Markdown
Member Author

@jiasli jiasli Jul 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this error handling snippet in Azure CLI was meant to pinpoint that corner case

Yes. The error handing is indeed to pinpoint Cloud Shell's potential "deceivingly successful token response containing a mismatching token type" situation, so we can use if in_cloud_console() and error.get('error') == 'broker_error to still handle this error.

In the latest Cloud Shell, this error is no longer reproducible:

cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', ...
cli.azure.cli.core.auth.msal_credentials: CloudShellCredential.acquire_token: scopes=['https://pas.windows.net/CheckMyAccess/Linux/.default'], kwargs={'data': {'token_type': 'ssh-cert', ...
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 200 2085
msal.token_cache: event={
    "authority_type": "CLOUDSHELL",
    "client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "data": {
        ...
        "token_type": "ssh-cert"
    },
    "response": {
        ...
        "token_type": "ssh-cert"
    },
    "scope": [
        "https://pas.windows.net/CheckMyAccess/Linux/.default"
    ],
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token"
}
cli.azext_ssh.custom: Generating certificate /tmp/aadsshcertddj67t98/id_rsa.pub-aadcert.pub

The token_type in the response does match the token_type in the request, so there is no need to keep this error handing logic.

else "Interactive authentication is needed. Please run:\n{}").format(login_command)
recommendation = "Interactive authentication is needed. Please run:\n{}".format(login_command)

from azure.cli.core.azclierror import AuthenticationError
raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
Expand Down
Loading