Switch to fallback approach for federated token authentication

Instead of detecting federated tokens via GUID patterns, use a more robust
fallback mechanism: try with tenant ID first (preserving existing behavior),
then retry without tenant ID if it fails for service principals.

This addresses the concern that GUID detection cannot distinguish between
regular service principals and federated token service principals, as both
use client IDs as names.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: rauchy

config/auth_azure_cli.go

@@ -177,17 +177,17 @@ func (ts *azureCliTokenSource) getTokenBytes() ([]byte, error) {
 		return nil, fmt.Errorf("cannot unmarshal account info: %w", err)
 	}
 
-	// Check for authentication types that should not use tenant ID:
-	// 1. Traditional MSI (system/user assigned identities)
 	isMsi := account.User.Type == "servicePrincipal" && (account.User.Name == "systemAssignedIdentity" || account.User.Name == "userAssignedIdentity")
-
-	// 2. Service principal with client ID as name (likely federated token)
-	// When user.name is a GUID and user.type is servicePrincipal, it's often federated token auth
-	// where specifying tenant ID can cause failures
-	isFederatedToken := account.User.Type == "servicePrincipal" && ts.isGuidLike(account.User.Name)
-
-	if !isMsi && !isFederatedToken {
-		return ts.getTokenBytesWithTenantId(ts.azureTenantId)
+	if !isMsi {
+		// For regular service principals, try with tenant ID first
+		result, err := ts.getTokenBytesWithTenantId(ts.azureTenantId)
+		if err != nil && account.User.Type == "servicePrincipal" {
+			// If it fails for service principals, it might be a federated token scenario
+			// where tenant ID should not be specified. Fall back to no tenant ID.
+			logger.Infof(ts.ctx, "Failed to get token with tenant ID for service principal, trying without tenant ID: %v", err)
+			return ts.getTokenBytesWithTenantId("")
+		}
+		return result, err
 	}
 	return ts.getTokenBytesWithTenantId("")
 }
@@ -219,11 +219,3 @@ func (ts *azureCliTokenSource) getTokenBytesWithTenantId(tenantId string) ([]byt
 	}
 	return result, nil
 }
-
-// isGuidLike checks if the string looks like a GUID (client ID)
-func (ts *azureCliTokenSource) isGuidLike(s string) bool {
-	// Simple check for GUID format: 8-4-4-4-12 characters separated by hyphens
-	parts := strings.Split(s, "-")
-	return len(parts) == 5 && len(parts[0]) == 8 && len(parts[1]) == 4 &&
-		len(parts[2]) == 4 && len(parts[3]) == 4 && len(parts[4]) == 12
-}

config/auth_azure_cli_federated_token_test.go

@@ -10,8 +10,8 @@ import (
 
 func TestAzureCliCredentials_FederatedTokenServicePrincipal(t *testing.T) {
 	// This test verifies the fix where service principals authenticated via
-	// federated token (like in AKS with workload identity) should be detected via GUID pattern
-	// and skip tenant ID usage entirely (no fallback needed with the new approach).
+	// federated token (like in AKS with workload identity) use a fallback mechanism:
+	// try with tenant ID first, then retry without tenant ID if it fails.
 
 	env.CleanupEnvironment(t)
 	t.Setenv("PATH", testdataPath())
@@ -21,8 +21,8 @@ func TestAzureCliCredentials_FederatedTokenServicePrincipal(t *testing.T) {
 	t.Setenv("AZ_USER_NAME", "5817e630-86b3-4f67-a38e-a63e6a1a401c")
 	t.Setenv("AZ_USER_TYPE", "servicePrincipal")
 
-	// This would make the mock az command fail if --tenant were passed, but with the GUID
-	// detection fix, --tenant should never be passed for this GUID-like service principal name
+	// This makes the mock az command fail when --tenant is passed, simulating the federated 
+	// token scenario where tenant ID causes authentication failure
 	t.Setenv("FAIL_IF_TENANT_ID_SET", "true")
 
 	aa := AzureCliCredentials{}
@@ -31,10 +31,10 @@ func TestAzureCliCredentials_FederatedTokenServicePrincipal(t *testing.T) {
 		AzureTenantID: "e6a2f6d5-ece9-4c0d-9464-9c493497cb8f",
 	}
 
-	// With the GUID detection fix, this should work because the service principal name
-	// matches the GUID pattern and is treated like MSI (no --tenant parameter used)
+	// With the fallback fix, this should work: first attempt with --tenant fails,
+	// then fallback without --tenant succeeds
 	visitor, err := aa.Configure(context.Background(), cfg)
 
-	assert.NoError(t, err, "Authentication should work with federated token service principals via GUID detection")
+	assert.NoError(t, err, "Authentication should work with federated token service principals via fallback mechanism")
 	assert.NotNil(t, visitor, "Should return a valid credentials provider")
 }