
[Core] Use WAM as the default authentication method on Windows #28085

Merged
merged 1 commit into from
Feb 27, 2024

Conversation

jiasli
Member

@jiasli jiasli commented Dec 22, 2023

Related command
az login

Description
Fix #26573
Fix #28417
Require #27726

After previewing WAM for over a year (#23828), we now use WAM as the default authentication method on Windows.

This PR bumps MSAL to 1.27.0 (AzureAD/microsoft-authentication-library-for-python#669) which raised the upper bound of pymsalruntime (AzureAD/microsoft-authentication-library-for-python@59c3000). pymsalruntime 0.14.1 fixes the issues with PIM (#26573) and VM SSH (#28417).

Testing Guide

az login

# To opt out
az config set core.enable_broker_on_windows=false
az login

History Notes
[Core] BREAKING CHANGE: az login: Use WAM as the default authentication method on Windows. If you encounter any issue and want to opt out, run az config set core.enable_broker_on_windows=false, az account clear and az login


azure-client-tools-bot-prd bot commented Dec 22, 2023

️✔️AzureCLI-FullTest


Hi @jiasli,
Since the current milestone time is less than 7 days, this PR will be reviewed in the next milestone.


azure-client-tools-bot-prd bot commented Dec 22, 2023

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Collaborator

yonzhan commented Dec 22, 2023

Core

@jiasli
Member Author

jiasli commented Dec 27, 2023

AzureAD/microsoft-authentication-library-for-python#569 introduced account_source so that

acquire_token_silent() shall not invoke broker if the account was not established by broker.

Besides fixing device code flow (AzureAD/microsoft-authentication-library-for-python#563), another great benefit of that PR is that enabling WAM will not break the current login context established by auth code flow. We get an error in a previous version of MSAL, such as 1.24.0b2.

# Turn off token encryption so that we can edit it manually later
az config set core.encrypt_token_cache=false

# Make sure the WAM cache is cleared
az config set core.allow_broker=true
az account clear

az config set core.allow_broker=false
az login

# Edit ~/.azure/msal_token_cache.json. Change AccessToken.<key>.expires_on to 0 to make the access token expire
# {
#     "AccessToken": {        
#         "...": {
#             ...
#             "expires_on": "0",

az config set core.allow_broker=true

# Trigger token refreshing
az group list

We get an error:

Account has previously been signed out of this application.. Status: Response_Status.Status_AccountUnusable, Error code: 0, Tag: 540940121
Please explicitly log in with:
az login --scope https://management.core.windows.net//.default

Thanks to this change, MSAL will check account_source and retrieve the refresh token from MSAL token cache, instead of WAM. Running the above commands again will not trigger any error.

# Turn off token encryption so that we can edit it manually later
az config set core.encrypt_token_cache=false

# Make sure the WAM cache is cleared
az config set core.enable_broker_on_windows=true
az account clear

az config set core.enable_broker_on_windows=false
az login

# Edit ~/.azure/msal_token_cache.json. Change AccessToken.<key>.expires_on to 0 to make the access token expire
# {
#     "AccessToken": {        
#         "...": {
#             ...
#             "expires_on": "0",

az config set core.enable_broker_on_windows=true

# Trigger token refreshing
az group list

This makes this PR a non-breaking change as long as the existing Azure CLI already uses MSAL >=1.25.0. However, updating from an old version of MSAL to the latest MSAL with account_source involves too many moving factors, including renaming allow_broker to enable_broker_on_windows, so we don't dive too deep into it. allow_broker is only in preview after all.
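The account_source routing rule described in the comment above, as an added illustration that is not code from this PR or from MSAL: a Python model run over a constructed cache shaped like ~/.azure/msal_token_cache.json. The function names, the account_source values and the sample entries are assumptions made for this example.

```python
import json
import time

# Constructed sample shaped like ~/.azure/msal_token_cache.json, trimmed to the fields
# this example reads; secrets are placeholders. "account_source" is the Account field
# MSAL >=1.25 records; the values used for it here are assumptions.
SAMPLE_CACHE = json.dumps({
    "AccessToken": {"uid.utid-accesstoken-example": {
        "home_account_id": "uid.utid", "secret": "PLACEHOLDER_AT",
        "expires_on": str(int(time.time()) + 3600)}},
    "RefreshToken": {"uid.utid-refreshtoken-example": {
        "home_account_id": "uid.utid", "secret": "PLACEHOLDER_RT"}},
    "Account": {"uid.utid-account-example": {
        "home_account_id": "uid.utid", "username": "user@example.com",
        "account_source": "authorization_code"}},  # logged in with the broker off
})

def expire_access_tokens(cache: dict) -> int:
    """The manual step from the comment: set expires_on to "0" on every cached
    access token so the next command must refresh. Returns the number changed."""
    entries = list(cache.get("AccessToken", {}).values())
    for entry in entries:
        entry["expires_on"] = "0"
    return len(entries)

def refresh_route(cache: dict, home_account_id: str, broker_enabled: bool,
                  honor_account_source: bool = True) -> str:
    """Where a silent refresh goes. honor_account_source=True models the MSAL >=1.25
    rule quoted above: only a broker-established account is sent back to WAM, any
    other account uses the refresh token in the file cache. False models the older
    behaviour that sent every account to WAM and failed with Status_AccountUnusable."""
    account = next((a for a in cache.get("Account", {}).values()
                    if a.get("home_account_id") == home_account_id), None)
    if account is None:
        return "interactive_login_required"
    if broker_enabled and (not honor_account_source
                           or account.get("account_source") == "broker"):
        return "broker"
    has_rt = any(r.get("home_account_id") == home_account_id
                 for r in cache.get("RefreshToken", {}).values())
    return "cache_refresh_token" if has_rt else "interactive_login_required"

def reproduce(honor_account_source: bool) -> str:
    """Replays the comment's sequence: log in with the broker off, expire the
    access token, turn the broker on, then trigger a refresh (az group list)."""
    cache = json.loads(SAMPLE_CACHE)
    expire_access_tokens(cache)
    return refresh_route(cache, "uid.utid", True, honor_account_source)
```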


Azure Pipelines successfully started running 3 pipeline(s).

@jiasli jiasli marked this pull request as ready for review February 26, 2024 08:23
Comment on lines -24 to -31
<h3>Announcements</h3>
<p>[Windows only] Azure CLI is collecting feedback on using the <a href="https://learn.microsoft.com/windows/uwp/security/web-account-manager">Web Account Manager</a> (WAM) broker for the login experience.</p>
<p>You may opt-in to use WAM by running the following commands:</p>
<code>
az config set core.enable_broker_on_windows=true<br>
az account clear<br>
az login
</code>
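Review bot: with this announcement block removed, the rendered page no longer tells a Windows user that WAM is now the default or how to opt out; rather than deleting the block, replace it with the opt-out sequence from the History Notes (az config set core.enable_broker_on_windows=false, az account clear, az login) and drop the now-inaccurate "collecting feedback" wording.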
Member Author

These lines are introduced by #25416.

The code block in <style> is kept in case we need it again in the future.


Azure Pipelines successfully started running 3 pipeline(s).


Command 'run for' is not supported by Azure Pipelines.

Supported commands
  • help:
    • Get descriptions, examples and documentation about supported commands
    • Example: help "command_name"
  • list:
    • List all pipelines for this repository using a comment.
    • Example: "list"
  • run:
    • Run all pipelines or specific pipelines for this repository using a comment. Use this command by itself to trigger all related pipelines, or specify specific pipelines to run.
    • Example: "run" or "run pipeline_name, pipeline_name, pipeline_name"
  • where:
    • Report back the Azure DevOps orgs that are related to this repository and org
    • Example: "where"

See additional documentation.


@jiasli
Member Author

jiasli commented Feb 27, 2024

Pipeline rerun for #28454, #28456.

@jiasli jiasli merged commit da6cfe0 into Azure:dev Feb 27, 2024
54 checks passed
@jiasli jiasli deleted the wam-as-default branch February 27, 2024 06:45
@jiasli jiasli mentioned this pull request Feb 29, 2024
jiasli added a commit that referenced this pull request Feb 29, 2024
@jiasli
Member Author

jiasli commented Apr 26, 2024

This PR has been reverted by #28483.

Labels
Account az login/account Auto-Assign Auto assign by bot Core CLI core infrastructure

Successfully merging this pull request may close these issues.

WAM-integration & PIM "UNPROTECTED PRIVATE KEY FILE" error when using az ssh vm
4 participants