[Profile] az login: Fall back to device code flow in GitHub Codespaces #27443

Merged
merged 4 commits into from
Sep 13, 2024

sinedied
Member

@sinedied sinedied commented Sep 21, 2023

Related command

az login

Description

This PR fixes the long-standing issue of az login not working in GitHub Codespaces (#20315).
For that it uses a simple workaround, the same used in the gh CLI: if the CODESPACES=true environment variable is set, it falls back to using a device code login.

Testing Guide

  1. In a bash terminal: run az login -> by default, it should run the web browser login
  2. Run CODESPACES=true az login -> it should automatically fall back to device code login. You can also simply run az login in GitHub Codespaces :)

azure-client-tools-bot-prd bot commented Sep 21, 2023

✔️AzureCLI-FullTest


azure-client-tools-bot-prd bot commented Sep 21, 2023

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Collaborator

yonzhan commented Sep 21, 2023

Add specific logic to fallback to device code in GitHub Codespaces

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Sep 21, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Account az login/account Core CLI core infrastructure labels Sep 21, 2023
@sinedied sinedied force-pushed the fix-codespaces branch 3 times, most recently from d7553e6 to 352a6d9 Compare September 21, 2023 11:42
@sinedied
Member Author

Tests are finally green 🙂
Sorry for that, I did not succeed in running the tests locally; the azdev test command wasn't working for me

@sinedied
Member Author

@jiasli The PR is ready for review, could you have a look?

This will also solve the same issue in AZD CLI as it uses AZ CLI under the hood

@jiasli
Member

jiasli commented Sep 26, 2023

@sinedied, thanks for your contribution. Device code has some known limitations with Conditional Access policies (#16401), so we prefer users to use auth code flow. See https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000

Also, as users can use --use-device-code to force az login to use device code, this PR may not be urgent at the moment. We will evaluate this PR with our PMs when time permits. Thanks for your understanding.

@jiasli jiasli added this to the September 2024 (2024-10-08) milestone Sep 4, 2024
@jiasli jiasli changed the title [Core] az login: Add fallback to device code in Codespaces (#20315) [Profile] az login: Fall back to device code flow in GitHub Codespaces (#20315) Sep 4, 2024
@jiasli jiasli changed the title [Profile] az login: Fall back to device code flow in GitHub Codespaces (#20315) [Profile] az login: Fall back to device code flow in GitHub Codespaces Sep 6, 2024
@jiasli
Member

jiasli commented Sep 12, 2024

@sinedied, I understand you might be busy working on other tasks and don't have the bandwidth on this PR, so I will close this PR and continue the work in #29826. Thanks for your understanding.

@jiasli jiasli closed this Sep 12, 2024
@sinedied
Member Author

@jiasli sorry for the delay, I missed the notification last week. The last update I received by mail was that you weren't going to merge it, but if this has changed, please reopen this PR and I'll get it updated today

@jiasli jiasli reopened this Sep 12, 2024
sinedied and others added 2 commits September 12, 2024 13:32
Co-authored-by: Jiashuo Li <4003950+jiasli@users.noreply.github.com>
@jiasli
Member

jiasli commented Sep 12, 2024

I have verified the PR works as expected in GitHub Codespaces:

image

Testing steps:

  1. Fork Azure CLI repo: https://github.com/Azure/azure-cli

  2. Create a Codespace on your forked repo:
    image

  3. Run below commands:

    cd ..
    python3 -m venv env
    . env/bin/activate
    pip install azdev
    azdev setup -c
    az login

jiasli previously approved these changes Sep 12, 2024
@jiasli jiasli merged commit 89ebb60 into Azure:dev Sep 13, 2024
61 checks passed
@sneakyflint

Hello - wondering if there would be any consideration given to either reverting this change or adding a CLI flag to bypass this check? az login has worked well in GitHub Codespaces for quite some time in our enterprise - the automatic port forwarding service picks up the port used by the callback server and forwards with private scope:
image

The exception is when using Codespaces on Web which does not support binding ports to 127.0.0.1 - though this could be worked around by allowing the end user to pass a replacement value for localhost when calling az login.

We have worked around with CODESPACES=false az login for now but wanted to ensure this was flagged.

@jiasli
Member

jiasli commented Oct 15, 2024

> az login has worked well in GitHub Codespaces for quite some time in our enterprise - the automatic port forwarding service picks up the port used by the callback server and forwards with private scope:

Are you using a local VS Code to connect to Codespaces?

I can indeed get it working as VS Code automatically maps localhost on the remote container as 127.0.0.1 on the local machine.

image

This is also documented at https://docs.github.com/en/codespaces/developing-in-a-codespace/forwarding-ports-in-your-codespace#using-command-line-tools-and-rest-clients-to-access-ports

> If you forward a private port from the VS Code desktop application, your application will also be available at a localhost port such as 127.0.0.1:4000.

> The exception is when using Codespaces on Web which does not support binding ports to 127.0.0.1 - though this could be worked around by allowing the end user to pass a replacement value for localhost when calling az login.

No, this can't be done. This is explained in #20315 (comment).

@jiasli
Member

jiasli commented Oct 15, 2024

BTW, I encountered a weird issue that the local VS Code sometimes cannot launch a web browser (Edge, Chrome). Instead, it launches a text-based browser in the terminal.

image

This can be triggered by directly running:

    $ python3 -c "import webbrowser; webbrowser.open('https://login.microsoft.com/')"
    Unable to connect to VS Code server: Error in request.
    Error: connect ENOENT /tmp/vscode-ipc-51da01ec-3078-41e1-944c-868de003c9c7.sock
        at PipeConnectWrap.afterConnect [as oncomplete] (node:net:1607:16) {
      errno: -2,
      code: 'ENOENT',
      syscall: 'connect',
      address: '/tmp/vscode-ipc-51da01ec-3078-41e1-944c-868de003c9c7.sock'
    }

@sneakyflint

> > az login has worked well in GitHub Codespaces for quite some time in our enterprise - the automatic port forwarding service picks up the port used by the callback server and forwards with private scope:
>
> Are you using a local VS Code to connect to Codespaces?
>
> I can indeed get it working as VS Code automatically maps localhost on the remote container as 127.0.0.1 on the local machine.
>
> image
>
> This is also documented at https://docs.github.com/en/codespaces/developing-in-a-codespace/forwarding-ports-in-your-codespace#using-command-line-tools-and-rest-clients-to-access-ports
>
> > If you forward a private port from the VS Code desktop application, your application will also be available at a localhost port such as 127.0.0.1:4000.
>
> > The exception is when using Codespaces on Web which does not support binding ports to 127.0.0.1 - though this could be worked around by allowing the end user to pass a replacement value for localhost when calling az login.
>
> No, this can't be done. This is explained in #20315 (comment).

Yes, we are using local VSCode. Makes sense re: the redirect URL issue and we have been able to get by w/ using VSCode desktop or reverting to the device code method manually.

> BTW, I encountered a weird issue that the local VS Code sometimes cannot launch a web browser (Edge, Chrome). Instead, it launches a text-based browser in the terminal.
>
> image
>
> This can be triggered by directly running:
>
>     $ python3 -c "import webbrowser; webbrowser.open('https://login.microsoft.com/')"
>     Unable to connect to VS Code server: Error in request.
>     Error: connect ENOENT /tmp/vscode-ipc-51da01ec-3078-41e1-944c-868de003c9c7.sock
>         at PipeConnectWrap.afterConnect [as oncomplete] (node:net:1607:16) {
>       errno: -2,
>       code: 'ENOENT',
>       syscall: 'connect',
>       address: '/tmp/vscode-ipc-51da01ec-3078-41e1-944c-868de003c9c7.sock'
>     }

Just tried this on my end and it immediately opened a browser window, when running on mcr.microsoft.com/devcontainers/base:ubuntu-22.04. Perhaps an upstream issue with VSCode server/client?

@tallaxes

tallaxes commented Oct 15, 2024

FWIW, we are using Codespaces with VSCode extensively, and the old workflow (automatic port forwarding + web browser) was working fine for us. With this fix, we are now discovering that login via device code flow gets somewhat different permissions; in our case breaking az role assignment create - resulting in "AADSTS530003: Your device is required to be managed to access this resource" (possibly due to lack of permissions for ARG from an "unmanaged" VM?)

For now will be using CODESPACES=false az login as a workaround🙂

@jlian
Member

jlian commented Oct 18, 2024

We have the same issue as @tallaxes. Forcing device code login breaks az connectedk8s connect which gives:

Unable to fetch the Object ID of the Azure AD application used by Azure Arc service. Unable to enable the 'custom-locations' feature. AADSTS530003: Your device is required to be managed to access this resource

And if I try to fetch the object ID, I get Interactive authentication is needed

The workaround with CODESPACES=false az login works, but I really don't want to put this into our public documentation which is supposed to highlight codespaces.
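
Added example, not part of the thread and not Azure CLI's own code: a sketch of the flow-selection rule the PR describes, plus a triage step for the AADSTS530003 failure reported in the comments above. The helper names `select_login_flow` and `triage` are hypothetical, and the exact-string comparison with "true" is an assumption (it is consistent with the CODESPACES=false workaround reported in the thread).

```python
import re

# Error text as quoted by a commenter in this thread, used as sample input.
SAMPLE_STDERR = (
    "Unable to enable the 'custom-locations' feature. AADSTS530003: "
    "Your device is required to be managed to access this resource"
)


def select_login_flow(env, use_device_code=False):
    """Pick the az login flow per the rule this PR describes.

    Hypothetical helper. Assumption: CODESPACES is compared to the exact
    string "true", so CODESPACES=false restores the browser login.
    """
    if use_device_code:
        return "device_code", "--use-device-code passed"
    if env.get("CODESPACES") == "true":
        return "device_code", "CODESPACES=true (GitHub Codespaces fallback)"
    return "auth_code", "default web browser login"


def triage(flow, stderr_text):
    """Return (AADSTS codes found, hint) for a failed az command."""
    codes = sorted(set(re.findall(r"AADSTS\d+", stderr_text)))
    if "AADSTS530003" in codes and flow == "device_code":
        hint = ("Session came from device code flow, which the maintainers "
                "note has limitations under Conditional Access; log in "
                "again with auth code flow (CODESPACES=false az login).")
    elif codes:
        hint = ("AADSTS error present, but the session did not come from "
                "the device code fallback discussed in this thread.")
    else:
        hint = "No AADSTS code in output."
    return codes, hint


if __name__ == "__main__":
    for env in ({"CODESPACES": "true"}, {"CODESPACES": "false"}, {}):
        flow, reason = select_login_flow(env)
        print(env, "->", flow, f"({reason})")
        print("  ", triage(flow, SAMPLE_STDERR)[1])
```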
