Fix broken az devops auth

[roshan-sy]

Please make sure the code is following contribution guidelines in CONTRIBUTING.md

• : This PR has a corresponding issue open in the Repository.
• : Approach is signed off on the issue.

[gauravsaralMs]

@roshan-sy

• can you take a look at this file https://github.com/Azure/azure-devops-cli-extension/blob/master/azure-devops/azext_devops/azext_metadata.json (and it's history) and see if we should update that as well ?
• can you share the validation done for this pull request ?

[jiasli]

get_raw_token supports user, service principal, managed identity accounts.

By removing user from get_token_from_az_login, get_raw_token will only return token for the currently selected/default account:

1. sub1, user1, from tenant1 - default
2. sub2, user2, from tenant2

This will cause get_raw_token to get a token for user1 in tenant2.

Consider using subscription as the key for get_raw_token.

[roshan-sy]

Tokens are independent of subscriptions. as ADO accounts are not linked to any azure subscriptions.

[jiasli]

I understand, but Azure CLI uses subscription as the primary key. If you don't specify subscription as the key for get_raw_token, unmatched user and tenant may occur.

Here you use subscription only as a placeholder for a user+tenant combination, instead of using the subscription.

[jiasli]

The old implementation of get_access_token_for_resource doesn't work for service principal and managed identity, and that's why it is not recommended and removed in the MSAL migration:

https://github.com/Azure/azure-cli/blob/14cc787d0f58bc649d402b486fdecc5625eee9ac/src/azure-cli-core/azure/cli/core/_profile.py#L531-L535

    def get_access_token_for_resource(self, username, tenant, resource):
        tenant = tenant or 'common'
        _, access_token, _ = self._creds_cache.retrieve_token_for_user(
            username, tenant, resource)
        return access_token

[jiasli]

User/tenant isolation was proposed in Azure/azure-cli#15005. After that, it will make sense to make get_raw_token support user+tenant.

[jiasli]

I don't think it is a good idea to try every Azure CLI account, as this may cause unexpected user credential to be used.

Instead, only the default/selected (subscription, tenant, user) combination should be used to get an access token. If that token doesn't have access, we should explicitly switch account with az account set.

[cveld]

Maybe good next time to have a good PR description. Now it is not clear to me:

• What was the original problem
• What is the proposed solution
• What are the test cases that are run

In my case I am still not able to use AAD authentication against Azure DevOps. Using az cli 2.30.0 and devops extension 0.22. Also see Azure/azure-cli#20529

And ensure that an issue is linked.

---

I just processed the instructions (https://github.com/Azure/azure-devops-cli-extension/blob/master/doc/dev_setup.md) to start developing the extension locally. And this installed version 0.23 which seems to work 🥳

[jiasli]

Maybe good next time to have a good PR description.

Completely agree.