[Key Vault] dSTS authentication fails due to incorrect tenant ID parsing in Key Vault challenge auth #45320

@pvaneck

Description

The Key Vault challenge authentication policy incorrectly parses the tenant ID from dSTS authority URLs. This causes authentication failures when using KeyVault with dSTS-based endpoints.

dSTS authority URLs have a different structure than standard Entra ID URLs:

  • Standard: https://login.microsoft.com/{tenant-id}
  • dSTS: https://uswest2-passive-dsts.dsts.core.windows.net/dstsv2/{tenant-id}/

The current code in http_challenge.py extracts the first path segment as the tenant ID:

uri_path = raw_uri_path.lstrip("/")
self.tenant_id = uri_path.split("/", maxsplit=1)[0] or None

For a dSTS authority URL, this incorrectly extracts dstsv2 (a path prefix) instead of the actual tenant GUID.

Affected packages

  • azure-keyvault-keys
  • azure-keyvault-secrets
  • azure-keyvault-certificates
  • azure-keyvault-administration
  • azure-keyvault-securitydomain

Reproduction

from azure.keyvault.keys._shared.http_challenge import HttpChallenge

tenant_guid = "d01e93db-8e88-4f53-b4fc-8cf680ccf3d1"
dsts_authority = f"https://uswest2-passive-dsts.dsts.core.windows.net/dstsv2/{tenant_guid}"

challenge = HttpChallenge(
    "https://request.uri",
    challenge=f'Bearer authorization="{dsts_authority}", resource=https://some.resource',
)

print(f"Extracted tenant_id: {challenge.tenant_id}")
# Actual:   "dstsv2"
# Expected: "d01e93db-8e88-4f53-b4fc-8cf680ccf3d1"

Related issue: Azure/azure-sdk-for-net#56394
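To make the failure mode concrete, here is an added example (not code from the azure-sdk-for-python repository) that parses the challenge header, reproduces the first-segment extraction described above, and places a GUID-aware extraction beside it. The GUID-scanning approach, the helper names and the constructed tenant GUID are assumptions for illustration, not the SDK's fix.

```python
import re
from urllib.parse import urlparse

# Constructed tenant GUID for the example; not a real tenant.
TENANT_GUID = "d01e93db-8e88-4f53-b4fc-8cf680ccf3d1"
STANDARD_AUTHORITY = f"https://login.microsoft.com/{TENANT_GUID}"
DSTS_AUTHORITY = (
    f"https://uswest2-passive-dsts.dsts.core.windows.net/dstsv2/{TENANT_GUID}/"
)

# Entra/dSTS tenant IDs are GUIDs: 8-4-4-4-12 hex groups.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def parse_challenge(header: str) -> dict:
    """Split a 'Bearer k="v", k2=v2' challenge into its parameters.

    Simple comma split; sufficient for the authorization/resource shape
    shown in the issue (values here never contain commas).
    """
    _scheme, _, params = header.partition(" ")
    parsed = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            parsed[key.strip()] = value.strip().strip('"')
    return parsed


def tenant_id_first_segment(authority: str):
    """Behaviour the issue describes: the first path segment is the tenant.

    Correct for https://login.microsoft.com/{tenant-id}; for a dSTS
    authority it yields the 'dstsv2' prefix, so the wrong tenant is used
    and authentication fails.
    """
    uri_path = urlparse(authority).path.lstrip("/")
    return uri_path.split("/", maxsplit=1)[0] or None


def tenant_id_guid_segment(authority: str):
    """Hypothetical hardening: return the first GUID-shaped path segment.

    Skips non-GUID prefixes such as 'dstsv2'. When no segment is a GUID
    (e.g. 'common' or 'organizations'), falls back to the first segment so
    existing standard-authority behaviour is preserved.
    """
    segments = [s for s in urlparse(authority).path.split("/") if s]
    for segment in segments:
        if _GUID_RE.match(segment):
            return segment
    return segments[0] if segments else None
```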
