Skip to content

feat(mssql): bundle azure-identity for ActiveDirectoryDefault / AzCli / WorkloadIdentity auth#1755

Merged
dimitri merged 1 commit into
mainfrom
fix/mssql-azure-identity
Jul 6, 2026
Merged

feat(mssql): bundle azure-identity for ActiveDirectoryDefault / AzCli / WorkloadIdentity auth#1755
dimitri merged 1 commit into
mainfrom
fix/mssql-azure-identity

Conversation

@dimitri

@dimitri dimitri commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Closes #1754

What

Add com.azure/azure-identity 1.11.1 to deps.edn so all non-browser-dependent Entra ID authentication modes work out of the box with pgloader v4.

Why

mssql-jdbc 12.6.1 supports ActiveDirectoryDefault, ActiveDirectoryAzCli, and ActiveDirectoryWorkloadIdentity but delegates them to the azure-identity library, which was declared <optional>true</optional> in mssql-jdbc's own POM and was not previously bundled. Users hitting these modes got:

java.lang.NoClassDefFoundError: com/azure/identity/DefaultAzureCredentialBuilder

The ActiveDirectoryDefault mode is the standard developer ergonomic pattern — run az login once, then no credentials appear in the pgloader URL. It also works headlessly in WSL2 (falls back to AzureCliCredential, which shells out to az account get-access-token), unlike ActiveDirectoryInteractive which fails with linux_xdg_open_failed there.

Discovered via a real-world workaround repo (miljodir/DataEngineerPersona#6) that was fetching the 51-jar azure-identity dependency tree manually to paper over the missing dep.

Changes

clojure/deps.edn

Add com.azure/azure-identity {:mvn/version "1.11.1"} — the version mssql-jdbc 12.6.1 was certified against.

The SLF4J version conflict flagged by the downstream workaround (azure-identity pulls in older slf4j-api-1.7.36 transitively) does not affect the uberjar: Maven dependency resolution picks the newer slf4j-api already present via logback-classic.

clojure/test/pgloader/load_file/ast_test.clj

Add test-azure-identity-on-classpath — classpath assertion for DefaultAzureCredentialBuilder, mirroring the existing MSAL4J test from #1753.

docs/ref/mssql.rst

Rewrite the Azure SQL authentication section:

  • Add ActiveDirectoryDefault (developer az login workflow, WSL2-safe), ActiveDirectoryAzCli, and ActiveDirectoryWorkloadIdentity with connection string examples
  • Deprecate ActiveDirectoryPassword: Microsoft has deprecated it due to mandatory MFA enforcement; most modern Entra tenants return AADSTS50076
  • Correct the ActiveDirectoryInteractive note: it works on native Windows / macOS / Linux desktops but fails in WSL2 (linux_xdg_open_failed) and headless environments
  • Add a quick-reference table of all supported auth modes, their use cases, and the required library

Auth modes after this PR

Mode Use case
ActiveDirectoryServicePrincipal CI/CD — app registration (client ID + secret)
ActiveDirectoryManagedIdentity Azure VM / App Service / AKS — no credentials
ActiveDirectoryDefault Developer laptop — az login fallback chain
ActiveDirectoryAzCli Developer laptop — explicit az login token
ActiveDirectoryWorkloadIdentity Kubernetes OIDC workload identity
ActiveDirectoryPassword Deprecated — blocked by MFA enforcement

…orkloadIdentity auth

Closes #1754

mssql-jdbc 12.6.1 supports ActiveDirectoryDefault, ActiveDirectoryAzCli,
and ActiveDirectoryWorkloadIdentity but delegates them to the azure-identity
library (com.azure:azure-identity), which was not previously bundled.  Users
hitting these modes got:

  java.lang.NoClassDefFoundError: com/azure/identity/DefaultAzureCredentialBuilder

Add azure-identity 1.11.1 (the version mssql-jdbc 12.6.1 was certified
against) to deps.edn so all non-browser-dependent Entra ID auth modes work
out of the box.  The SLF4J version conflict flagged by downstream workarounds
(miljodir/DataEngineerPersona#6) does not affect the uberjar: Maven resolves
to the newer slf4j-api already present via logback-classic.

Also update docs/ref/mssql.rst:
- Add ActiveDirectoryDefault (developer az login workflow, WSL2-safe),
  ActiveDirectoryAzCli, ActiveDirectoryWorkloadIdentity with examples
- Deprecation note on ActiveDirectoryPassword (blocked by MFA enforcement
  in most modern Entra tenants, returns AADSTS50076)
- Correct the ActiveDirectoryInteractive note: it works on native Windows /
  macOS / Linux desktops but fails in WSL2 (linux_xdg_open_failed) and
  headless environments; ActiveDirectoryDefault is the practical alternative
- Quick-reference table of all auth modes and their use cases

Add classpath assertion test for DefaultAzureCredentialBuilder, mirroring
the existing MSAL4J test added in #1753.
@dimitri dimitri merged commit 3c90c0d into main Jul 6, 2026
37 checks passed
@dimitri dimitri deleted the fix/mssql-azure-identity branch July 6, 2026 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support for more personal authentication modes for Azure SQL

1 participant