Skip to content

fix: prefer interactive browser auth over device code in scripts/auth.py#45

Closed
suyask-msft wants to merge 1 commit into
mainfrom
feat/auth-interactive-browser-first
Closed

fix: prefer interactive browser auth over device code in scripts/auth.py#45
suyask-msft wants to merge 1 commit into
mainfrom
feat/auth-interactive-browser-first

Conversation

@suyask-msft
Copy link
Copy Markdown
Collaborator

@suyask-msft suyask-msft commented Apr 23, 2026
edited
Loading

Summary

Default auth flow for local development now opens a browser once and completes silently, rather than prompting the user to copy a device code into the browser on every new process. The previous DeviceCodeCredential flow led to multiple code-copy cycles during a single setup in real-world testing, even on machines that had browsers available.

Changes

Priority order in scripts/auth.py

Before:

  1. Service principal (CLIENT_ID + CLIENT_SECRET)
  2. DeviceCodeCredential (always)

After:

  1. Service principal (unchanged)
  2. InteractiveBrowserCredential — default for local dev, opens browser once
  3. DeviceCodeCredential — explicit opt-in via DATAVERSE_AUTH_DEVICE_CODE=1 for headless/CI/SSH

New env var

DATAVERSE_AUTH_DEVICE_CODE=1 — set in the environment (or .env) to force device-code flow. Intended for scenarios where no browser is available.

Error handling

If interactive browser auth fails (e.g., no browser), the error message now explicitly points to DATAVERSE_AUTH_DEVICE_CODE=1 as the fallback.

Token caching unchanged

Both interactive credentials share the same TokenCachePersistenceOptions (OS credential store) and AuthenticationRecord persistence, so:

  • First login: one prompt (browser or device code depending on choice)
  • Subsequent processes: silent refresh via persisted record
  • No change to cache location or behavior

Evidence

During real-world testing, users on Windows development machines saw multiple device-code prompts across several auth.py invocations in a single setup, despite having a working browser. Each prompt required manually copying the code and completing a browser sign-in.

Version bump

1.2.0 → 1.2.1 (PATCH — script-level fix, no skill behavior change, no breaking change for users who already have DATAVERSE_AUTH_DEVICE_CODE=1 or a working token cache)

Test plan

  • Python syntax check (ast.parse) — passes
  • python .github/evals/static_checks.py — passes
  • python .github/evals/version_bump_check.py — passes
  • Manually verify on a Windows dev machine: fresh dv-connect flow opens a browser once, no code-copy prompts
  • Manually verify DATAVERSE_AUTH_DEVICE_CODE=1 forces device code flow
  • Manually verify token cache from InteractiveBrowserCredential is reused by subsequent processes

@suyask-msft @claude
fix: prefer interactive browser auth over device code in scripts/auth.py
50468c9 
Default auth flow for local development now opens a browser once and
completes silently, rather than prompting the user to copy a device code
into the browser on every new process. The previous DeviceCodeCredential
flow led to 3+ code-copy cycles during a single setup in real session
logs, even though the target machines had browsers available.

Changes to scripts/auth.py:
- New priority order: service principal -> InteractiveBrowserCredential
  -> DeviceCodeCredential (opt-in fallback)
- Added DATAVERSE_AUTH_DEVICE_CODE=1 env var as explicit opt-in for
  device-code flow (for headless/CI/SSH environments with no browser)
- Both interactive credentials share the same TokenCachePersistenceOptions
  and AuthenticationRecord, so token caching behavior is unchanged
- If browser auth fails, error messages now suggest the device-code fallback
- get_token() now handles both InteractiveBrowserCredential and
  DeviceCodeCredential for first-login AuthenticationRecord persistence

Version bump: 1.2.0 -> 1.2.1 (PATCH -- script-level fix, no skill behavior
change, no breaking change for users who already had DATAVERSE_AUTH_DEVICE_CODE
or a working token cache).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@suyask-msft suyask-msft requested a review from a team as a code owner April 23, 2026 02:13
@suyask-msft
Copy link
Copy Markdown
Collaborator Author

suyask-msft commented Apr 23, 2026

Closing in favor of a more focused fix. The core friction observed in real-world testing turned out to be cross-tenant AuthenticationRecord invalidation (user re-authing every time they switched tenants), not the DeviceCodeCredential vs InteractiveBrowserCredential choice. The smaller, lower-risk fix (per-tenant AuthenticationRecord keying) will land as a separate PR. The broader 'switch credential type' question deserves multi-environment testing before shipping — parking for now.

@suyask-msft suyask-msft mentioned this pull request Apr 23, 2026
Open
6 tasks
@suyask-msft suyask-msft deleted the feat/auth-interactive-browser-first branch April 28, 2026 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@suyask-msft