sqlcmd advertises ActiveDirectoryServicePrincipalAccessToken via --authentication-method (see the help string in cmd/sqlcmd/sqlcmd.go around line 454), but the method does not actually work end-to-end.
Root cause
The go-mssqldb azuread connector for this method expects the pre-obtained bearer token to arrive in the connection string as the password. sqlcmd's pkg/sqlcmd/connect.go only attaches url.UserPassword(UserName, Password) to the URL for a specific set of methods (SqlPassword, ActiveDirectoryPassword, ActiveDirectoryServicePrincipal, ActiveDirectoryApplication, ActiveDirectoryClientAssertion). ActiveDirectoryServicePrincipalAccessToken is not in that list, so the value of -P / SQLCMDPASSWORD is silently dropped and the driver receives no token.
Repro
SQLCMDPASSWORD=<a valid AAD access token> sqlcmd -S <server> --authentication-method ActiveDirectoryServicePrincipalAccessToken -U <ignored>
Driver fails because no token was passed.
Suggested fix
Add ActiveDirectoryServicePrincipalAccessToken (and audit other azuread methods for the same gap) to the password-propagation branch in pkg/sqlcmd/connect.go.
Context
Surfaced in #639 while updating README docs to enumerate the supported --authentication-method values.
sqlcmd advertises ActiveDirectoryServicePrincipalAccessToken via --authentication-method (see the help string in cmd/sqlcmd/sqlcmd.go around line 454), but the method does not actually work end-to-end.
Root cause
The go-mssqldb azuread connector for this method expects the pre-obtained bearer token to arrive in the connection string as the password. sqlcmd's pkg/sqlcmd/connect.go only attaches
url.UserPassword(UserName, Password)to the URL for a specific set of methods (SqlPassword,ActiveDirectoryPassword,ActiveDirectoryServicePrincipal,ActiveDirectoryApplication,ActiveDirectoryClientAssertion).ActiveDirectoryServicePrincipalAccessTokenis not in that list, so the value of-P/SQLCMDPASSWORDis silently dropped and the driver receives no token.Repro
Driver fails because no token was passed.
Suggested fix
Add
ActiveDirectoryServicePrincipalAccessToken(and audit other azuread methods for the same gap) to the password-propagation branch inpkg/sqlcmd/connect.go.Context
Surfaced in #639 while updating README docs to enumerate the supported --authentication-method values.