Sign in with Claims Challenge #28193
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Yeming Liu <[email protected]>
| Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status. |
|
Updates are aleady reviewed and the PR can be squashed |
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for claims challenge authentication to Connect-AzAccount and improves error handling for MFA policy violations.
- Introduces a new
-ClaimsChallengeparameter and propagates it through authentication flows. - Implements parsing, formatting, and processing of claims challenges in MSAL and HTTP handlers.
- Refines exception types and error messages, including localized resources and updated tests.
Reviewed Changes
Copilot reviewed 17 out of 19 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/Accounts/Authenticators/MsalAccessToken.cs | Implemented IClaimsChallengeProcessor and OnClaimsChallenageAsync. |
| src/Accounts/Authenticators/InteractiveWamAuthenticator.cs | Pass claimsChallenge into TokenRequestContext. |
| src/Accounts/Authenticators/InteractiveUserAuthenticator.cs | Pass claimsChallenge into TokenRequestContext. |
| src/Accounts/Authentication/Utilities/ClaimsChallengeUtilities.cs | Added parsing and formatting utilities for claims challenges. |
| src/Accounts/Authentication/Properties/Resources.resx | Added localized error message for invalid claims challenge format. |
| src/Accounts/Authentication/Factories/AuthenticationFactory.cs | Extended factory overloads to accept claimsChallenge. |
| src/Accounts/Authentication/ClaimsChallengeHandler.cs | Updated HTTP handler to process claims challenges and throw AzPSAuthenticationFailedException. |
| src/Accounts/Authentication/Authentication/Parameters/InteractiveWamParameters.cs | Added ClaimsChallenge property. |
| src/Accounts/Authentication/Authentication/Parameters/InteractiveParameters.cs | Added ClaimsChallenge property. |
| src/Accounts/Authentication/Authentication/IClaimsChallengeProcessor.cs | Updated documentation for OnClaimsChallenageAsync. |
| src/Accounts/Accounts/help/Connect-AzAccount.md | Updated help examples and parameter listings for -ClaimsChallenge. |
| src/Accounts/Accounts/Properties/Resources.resx | Added InvalidClaimsChallenge resource entry. |
| src/Accounts/Accounts/Models/RMProfileClient.cs | Extended AcquireAccessToken and Login to accept claimsChallenge. |
| src/Accounts/Accounts/CommonModule/ContextAdapter.cs | Adapted context authentication to handle claims challenges. |
| src/Accounts/Accounts/ChangeLog.md | Updated changelog for upcoming release. |
| src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs | Added parameter and parsing logic for -ClaimsChallenge. |
| src/Accounts/Accounts.Test/SilentReAuthByTenantCmdletTest.cs | Updated tests to expect AzPSAuthenticationFailedException. |
Files not reviewed (2)
- src/Accounts/Accounts/Properties/Resources.Designer.cs: Language not supported
- src/Accounts/Authentication/Properties/Resources.Designer.cs: Language not supported
Comments suppressed due to low confidence (6)
src/Accounts/Authenticators/MsalAccessToken.cs:136
- The method name 'OnClaimsChallenageAsync' contains a typo (Challenage → Challenge). Consider renaming it to 'OnClaimsChallengeAsync' for clarity.
public async ValueTask<bool> OnClaimsChallenageAsync(HttpRequestMessage request, string claimsChallenge, CancellationToken cancellationToken)
src/Accounts/Authentication/Factories/AuthenticationFactory.cs:224
- [nitpick] Typo in variable name 'authParamters'. It should be 'authParameters' to match standard naming conventions.
var authParamters = GetAuthenticationParameters(tokenCacheProvider, account, environment, tenant, password, promptBehavior, promptAction, claimsChallenge, tokenCache, resourceId);
src/Accounts/Authentication/Authentication/Parameters/InteractiveWamParameters.cs:24
- [nitpick] Add an XML doc-comment describing the purpose of the new
ClaimsChallengeproperty.
public string ClaimsChallenge { get; set; }
src/Accounts/Authentication/Authentication/Parameters/InteractiveParameters.cs:24
- [nitpick] Add an XML doc-comment describing the purpose of the new
ClaimsChallengeproperty.
public string ClaimsChallenge { get; set; }
src/Accounts/Accounts/help/Connect-AzAccount.md:21
- [nitpick] The
[<CommonParameters>]line is detached from the main parameter list. Merge it into the previous line to maintain proper code example formatting.
[<CommonParameters>]
src/Accounts/Accounts/Properties/Resources.resx:640
- [nitpick] The new resource 'InvalidClaimsChallenge' is missing a
<comment>element. Consider adding one to clarify usage or placeholders.
<data name="InvalidClaimsChallenge" xml:space="preserve">
| /// <param name="request"></param> | ||
| /// <param name="claimsChallenge"></param> | ||
| /// <param name="cancellationToken"></param> | ||
| /// <returns>A boolean indicated whether the request should be retried. Throws if the reauth fails.</returns> |
There was a problem hiding this comment.
[nitpick] Grammar in the <returns> comment should use 'indicates' instead of 'indicated' to read: 'A boolean indicates whether…'.
Suggested change
| /// <returns>A boolean indicated whether the request should be retried. Throws if the reauth fails.</returns> | |
| /// <returns>A boolean indicates whether the request should be retried. Throws if the reauth fails.</returns> |
Copilot uses AI. Check for mistakes.
| { | ||
| return Enumerable.Repeat(response, 1) | ||
| .Where(r => r.MatchClaimsChallengePattern()) | ||
| .Select(r => r.Headers.WwwAuthenticate.FirstOrDefault().ToString()) |
There was a problem hiding this comment.
Calling .ToString() on FirstOrDefault() can throw a NullReferenceException when there is no WWW-Authenticate header. Add a filter or null-check before invoking .ToString().
Suggested change
| .Select(r => r.Headers.WwwAuthenticate.FirstOrDefault().ToString()) | |
| .Select(r => r.Headers.WwwAuthenticate.FirstOrDefault()?.ToString() ?? string.Empty) |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request introduces support for claims challenge authentication in the
Connect-AzAccountcmdlet and refines error handling for policy violations related to Multi-Factor Authentication (MFA). Key changes include the addition of a new parameter, improved error messages, and updates to authentication logic across multiple files.Claims Challenge Authentication Enhancements:
-ClaimsChallengeparameter to theConnect-AzAccountcmdlet to support claims challenge authentication for MFA. [1] [2]RMProfileClientandContextAdapterto handle claims challenges, including parsing and processing claims challenge strings. [1] [2]Error Handling Improvements:
AuthenticationFailedExceptionwithAzPSAuthenticationFailedExceptionfor better clarity. [1] [2]Resources.resx. [1] [2]Mandatory Checklist
Please choose the target release of Azure PowerShell. (⚠️ Target release is a different concept from API readiness. Please click below links for details.)
Check this box to confirm: I have read the Submitting Changes section of
CONTRIBUTING.mdand reviewed the following information:ChangeLog.mdfile(s) appropriatelysrc/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.## Upcoming Releaseheader in the past tense.ChangeLog.mdif no new release is required, such as fixing test case only.