[WIP] Fix 2FA enforcement in azd auth login --fresh command #6691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Copilot wants to merge 10 commits into main from copilot/vscode-ml5m06i3-9hw7

+36 −11

cli/azd/cmd/auth_login.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ import ( @@
     	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
     	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+    	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
     	"github.com/MakeNowJust/heredoc/v2"
     	"github.com/azure/azure-dev/cli/azd/cmd/actions"
     	"github.com/azure/azure-dev/cli/azd/internal"
@@ Expand Down Expand Up / @@ -79,6 +80,7 @@ type loginFlags struct { @@
     	scopes                 []string
     	claims                 string
     	redirectPort           int
+    	forceLoginPrompt       bool
     	global                 *internal.GlobalCommandOptions
     }
@@ Expand Down Expand Up @@
     		"redirect-port",
 ,
     		"Choose the port to be used as part of the redirect URI during interactive login.")
+    	local.BoolVar(
+    		&lf.forceLoginPrompt,
+    		"fresh",
+    		false,
+    		"Force re-authentication by ignoring any cached credentials. "+
+    			"Use this to ensure 2FA/MFA is re-validated.")
     	if oneauth.Supported {
     		local.BoolVar(&lf.browser, "browser", false, "Authenticate in a web browser instead of an integrated dialog.")
     	}
@@ Expand Down Expand Up / @@ -597,15 +605,18 @@ func (la *loginAction) login(ctx context.Context) error { @@
     	if oneauth.Supported && !la.flags.browser {
     		err = la.authManager.LoginWithOneAuth(ctx, la.flags.tenantID, la.flags.scopes)
     	} else {
-    		_, err = la.authManager.LoginInteractive(ctx, la.flags.scopes, claims,
-    			&auth.LoginInteractiveOptions{
-    				TenantID:     la.flags.tenantID,
-    				RedirectPort: la.flags.redirectPort,
-    				WithOpenUrl: func(url string) error {
-    					openWithDefaultBrowser(ctx, la.console, url)
-    					return nil
-    				},
-    			})
+    		loginOptions := &auth.LoginInteractiveOptions{
+    			TenantID:     la.flags.tenantID,
+    			RedirectPort: la.flags.redirectPort,
+    			WithOpenUrl: func(url string) error {
+    				openWithDefaultBrowser(ctx, la.console, url)
+    				return nil
+    			},
+    		}
+    		if la.flags.forceLoginPrompt {
+    			loginOptions.Prompt = public.PromptLogin
+    		}
+    		_, err = la.authManager.LoginInteractive(ctx, la.flags.scopes, claims, loginOptions)
     	}
     	if err != nil {
     		err = fmt.Errorf("logging in: %w", err)
@@ Expand Down @@

cli/azd/cmd/testdata/TestFigSpec.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -650,6 +650,10 @@ const completionSpec: Fig.Spec = { @@
     								},
     							],
     						},
+    						{
+    							name: ['--fresh'],
+    							description: 'Force re-authentication by ignoring any cached credentials. Use this to ensure 2FA/MFA is re-validated.',
+    						},
     						{
     							name: ['--managed-identity'],
     							description: 'Use a managed identity to authenticate.',
@@ Expand Down @@

cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,7 @@ Flags @@
             --client-id string                     	: The client id for the service principal to authenticate with.
             --client-secret string                 	: The client secret for the service principal to authenticate with. Set to the empty string to read the value from the console.
             --federated-credential-provider string 	: The provider to use to acquire a federated token to authenticate with. Supported values: github, azure-pipelines, oidc
+            --fresh                                	: Force re-authentication by ignoring any cached credentials. Use this to ensure 2FA/MFA is re-validated.
             --managed-identity                     	: Use a managed identity to authenticate.
             --redirect-port int                    	: Choose the port to be used as part of the redirect URI during interactive login.
             --tenant-id string                     	: The tenant id or domain name to authenticate with.
@@ Expand Down @@

cli/azd/go.mod

-Original file line number
+Diff line change
@@ Expand Up / @@ -166,3 +166,5 @@ require ( @@
     	google.golang.org/genproto/googleapis/rpc v0.0.0-20251007200510-49b9836ed3ff // indirect
     	gopkg.in/yaml.v3 v3.0.1 // indirect
     )
+    replace github.com/AzureAD/microsoft-authentication-library-for-go => github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905

cli/azd/go.sum

-Original file line number
+Diff line change
@@ Expand Up @@
     github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2/go.mod h1:k+mEZ4f1pVqZTRqtSDW2AhZ/3wT5qLpsUA75C/k7dtE=
     github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
     github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-    github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-    github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
     github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A=
     github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM=
     github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@@ Expand Down Expand Up @@
     github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
     github.com/tmc/langchaingo v0.1.14 h1:o1qWBPigAIuFvrG6cjTFo0cZPFEZ47ZqpOYMjM15yZc=
     github.com/tmc/langchaingo v0.1.14/go.mod h1:aKKYXYoqhIDEv7WKdpnnCLRaqXic69cX9MnDUk72378=
+    github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905 h1:kPN5hqBseNDDXlZxIKWi48WpPwyHcLsPB/5lMiZWNLQ=
+    github.com/vhvb1989/microsoft-authentication-library-for-go v0.0.0-20260202200120-876f224a6905/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
     github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
     github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
     github.com/x-cray/logrus-prefixed-formatter v0.5.2 h1:00txxvfBM9muc0jiLIEAkAcIMJzfthRT6usrui8uGmg=
@@ Expand Down @@

cli/azd/pkg/auth/manager.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -672,6 +672,9 @@ type LoginInteractiveOptions struct { @@
     	TenantID     string
     	RedirectPort int
     	WithOpenUrl  WithOpenUrl
+    	// Prompt specifies the type of user interaction during login.
+    	// Use public.PromptLogin to force re-authentication and 2FA/MFA validation.
+    	Prompt public.Prompt
     }
     // LoginInteractive opens a browser for authenticate the user.
@@ Expand Down Expand Up / @@ -717,6 +720,10 @@ func (m *Manager) LoginInteractive( @@
     		acquireTokenOptions = append(acquireTokenOptions, public.WithClaims(claims))
     	}
+    	if options.Prompt != "" {
+    		acquireTokenOptions = append(acquireTokenOptions, public.WithPrompt(options.Prompt))
+    	}
     	res, err := m.publicClient.AcquireTokenInteractive(ctx, scopes, acquireTokenOptions...)
     	if err != nil {
     		return nil, err
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[WIP] Fix 2FA enforcement in azd auth login --fresh command #6691

Diff view

Diff view

There are no files selected for viewing

Uh oh!

[WIP] Fix 2FA enforcement in azd auth login --fresh command #6691

Are you sure you want to change the base?

[WIP] Fix 2FA enforcement in azd auth login --fresh command #6691

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!