
Token encryption cache - exception handling improvements when attempting to decrypt #30402

@erwinkramer

Description

Related command
az account show
az account get-access-token

Is your feature request related to a problem? Please describe.
The core problem is the lack of interoperability of encrypted token caches between different OSes.

Related to a bunch of open issues (not limited to):
Azure/azure-sdk-for-net#19167
#21010
#27176
AzureAD/microsoft-authentication-library-for-dotnet#3033

Describe the solution you'd like
When attempting to access/decrypt an encrypted (MSAL) token cache on an unsupported OS, there should be a very clear message explaining the compatibility, and/or linked to a troubleshooting guide.

I'm not asking for a working encrypted token cache solution in this feature/issue, as there are already enough open issues for that (see above). I don't feel that those will be solved any time soon, and even if they are solved, new decryption issues will always pop up somewhere.

Suggested error message would be something like: "Encrypted credentials found but not able to decrypt". This would help a ton, because then I know:

  1. there are actually credentials stored
  2. there is a problem with the credentials in the way I attempt to use them on the OS

Additional context
Current error when calling az account get-access-token when the cache is encrypted but accessed from an OS that does not support it:

The command failed with an unexpected error. Here is the traceback:
Unable to import module 'gi'
Runtime dependency of PyGObject is missing.

Current error message when using DefaultAzureCredential when the cache is encrypted but accessed from an OS that does not support it:

- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.
- Visual Studio Token provider can't be accessed at /root/.IdentityService/AzureServiceAuth/tokenprovider.json
- Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: Unable to import module 'gi'
Runtime dependency of PyGObject is missing.
Depends on your Linux distro, you could install it system-wide by something like:
    sudo apt install python3-gi python3-gi-cairo gir1.2-secret-1
If necessary, please refer to PyGObject's doc:
https://pygobject.readthedocs.io/en/latest/getting_started.html
Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/msal_extensions/libsecret.py", line 18, in <module>
    import gi  # https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/Encryption-on-Linux  # pylint: disable=line-too-long
    ^^^^^^^^^
ModuleNotFoundError: No module named 'gi'

etc...

The message when calling az account show is a 200 response with the account details, where it seems there are no problems. It is questionable that it should return a 200, maybe that should throw an error or at the very least a warning, explicitly noting that there is an issue with the current stored MSAL credentials.

Tagging @jiasli as recommended by @rayluo in AzureAD/microsoft-authentication-library-for-dotnet#3033 (comment)
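As an added example (not code from this issue, the Azure CLI, or MSAL), the sketch below shows the classification the request asks for: a cache loader that tells "no credentials stored" apart from "credentials stored but not decryptable on this OS", and that turns a missing-backend ImportError (the 'gi' case above) into the explicit message suggested in the issue instead of a raw traceback. The decrypt callables, the cache blob and the troubleshooting URL are constructed stand-ins, not real MSAL or Azure CLI routines.

```python
"""Classify why an encrypted token cache could not be read, so the caller can
tell 'no credentials stored' apart from 'credentials stored but undecryptable
on this OS'. Added example; not Azure CLI or MSAL code."""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Placeholder link (hypothetical); the issue asks for such a guide to exist.
TROUBLESHOOT_URL = "https://example.invalid/token-cache-troubleshooting"

# Wording taken from the issue's suggested message.
UNDECRYPTABLE_PREFIX = "Encrypted credentials found but not able to decrypt"


@dataclass
class CacheDiagnosis:
    status: str                  # "no_cache" | "ok" | "backend_missing" | "undecryptable"
    message: str                 # actionable text for the user
    cause: Optional[str] = None  # underlying technical detail, for logs


def diagnose_token_cache(path: str, decrypt: Callable[[bytes], bytes]) -> CacheDiagnosis:
    """Read the cache at `path` and decrypt it with `decrypt` (assumed to be the
    platform-specific routine, e.g. DPAPI on Windows, libsecret on Linux), and map
    every failure to a distinct, explicit diagnosis instead of a raw traceback."""
    if not os.path.exists(path):
        return CacheDiagnosis("no_cache", f"No token cache found at {path}.")
    with open(path, "rb") as fh:
        blob = fh.read()
    try:
        decrypt(blob)
    except ImportError as exc:
        # The decryption backend itself is not importable: credentials exist,
        # but this OS/install cannot decrypt them.
        return CacheDiagnosis(
            "backend_missing",
            f"{UNDECRYPTABLE_PREFIX}: the encryption backend for this OS is not "
            f"installed. See {TROUBLESHOOT_URL}",
            cause=f"missing module: {exc.name}",
        )
    except Exception as exc:  # backend present but it rejects the blob
        return CacheDiagnosis(
            "undecryptable",
            f"{UNDECRYPTABLE_PREFIX}: the cache may have been encrypted on another "
            f"OS or by another user. See {TROUBLESHOOT_URL}",
            cause=repr(exc),
        )
    return CacheDiagnosis("ok", "Token cache decrypted successfully.")


# --- Constructed stand-ins for the platform decryptor (hypothetical) ---------

def working_decrypt(blob: bytes) -> bytes:
    return blob  # stands in for a backend that accepts the blob


def backend_missing_decrypt(blob: bytes) -> bytes:
    # Mirrors the failure quoted in the issue: PyGObject/libsecret absent.
    raise ModuleNotFoundError("No module named 'gi'", name="gi")


def foreign_blob_decrypt(blob: bytes) -> bytes:
    # Backend available, but the blob was not produced for this OS/user.
    raise ValueError("blob was not encrypted for this keyring")


def demo_scenarios() -> dict:
    """Run the four outcomes against a constructed cache file; returns a diagnosis per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache_path = os.path.join(tmp, "msal_token_cache.bin")
        with open(cache_path, "wb") as fh:
            fh.write(b"OPAQUE-CONSTRUCTED-CIPHERTEXT")  # constructed, not a real cache
        results["missing"] = diagnose_token_cache(os.path.join(tmp, "absent.bin"), working_decrypt)
        results["backend_missing"] = diagnose_token_cache(cache_path, backend_missing_decrypt)
        results["foreign_blob"] = diagnose_token_cache(cache_path, foreign_blob_decrypt)
        results["ok"] = diagnose_token_cache(cache_path, working_decrypt)
    return results


if __name__ == "__main__":
    for name, diag in demo_scenarios().items():
        print(f"{name:15} {diag.status:16} {diag.message}")
```

The point of keeping `cause` separate from `message` is that the user-facing text stays short and actionable while the raw exception (module name, backend error) still reaches the log for troubleshooting; the two failure statuses also give a caller such as an `az account show` style command something concrete to warn about rather than silently reporting success.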

Labels: ARM, Auto-Assign, Azure CLI Team, customer-reported, question