Add MFA support to Identity Pwsh credential (#46480)

g2vinay · web-flow · commit baeaf38509b1 · 2025-08-25T11:20:03.000-07:00
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## 1.18.0-beta.1 (Unreleased)
 
+- Added claims challenge handling support to `AzurePowerShellCredential`. When a token request includes claims, the credential will now throw a `CredentialUnavailableException` with instructions to use Azure PowerShell directly with the appropriate `-ClaimsChallenge` parameter.
+
 ### Features Added
 
 ### Breaking Changes
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/AzurePowerShellCredential.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/AzurePowerShellCredential.java
@@ -15,47 +15,53 @@
 import reactor.core.publisher.Mono;
 
 /**
- * <p>The Azure Powershell is a command-line tool that allows users to manage Azure resources from their local machine
- * or terminal. It allows users to
- * <a href="https://learn.microsoft.com/powershell/azure/authenticate-azureps">authenticate interactively</a>
- * as a user and/or a service principal against
- * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>.
- * The AzurePowershellCredential authenticates in a development environment and acquires a token on behalf of the
- * logged-in user or service principal in Azure Powershell. It acts as the Azure Powershell logged in user or
- * service principal and executes an Azure Powershell command underneath to authenticate the application against
- * Microsoft Entra ID.</p>
- *
- * <h2>Configure AzurePowershellCredential</h2>
- *
- * <p> To use this credential, the developer needs to authenticate locally in Azure Powershell using one of the
- * commands below:</p>
- *
- * <ol>
- *     <li>Run "Connect-AzAccount" in Azure Powershell to authenticate as a user.</li>
- *     <li>Run "Connect-AzAccount -ServicePrincipal -ApplicationId {servicePrincipalId} -Tenant {tenantId}
- *     -CertificateThumbprint {thumbprint} to authenticate as a service principal."</li>
- * </ol>
- *
- * <p>You may need to repeat this process after a certain time period, depending on the refresh token validity in your
- * organization. Generally, the refresh token validity period is a few weeks to a few months. AzurePowershellCredential
- * will prompt you to sign in again.</p>
- *
- * <p><strong>Sample: Construct AzurePowershellCredential</strong></p>
- *
- * <p>The following code sample demonstrates the creation of a {@link com.azure.identity.AzurePowerShellCredential},
- * using the {@link com.azure.identity.AzurePowerShellCredentialBuilder} to configure it. Once this credential is
- * created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential'
- * parameter.</p>
- *
- * <!-- src_embed com.azure.identity.credential.azurepowershellcredential.construct -->
- * <pre>
- * TokenCredential powerShellCredential = new AzurePowerShellCredentialBuilder&#40;&#41;.build&#40;&#41;;
- * </pre>
- * <!-- end com.azure.identity.credential.azurepowershellcredential.construct -->
- *
- * @see com.azure.identity
- * @see AzurePowerShellCredentialBuilder
- */
+* <p>The Azure Powershell is a command-line tool that allows users to manage Azure resources from their local machine
+* or terminal. It allows users to
+* <a href="https://learn.microsoft.com/powershell/azure/authenticate-azureps">authenticate interactively</a>
+* as a user and/or a service principal against
+* <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>.
+* The AzurePowershellCredential authenticates in a development environment and acquires a token on behalf of the
+* logged-in user or service principal in Azure Powershell. It acts as the Azure Powershell logged in user or
+* service principal and executes an Azure Powershell command underneath to authenticate the application against
+* Microsoft Entra ID.</p>
+*
+* <h2>Configure AzurePowershellCredential</h2>
+*
+* <p> To use this credential, the developer needs to authenticate locally in Azure Powershell using one of the
+* commands below:</p>
+*
+* <ol>
+*     <li>Run "Connect-AzAccount" in Azure Powershell to authenticate as a user.</li>
+*     <li>Run "Connect-AzAccount -ServicePrincipal -ApplicationId {servicePrincipalId} -Tenant {tenantId}
+*     -CertificateThumbprint {thumbprint} to authenticate as a service principal."</li>
+* </ol>
+*
+* <p>You may need to repeat this process after a certain time period, depending on the refresh token validity in your
+* organization. Generally, the refresh token validity period is a few weeks to a few months. AzurePowershellCredential
+* will prompt you to sign in again.</p>
+*
+* <h2>Claims Challenges</h2>
+*
+* <p>Claims challenges are not supported by AzurePowerShellCredential. If a token request includes claims,
+* a {@link CredentialUnavailableException} will be thrown with instructions to use Azure PowerShell
+* directly with the appropriate -ClaimsChallenge parameter.</p>
+*
+* <p><strong>Sample: Construct AzurePowershellCredential</strong></p>
+*
+* <p>The following code sample demonstrates the creation of a {@link com.azure.identity.AzurePowerShellCredential},
+* using the {@link com.azure.identity.AzurePowerShellCredentialBuilder} to configure it. Once this credential is
+* created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential'
+* parameter.</p>
+*
+* <!-- src_embed com.azure.identity.credential.azurepowershellcredential.construct -->
+* <pre>
+* TokenCredential powerShellCredential = new AzurePowerShellCredentialBuilder&#40;&#41;.build&#40;&#41;;
+* </pre>
+* <!-- end com.azure.identity.credential.azurepowershellcredential.construct -->
+*
+* @see com.azure.identity
+* @see AzurePowerShellCredentialBuilder
+*/
 @Immutable
 public class AzurePowerShellCredential implements TokenCredential {
     private static final ClientLogger LOGGER = new ClientLogger(AzurePowerShellCredential.class);
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java
@@ -434,6 +434,13 @@ public Mono<AccessToken> authenticateWithOBO(TokenRequestContext request) {
 
     private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext request,
         PowershellManager powershellManager) {
+        // Check for claims challenge - if claims are provided, this credential cannot handle them
+        if (request.getClaims() != null && !request.getClaims().trim().isEmpty()) {
+            String errorMessage = buildPowerShellClaimsChallengeErrorMessage(request);
+            return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
+                new CredentialUnavailableException(errorMessage)));
+        }
+
         String scope = ScopeUtil.scopesToResource(request.getScopes());
         try {
             ScopeUtil.validateScope(scope);
@@ -474,6 +481,22 @@ private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext reque
         });
     }
 
+    private String buildPowerShellClaimsChallengeErrorMessage(TokenRequestContext request) {
+        StringBuilder connectAzCommand
+            = new StringBuilder("Connect-AzAccount -ClaimsChallenge '").append(request.getClaims().replace("'", "''"))  // Escape single quotes for PowerShell
+                .append("'");
+
+        // Add tenant if available
+        String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
+        if (!CoreUtils.isNullOrEmpty(tenant) && !tenant.equals(IdentityUtil.DEFAULT_TENANT)) {
+            connectAzCommand.append(" -Tenant ").append(tenant);
+        }
+
+        return String.format(
+            "Failed to get token. Claims challenges are not supported by AzurePowerShellCredential. Run %s to handle the claims challenge.",
+            connectAzCommand.toString());
+    }
+
     /**
      * Asynchronously acquire a token from Active Directory with a client secret.
      *
diff --git a/sdk/identity/azure-identity/src/test/java/com/azure/identity/AzurePowerShellCredentialTest.java b/sdk/identity/azure-identity/src/test/java/com/azure/identity/AzurePowerShellCredentialTest.java
@@ -9,6 +9,8 @@
 import com.azure.identity.util.TestUtils;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.MockedConstruction;
 import reactor.core.publisher.Mono;
 import reactor.test.StepVerifier;
@@ -68,4 +70,101 @@ public void azurePowerShellCredentialNotInstalledException() {
             Assertions.assertNotNull(identityClientMock);
         }
     }
+
+    @Test
+    public void testClaimsChallengeThrowsCredentialUnavailableException() {
+        // Test with claims provided
+        TokenRequestContext requestWithClaims
+            = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default")
+                .setClaims("{\"access_token\":{\"essential\":true}}");
+
+        AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().build();
+
+        // Test async version
+        StepVerifier.create(credential.getToken(requestWithClaims))
+            .expectErrorMatches(throwable -> throwable instanceof CredentialUnavailableException
+                && throwable.getMessage().contains("Claims challenges are not supported")
+                && throwable.getMessage().contains("Connect-AzAccount -ClaimsChallenge")
+                && throwable.getMessage().contains("access_token"))
+            .verify();
+    }
+
+    @Test
+    public void testPowerShellClaimsChallengeWithTenantAndScopes() {
+        TokenRequestContext requestWithClaims = new TokenRequestContext()
+            .addScopes("https://graph.microsoft.com/.default", "https://vault.azure.net/.default")
+            .setClaims("{\"access_token\":{\"essential\":true}}")
+            .setTenantId("tenant-id-123");
+
+        AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().tenantId("tenant-id-123").build();
+
+        // Test that error message includes tenant and mentions scopes
+        StepVerifier.create(credential.getToken(requestWithClaims))
+            .expectErrorMatches(throwable -> throwable instanceof CredentialUnavailableException
+                && throwable.getMessage().contains("-Tenant tenant-id-123"))
+            .verify();
+    }
+
+    @ParameterizedTest
+    @ValueSource(strings = { "", "   ", "\t", "\n" })
+    public void testEmptyClaimsDoesNotThrowException(String claims) {
+        TokenRequestContext request
+            = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default").setClaims(claims);
+
+        // Mock successful token acquisition for empty claims
+        try (MockedConstruction<IdentityClient> identityClientMock
+            = mockConstruction(IdentityClient.class, (identityClient, context) -> {
+                when(identityClient.authenticateWithAzurePowerShell(request))
+                    .thenReturn(TestUtils.getMockAccessToken("token", OffsetDateTime.now().plusHours(1)));
+            })) {
+
+            AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().build();
+
+            // Should not throw exception for empty/whitespace claims
+            StepVerifier.create(credential.getToken(request))
+                .expectNextMatches(accessToken -> "token".equals(accessToken.getToken()))
+                .verifyComplete();
+            Assertions.assertNotNull(identityClientMock);
+        }
+    }
+
+    @Test
+    public void testNullClaimsDoesNotThrowException() {
+        TokenRequestContext request
+            = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default").setClaims(null);
+
+        // Mock successful token acquisition for null claims
+        try (MockedConstruction<IdentityClient> identityClientMock
+            = mockConstruction(IdentityClient.class, (identityClient, context) -> {
+                when(identityClient.authenticateWithAzurePowerShell(request))
+                    .thenReturn(TestUtils.getMockAccessToken("token", OffsetDateTime.now().plusHours(1)));
+            })) {
+
+            AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().build();
+
+            // Should not throw exception for null claims
+            StepVerifier.create(credential.getToken(request))
+                .expectNextMatches(accessToken -> "token".equals(accessToken.getToken()))
+                .verifyComplete();
+            Assertions.assertNotNull(identityClientMock);
+        }
+    }
+
+    @Test
+    public void testClaimsChallengeEscapesSingleQuotes() {
+        // Test with claims that contain single quotes (needs proper PowerShell escaping)
+        TokenRequestContext requestWithClaims
+            = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default")
+                .setClaims("{\"access_token\":{\"claim\":\"value's test\"}}");
+
+        AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().build();
+
+        // Test that single quotes are properly escaped for PowerShell
+        StepVerifier.create(credential.getToken(requestWithClaims))
+            .expectErrorMatches(throwable -> throwable instanceof CredentialUnavailableException
+                && throwable.getMessage().contains("Connect-AzAccount -ClaimsChallenge")
+                && throwable.getMessage().contains("value''s test")  // Single quote should be escaped to ''
+            )
+            .verify();
+    }
 }
