Refine claims challenge handling to ignore whitespace-only claims and add comprehensive tests

Co-authored-by: xiangyan99 <[email protected]>

Author: Copilot

sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py

@@ -113,7 +113,7 @@ def get_token(
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-        if claims:
+        if claims and claims.strip():
             raise CredentialUnavailableError(f"Fail to get token, please run az login --claims-challenge {claims}")
 
         options: TokenRequestOptions = {}
@@ -144,7 +144,7 @@ def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptions] =
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-        if options and options.get("claims"):
+        if options and options.get("claims") and options.get("claims").strip():
             claims = options["claims"]
             raise CredentialUnavailableError(f"Fail to get token, please run az login --claims-challenge {claims}")
 

sdk/identity/azure-identity/azure/identity/aio/_credentials/azure_cli.py

@@ -104,7 +104,7 @@ async def get_token(
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-        if claims:
+        if claims and claims.strip():
             raise CredentialUnavailableError(f"Fail to get token, please run az login --claims-challenge {claims}")
 
         # only ProactorEventLoop supports subprocesses on Windows (and it isn't the default loop on Python < 3.8)
@@ -139,7 +139,7 @@ async def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptio
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-        if options and options.get("claims"):
+        if options and options.get("claims") and options.get("claims").strip():
             claims = options["claims"]
             raise CredentialUnavailableError(f"Fail to get token, please run az login --claims-challenge {claims}")
 

sdk/identity/azure-identity/tests/test_cli_credential.py

@@ -432,6 +432,10 @@ def test_empty_claims_does_not_raise_error(get_token_method):
                 # Test with None explicitly
                 token = AzureCliCredential().get_token("scope", claims=None)
                 assert token.token == "token"
+                
+                # Test with whitespace-only string
+                token = AzureCliCredential().get_token("scope", claims="   ")
+                assert token.token == "token"
             else:  # get_token_info
                 # Test with None options
                 token = AzureCliCredential().get_token_info("scope")
@@ -448,3 +452,7 @@ def test_empty_claims_does_not_raise_error(get_token_method):
                 # Test with empty string claims in options 
                 token = AzureCliCredential().get_token_info("scope", options={"claims": ""})
                 assert token.token == "token"
+                
+                # Test with whitespace-only claims in options
+                token = AzureCliCredential().get_token_info("scope", options={"claims": "   "})
+                assert token.token == "token"

sdk/identity/azure-identity/tests/test_cli_credential_async.py

@@ -434,6 +434,10 @@ async def test_empty_claims_does_not_raise_error(get_token_method):
                 # Test with None explicitly
                 token = await AzureCliCredential().get_token("scope", claims=None)
                 assert token.token == "access-token"
+                
+                # Test with whitespace-only string
+                token = await AzureCliCredential().get_token("scope", claims="   ")
+                assert token.token == "access-token"
             else:  # get_token_info
                 # Test with None options
                 token = await AzureCliCredential().get_token_info("scope")
@@ -450,3 +454,7 @@ async def test_empty_claims_does_not_raise_error(get_token_method):
                 # Test with empty string claims in options 
                 token = await AzureCliCredential().get_token_info("scope", options={"claims": ""})
                 assert token.token == "access-token"
+                
+                # Test with whitespace-only claims in options
+                token = await AzureCliCredential().get_token_info("scope", options={"claims": "   "})
+                assert token.token == "access-token"