[Identity] Refactor broker logic (#42375)

We want to attempt silent auth regardless of platform. If silent auth is
not supported, MSAL will return an error response that we can propagate
to the user.

- `use_default_broker_account` applies on all platforms
- If interactive fallback is disabled, then we won't attempt interactive
  login.
- Browser-based fallback is still attempted on non-Windows/WSL
  environments (maintaining current behavior).

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity-broker/CHANGELOG.md

@@ -1,14 +1,10 @@
 # Release History
 
-## 1.3.0b3 (Unreleased)
+## 1.3.0 (2025-08-07)
 
 ### Features Added
 
-### Breaking Changes
-
-### Bugs Fixed
-
-### Other Changes
+- Allow silent authentication attempts on all platforms. Previously, `use_default_broker_account=True` in `InteractiveBrowserBrokerCredential` only applied to Windows/WSL. ([#42375](https://github.com/Azure/azure-sdk-for-python/pull/42375))
 
 ## 1.3.0b2 (2025-07-17)
 

sdk/identity/azure-identity-broker/azure/identity/broker/_browser.py

@@ -88,79 +88,70 @@ def _request_token(self, *scopes: str, **kwargs: Any) -> Dict:
         claims = kwargs.get("claims")
         pop = kwargs.get("pop")
         app = cast(msal.PublicClientApplication, self._get_app(**kwargs))
-        port = self._parsed_url.port if self._parsed_url else None
         auth_scheme = None
         if pop:
             auth_scheme = msal.PopAuthScheme(
                 http_method=pop["resource_request_method"], url=pop["resource_request_url"], nonce=pop["nonce"]
             )
-        if sys.platform.startswith("win") or is_wsl():
-            result = {}
-            if self._use_default_broker_account:
-                try:
-                    result = app.acquire_token_interactive(
-                        scopes=scopes_list,
-                        login_hint=self._login_hint,
-                        claims_challenge=claims,
-                        timeout=self._timeout,
-                        prompt=msal.Prompt.NONE,
-                        port=port,
-                        parent_window_handle=self._parent_window_handle,
-                        enable_msa_passthrough=self._enable_msa_passthrough,
-                        auth_scheme=auth_scheme,
-                    )
-                    if "access_token" in result:
-                        return result
-                except socket.error:
-                    pass
 
+        result = {}
+
+        # Try silent authentication first if use_default_broker_account is enabled.
+        if self._use_default_broker_account:
+            try:
+                result = self._attempt_token_acquisition(app, scopes_list, claims, auth_scheme, msal.Prompt.NONE)
+                if "access_token" in result:
+                    return result
+            except Exception as ex:  # pylint: disable=broad-except
                 if self._disable_interactive_fallback:
-                    self._check_result(result)
+                    raise CredentialUnavailableError(
+                        message="Failed to authenticate user with default broker account."
+                    ) from ex
+
+            # Raise on error if interactive fallback is disabled.
+            if self._disable_interactive_fallback:
+                self._check_result(result)
 
+        # If we reach here, we need to try interactive authentication.
+        if not self._disable_interactive_fallback:
             try:
-                result = app.acquire_token_interactive(
-                    scopes=scopes_list,
-                    login_hint=self._login_hint,
-                    claims_challenge=claims,
-                    timeout=self._timeout,
-                    prompt="select_account",
-                    port=port,
-                    parent_window_handle=self._parent_window_handle,
-                    enable_msa_passthrough=self._enable_msa_passthrough,
-                    auth_scheme=auth_scheme,
+                result = self._attempt_token_acquisition(
+                    app, scopes_list, claims, auth_scheme, msal.Prompt.SELECT_ACCOUNT
                 )
             except socket.error as ex:
                 raise CredentialUnavailableError(message="Couldn't start an HTTP server.") from ex
-
-            self._check_result(result)
-        else:
-            try:
-                result = app.acquire_token_interactive(
-                    scopes=scopes_list,
-                    login_hint=self._login_hint,
-                    claims_challenge=claims,
-                    timeout=self._timeout,
-                    prompt="select_account",
-                    port=port,
-                    parent_window_handle=self._parent_window_handle,
-                    enable_msa_passthrough=self._enable_msa_passthrough,
-                    auth_scheme=auth_scheme,
-                )
-            except Exception:  # pylint: disable=broad-except
-                app = cast(msal.PublicClientApplication, self._disable_broker_on_app(**kwargs))
-                result = app.acquire_token_interactive(
-                    scopes=scopes_list,
-                    login_hint=self._login_hint,
-                    claims_challenge=claims,
-                    timeout=self._timeout,
-                    prompt="select_account",
-                    port=port,
-                    parent_window_handle=self._parent_window_handle,
-                    enable_msa_passthrough=self._enable_msa_passthrough,
-                )
+            except Exception as ex:  # pylint: disable=broad-except
+                # Fallback to non-broker app only on non-Windows/WSL platforms.
+                if not (sys.platform.startswith("win") or is_wsl()):
+                    app = cast(msal.PublicClientApplication, self._disable_broker_on_app(**kwargs))
+                    result = self._attempt_token_acquisition(app, scopes_list, claims, None, msal.Prompt.SELECT_ACCOUNT)
+                else:
+                    raise CredentialUnavailableError(message="Failed to authenticate user with broker account.") from ex
             self._check_result(result)
+
         return result
 
+    def _attempt_token_acquisition(
+        self,
+        app: msal.PublicClientApplication,
+        scopes_list: list,
+        claims: Any,
+        auth_scheme: Any,
+        prompt: str,
+    ) -> Dict:
+        port = self._parsed_url.port if self._parsed_url else None
+        return app.acquire_token_interactive(
+            scopes=scopes_list,
+            login_hint=self._login_hint,
+            claims_challenge=claims,
+            timeout=self._timeout,
+            prompt=prompt,
+            port=port,
+            parent_window_handle=self._parent_window_handle,
+            enable_msa_passthrough=self._enable_msa_passthrough,
+            auth_scheme=auth_scheme,
+        )
+
     def _check_result(self, result: Dict[str, Any]) -> None:
         if "access_token" not in result and "error_description" in result:
             if within_dac.get():

sdk/identity/azure-identity-broker/azure/identity/broker/_version.py

@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-VERSION = "1.3.0b3"
+VERSION = "1.3.0"

sdk/identity/azure-identity-broker/setup.py

@@ -41,7 +41,7 @@
     url="https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity-broker",
     keywords="azure, azure sdk",
     classifiers=[
-        "Development Status :: 4 - Beta",
+        "Development Status :: 5 - Production/Stable",
         "Programming Language :: Python",
         "Programming Language :: Python :: 3 :: Only",
         "Programming Language :: Python :: 3",
@@ -63,6 +63,6 @@
     python_requires=">=3.9",
     install_requires=[
         "azure-identity<2.0.0,>=1.18.0",
-        "msal[broker]>=1.33.0b1,<2",
+        "msal[broker]>=1.33.0,<2",
     ],
 )