feat: support MFA enforcement for CLI (#14626)

* feat: support mfa setup flow for 401 in vsc atk

* feat: display friendly msg for cli since cli doesnt support mfa enforcement yet

* feat: block users for vs atk since vs doesnt support mfa enforcement yet

* feat: adapt interface to support mfa enforcement for cli

* feat: support clamis-challenge parameter

* feat: pass claims challenge in interactive flow

* fix: ut

* test: add ut to fix code coverage

* fix: alert

Author: HuihuiWu-Microsoft

packages/api/src/utils/login.ts

@@ -2,7 +2,7 @@
 // Licensed under the MIT license.
 "use strict";
 
-import { TokenCredential } from "@azure/core-auth";
+import { AccessToken } from "@azure/core-auth";
 import { ok, Result } from "neverthrow";
 import { FxError } from "../error";
 
@@ -57,6 +57,19 @@ export type AzureCredential =
       certificatePath: string;
     };
 
+export interface ITeamsFxTokenCredential {
+  /**
+   * Gets the token provided by this credential.
+   *
+   * @param scopes - The list of scopes for which the token will have access. wwwAuthenticate is passed to handle 401 error due to MFA enforcement
+   * @param options - The options used to configure any requests this TokenCredential implementation might make.
+   */
+  getToken(
+    scopes: string | string[] | AuthenticationWWWAuthenticateRequest,
+    options?: any
+  ): Promise<AccessToken | null>;
+}
+
 export interface AuthenticationWWWAuthenticateRequest {
   /**
    * The raw WWW-Authenticate header value that triggered this challenge.
@@ -69,7 +82,7 @@ export interface AuthenticationWWWAuthenticateRequest {
    * Optional scopes for the session. If not provided, the authentication provider
    * may use default scopes or extract them from the challenge.
    */
-  readonly scopes?: readonly string[];
+  readonly scopes?: string[];
 }
 
 /**
@@ -84,14 +97,14 @@ export interface AzureAccountProvider {
   getIdentityCredentialAsync(
     showDialog?: boolean,
     authenticationSessionRequest?: AuthenticationWWWAuthenticateRequest
-  ): Promise<TokenCredential | undefined>;
+  ): Promise<ITeamsFxTokenCredential | undefined>;
 
   /**
    * To support credential per action feature, caller can specify credential info for on demand
    * This method will be optional until V3 first release, after that it will be changed to required
    * @param credential
    */
-  getIdentityCredential?(credential: AzureCredential): Promise<TokenCredential | undefined>;
+  getIdentityCredential?(credential: AzureCredential): Promise<ITeamsFxTokenCredential | undefined>;
 
   /**
    * Azure sign out
@@ -101,7 +114,7 @@ export interface AzureAccountProvider {
    * Switch to specified tenant for current user account
    * @param tenantId id of tenant that user wants to switch to
    */
-  switchTenant(tenantId: string): Promise<Result<TokenCredential, FxError>>;
+  switchTenant(tenantId: string): Promise<Result<ITeamsFxTokenCredential, FxError>>;
   /**
    * Add update account info callback
    * @param name callback name

packages/cli/src/commands/models/accountLoginAzure.ts

@@ -43,6 +43,12 @@ export const accountLoginAzureCommand: CLICommand = {
       type: "string",
       default: "",
     },
+    {
+      name: "claims-challenge",
+      description: commands["auth.login.azure"].options["claims-challenge"],
+      type: "string",
+      default: "",
+    },
   ],
   examples: [
     {
@@ -75,7 +81,8 @@ export const accountLoginAzureCommand: CLICommand = {
       args.tenant as string,
       isSP,
       args.username as string,
-      args.password as string
+      args.password as string,
+      args["claims-challenge"] as string
     );
     return ok(undefined);
   },

packages/cli/src/commands/models/accountShow.ts

@@ -75,14 +75,15 @@ class AccountUtils {
     tenantId = "",
     isServicePrincipal = false,
     userName = "",
-    password = ""
+    password = "",
+    claimsChallenge = ""
   ): Promise<boolean> {
     let azureProvider = getAzureProvider();
     if (isServicePrincipal === true || (await AzureTokenCIProvider.load())) {
       await AzureTokenCIProvider.init(userName, password, tenantId);
       azureProvider = AzureTokenCIProvider;
     }
-    const result = await azureProvider.getJsonObject(true, tenantId);
+    const result = await azureProvider.getJsonObject(true, tenantId, claimsChallenge);
     if (result) {
       if (tenantId) {
         await azureProvider.switchTenant(tenantId);

packages/cli/src/commonlib/azureLogin.ts

@@ -11,6 +11,7 @@ import {
   AzureAccountProvider,
   ConfigFolderName,
   FxError,
+  ITeamsFxTokenCredential,
   LogLevel as LLevel,
   ok,
   OptionItem,
@@ -66,6 +67,7 @@ function getConfig(tenantId?: string) {
     auth: {
       clientId: "7ea7c24c-b1f6-4a20-9d11-9ae12e9e7ac0",
       authority: authority,
+      clientCapabilities: ["CP1"],
     },
     system: {
       loggerOptions: {
@@ -89,7 +91,7 @@ function getConfig(tenantId?: string) {
 // @ts-ignore
 const memoryDictionary: { [tenantId: string]: MemoryCache } = {};
 
-class TeamsFxTokenCredential implements TokenCredential {
+class TeamsFxTokenCredential implements ITeamsFxTokenCredential {
   private codeFlowInstance: CodeFlowLogin;
   private tenantId: string;
 
@@ -103,17 +105,11 @@ class TeamsFxTokenCredential implements TokenCredential {
   }
 
   async getToken(
-    scopes: string | string[],
-    options?: GetTokenOptions | undefined
+    scopes: string | string[] | AuthenticationWWWAuthenticateRequest,
+    options?: any
   ): Promise<AccessToken | null> {
-    let myScopes: string[] = [];
-    if (typeof scopes === "string") {
-      myScopes = [scopes];
-    } else {
-      myScopes = scopes;
-    }
     const tokenRes: Result<string, FxError> = await this.codeFlowInstance.getTokenByScopes(
-      myScopes,
+      scopes,
       true,
       this.tenantId
     );
@@ -180,14 +176,19 @@ export class AzureAccountManager extends login implements AzureAccountProvider {
   getIdentityCredentialAsync(
     showDialog = true,
     authenticationSessionRequest?: AuthenticationWWWAuthenticateRequest
-  ): Promise<TokenCredential | undefined> {
+  ): Promise<TeamsFxTokenCredential | undefined> {
     if (authenticationSessionRequest && authenticationSessionRequest.wwwAuthenticate) {
+      const claimsChallenge = parseChallenges(authenticationSessionRequest.wwwAuthenticate).claims;
+      CLILogProvider.necessaryLog(
+        LLevel.Warning,
+        `Run the command below to authenticate interactively; additional arguments may be added as needed:\n atk auth login --claims-challenge ${claimsChallenge}`
+      );
       throw new MFARequiredError(cliSource);
     }
     return Promise.resolve(AzureAccountManager.teamsFxTokenCredential);
   }
 
-  async switchTenant(tenantId: string): Promise<Result<TokenCredential, FxError>> {
+  async switchTenant(tenantId: string): Promise<Result<TeamsFxTokenCredential, FxError>> {
     await saveTenantId(accountName, tenantId);
     return Promise.resolve(ok(AzureAccountManager.teamsFxTokenCredential));
   }
@@ -254,10 +255,11 @@ export class AzureAccountManager extends login implements AzureAccountProvider {
 
   async getJsonObject(
     showDialog = true,
-    tenantId?: string
+    tenantId?: string,
+    claimsChallenge?: string
   ): Promise<Record<string, unknown> | undefined> {
     const token = await AzureAccountManager.codeFlowInstance.getTokenByScopes(
-      AzureScopes,
+      claimsChallenge ? { scopes: AzureScopes, wwwAuthenticate: claimsChallenge } : AzureScopes,
       true,
       tenantId
     );
@@ -564,6 +566,7 @@ async function listAll<T>(
 import AzureLoginCI from "./azureLoginCI";
 import AzureAccountProviderUserPassword from "./azureLoginUserPassword";
 import { cliSource } from "../constants";
+import { parseChallenges } from "./common/utils";
 
 // todo delete ciEnabled
 const azureLogin = !ui.interactive

packages/cli/src/commonlib/azureLoginCI.ts

@@ -17,6 +17,7 @@ import {
   SubscriptionInfo,
   signedIn,
   signedOut,
+  ITeamsFxTokenCredential,
 } from "@microsoft/teamsfx-api";
 import { LoginStatus, login } from "./common/login";
 
@@ -32,7 +33,7 @@ import { ConvertTokenToJson } from "./codeFlowLogin";
  * Prepare for service principal login, not fully implemented
  */
 export class AzureAccountManager extends login implements AzureAccountProvider {
-  static tokenCredential: TokenCredential;
+  static tokenCredential: ITeamsFxTokenCredential;
 
   private static subscriptionId: string | undefined;
 
@@ -91,7 +92,7 @@ export class AzureAccountManager extends login implements AzureAccountProvider {
     return false;
   }
 
-  async getIdentityCredentialAsync(): Promise<TokenCredential | undefined> {
+  async getIdentityCredentialAsync(): Promise<ITeamsFxTokenCredential | undefined> {
     await this.load();
     if (AzureAccountManager.tokenCredential == undefined) {
       if (await fs.pathExists(AzureAccountManager.secret)) {
@@ -125,7 +126,7 @@ export class AzureAccountManager extends login implements AzureAccountProvider {
     return true;
   }
 
-  switchTenant(tenantId: string): Promise<Result<TokenCredential, FxError>> {
+  switchTenant(tenantId: string): Promise<Result<ITeamsFxTokenCredential, FxError>> {
     return Promise.resolve(ok(AzureAccountManager.tokenCredential));
   }
 

packages/cli/src/commonlib/codeFlowLogin.ts

@@ -2,7 +2,16 @@
 // Licensed under the MIT license.
 
 import { AccountInfo, Configuration, PublicClientApplication, TokenCache } from "@azure/msal-node";
-import { FxError, LogLevel, Result, SystemError, UserError, err, ok } from "@microsoft/teamsfx-api";
+import {
+  AuthenticationWWWAuthenticateRequest,
+  FxError,
+  LogLevel,
+  Result,
+  SystemError,
+  UserError,
+  err,
+  ok,
+} from "@microsoft/teamsfx-api";
 import { Mutex } from "async-mutex";
 import * as crypto from "crypto";
 import express from "express";
@@ -28,15 +37,9 @@ import {
   saveAccountId,
   saveTenantId,
 } from "./cacheAccess";
-import {
-  MFACode,
-  azureLoginMessage,
-  env,
-  m365LoginMessage,
-  sendFileTimeout,
-} from "./common/constant";
+import { azureLoginMessage, env, m365LoginMessage, sendFileTimeout } from "./common/constant";
 import CliCodeLogInstance from "./log";
-import { featureFlagManager, FeatureFlags } from "@microsoft/teamsfx-core";
+import { decodeClaimsChallenge } from "./common/utils";
 
 export class ErrorMessage {
   static readonly loginFailureTitle = "LoginFail";
@@ -106,10 +109,22 @@ export class CodeFlowLogin {
     }
   }
 
-  async login(scopes: Array<string>, tenantId?: string): Promise<string> {
+  async login(
+    requestScopes: Array<string> | AuthenticationWWWAuthenticateRequest,
+    tenantId?: string
+  ): Promise<string> {
     CliTelemetry.sendTelemetryEvent(TelemetryEvent.AccountLoginStart, {
       [TelemetryProperty.AccountType]: this.accountName,
     });
+    let scopes: string[];
+    let claim = undefined;
+    if (typeof requestScopes === "object" && "wwwAuthenticate" in requestScopes) {
+      scopes = requestScopes.scopes ?? [];
+      claim = decodeClaimsChallenge(requestScopes.wwwAuthenticate);
+    } else {
+      scopes = requestScopes;
+    }
+
     const codeVerifier = CodeFlowLogin.toBase64UrlEncoding(
       crypto.randomBytes(32).toString("base64")
     );
@@ -143,6 +158,7 @@ export class CodeFlowLogin {
       redirectUri: `http://localhost:${serverPort}`,
       prompt: "select_account",
       authority: authority,
+      claims: claim,
     };
 
     let deferredRedirect: Deferred<string>;
@@ -265,7 +281,7 @@ export class CodeFlowLogin {
   }
 
   async getTokenByScopes(
-    scopes: Array<string>,
+    scopes: string | string[] | AuthenticationWWWAuthenticateRequest,
     refresh = true,
     tenantId?: string
   ): Promise<Result<string, FxError>> {
@@ -276,10 +292,23 @@ export class CodeFlowLogin {
     if (!tenantId) {
       tenantId = await loadTenantId(this.accountName);
     }
+
     if (!this.account) {
-      const accessToken = await this.login(scopes, tenantId);
+      const accessToken = await this.login(
+        typeof scopes === "string" ? [scopes] : scopes,
+        tenantId
+      );
       return ok(accessToken);
     } else {
+      let myScopes: string[] = [];
+      if (typeof scopes === "string") {
+        myScopes = [scopes];
+      } else if (typeof scopes === "object" && "wwwAuthenticate" in scopes) {
+        myScopes = (scopes as AuthenticationWWWAuthenticateRequest).scopes ?? [];
+      } else {
+        myScopes = scopes;
+      }
+
       let tenantedAccount: AccountInfo | undefined = undefined;
       if (tenantId) {
         const allAccounts = await this.msalTokenCache.getAllAccounts();
@@ -289,7 +318,7 @@ export class CodeFlowLogin {
       try {
         const res = await this.pca.acquireTokenSilent({
           account: this.account,
-          scopes: scopes,
+          scopes: myScopes,
           forceRefresh: tenantedAccount ? false : true,
           authority: tenantId
             ? env.activeDirectoryEndpointUrl + tenantId
@@ -313,7 +342,7 @@ export class CodeFlowLogin {
         }
         await this.logout();
         if (refresh) {
-          const accessToken = await this.login(scopes, tenantId);
+          const accessToken = await this.login(myScopes, tenantId);
           return ok(accessToken);
         }
         return err(LoginCodeFlowError(error));

packages/cli/src/commonlib/common/utils.ts

@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+export function parseChallenges(header: string) {
+  const schemeSeparator = header.indexOf(" ");
+  const challenges = header.substring(schemeSeparator + 1).split(",");
+  const challengeMap: { [key: string]: string } = {};
+
+  challenges.forEach((challenge) => {
+    const [key, value] = challenge.split("=");
+    challengeMap[key.trim()] = decodeURI(value.replace(/['"]+/g, ""));
+  });
+  return challengeMap;
+}
+
+export function decodeClaimsChallenge(encodedClaims: string): string | undefined {
+  try {
+    return Buffer.from(encodedClaims, "base64").toString("utf8");
+  } catch (e) {}
+  return undefined;
+}

packages/cli/src/resource/commands.json

@@ -28,7 +28,8 @@
       "tenant": "Authenticate with a specific Microsoft Entra tenant.",
       "service-principal": "Authenticate Azure with a credential representing a service principal",
       "username": "Client ID for service principal",
-      "password": "Provide client secret or a pem file with key and public certificate."
+      "password": "Provide client secret or a pem file with key and public certificate.",
+      "claims-challenge": "Base64-encoded claims challenge requested by a resource API in the WWW-Authenticate header."
     }
   },
   "auth.login.m365": {