Integrate Broker Auth in VS Code Auth Flow. (Azure#45715)

Author: g2vinay

sdk/identity/azure-identity/CHANGELOG.md

@@ -2,8 +2,11 @@
 
 ## 1.17.0-beta.1 (Unreleased)
 
+
 ### Features Added
 
+- **Visual Studio Code Credential** has been re-enabled and now supports **broker authentication** using the Azure account signed in via Visual Studio Code. [#45715](https://github.com/Azure/azure-sdk-for-java/pull/45715)
+
 ### Breaking Changes
 
 #### Behavioral Breaking Changes

sdk/identity/azure-identity/README.md

@@ -162,6 +162,37 @@ public void createDefaultAzureCredentialForIntelliJ() {
 }
 ```
 
+### Authenticate Using Visual Studio Code with `DefaultAzureCredential`
+
+To authenticate using Visual Studio Code, ensure you have signed in through the **Azure Resources** extension. The signed-in user is then picked up automatically by `DefaultAzureCredential` in the Azure SDK for Java.
+
+#### Prerequisites
+
+- [Azure Resources Extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups) is installed in Visual Studio Code.
+- You are signed in using the `Azure: Sign In` command in VS Code.
+- Your project includes the [`azure-identity-borker`](https://search.maven.org/artifact/com.azure/azure-identity-broker) package.
+
+#### Example: Use `DefaultAzureCredential` with Key Vault
+
+The following example demonstrates authenticating the `SecretClient` from the [`azure-security-keyvault-secrets`](https://learn.microsoft.com/java/api/overview/azure/security-keyvault-secrets-readme?view=azure-java-stable) client library using `DefaultAzureCredential`:
+
+```java
+/**
+ * DefaultAzureCredential uses the signed-in user from Visual Studio Code
+ * via the Azure Resources extension.
+ */
+public void createDefaultAzureCredentialForVSCode() {
+    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
+        .build();
+
+    // Azure SDK client builders accept the credential as a parameter
+    SecretClient client = new SecretClientBuilder()
+        .vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
+        .credential(defaultCredential)
+        .buildClient();
+    }
+```
+
 ## Managed Identity support
 
 The [Managed identity authentication](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview) is supported indirectly via `DefaultAzureCredential` or directly via `ManagedIdentityCredential` for the following Azure Services:

sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredentialBuilder.java

@@ -304,6 +304,9 @@ private ArrayList<TokenCredential> getCredentialsChain() {
             output.add(new AzureCliCredential(tenantId, identityClientOptions.clone()));
             output.add(new AzurePowerShellCredential(tenantId, identityClientOptions.clone()));
             output.add(new AzureDeveloperCliCredential(tenantId, identityClientOptions.clone()));
+            if (IdentityUtil.isVsCodeBrokerAuthAvailable()) {
+                output.add(new VisualStudioCodeCredential(tenantId, identityClientOptions.clone()));
+            }
         }
 
         return output;

sdk/identity/azure-identity/src/main/java/com/azure/identity/VisualStudioCodeCredential.java

@@ -6,47 +6,40 @@
 import com.azure.core.credential.AccessToken;
 import com.azure.core.credential.TokenCredential;
 import com.azure.core.credential.TokenRequestContext;
-import com.azure.core.exception.ClientAuthenticationException;
 import com.azure.core.util.CoreUtils;
 import com.azure.core.util.logging.ClientLogger;
-import com.azure.identity.implementation.IdentityClient;
-import com.azure.identity.implementation.IdentityClientBuilder;
 import com.azure.identity.implementation.IdentityClientOptions;
-import com.azure.identity.implementation.MsalToken;
-import com.azure.identity.implementation.VisualStudioCacheAccessor;
 import com.azure.identity.implementation.util.LoggingUtil;
 import reactor.core.publisher.Mono;
 
-import java.util.Map;
-import java.util.concurrent.atomic.AtomicReference;
+import static com.azure.identity.implementation.util.IdentityUtil.isVsCodeBrokerAuthAvailable;
+import static com.azure.identity.implementation.util.IdentityUtil.loadVSCodeAuthRecord;
 
 /**
- * <p>Enables authentication to Microsoft Entra ID as the user signed in to Visual Studio Code via
- * the 'Azure Account' extension.</p>
+ * Enables authentication to Microsoft Entra ID using the user account signed in through the
+ * <a href="https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups">
+ * Azure Resources</a> extension in Visual Studio Code.
  *
- * <p>It's a <a href="https://github.com/Azure/azure-sdk-for-java/issues/27364">known issue</a> that this credential
- * doesn't work with <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account">Azure
- * Account extension</a> versions newer than <strong>0.9.11</strong>. A long-term fix to this problem is in progress.
- * In the meantime, consider authenticating with {@link AzureCliCredential}.</p>
+ * <p><b>Prerequisites:</b></p>
+ * <ol>
+ *   <li>Install the
+ *     <a href="https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups">
+ *     Azure Resources</a> extension in Visual Studio Code and sign in using the <b>Azure: Sign In</b> command.</li>
+ *   <li>Add the
+ *     <a href="https://central.sonatype.com/artifact/com.azure/azure-identity-broker">
+ *     azure-identity-broker</a> dependency to your project's build configuration.</li>
+ * </ol>
  *
  * @see com.azure.identity
  * @see VisualStudioCodeCredentialBuilder
- *
- * @deprecated This credential is deprecated because the VS Code Azure Account extension on which this credential
- * relies has been deprecated. Users should use other dev-time credentials, such as {@link AzureCliCredential},
- * {@link AzureDeveloperCliCredential}, {@link AzurePowerShellCredential} or {@link IntelliJCredential} for their
- * local development needs. See <a href="https://github.com/microsoft/vscode-azure-account/issues/964">this issue</a>
- * for Azure Account extension deprecation notice.
  */
-@Deprecated
 public class VisualStudioCodeCredential implements TokenCredential {
-    private final IdentityClient identityClient;
-    private final AtomicReference<MsalToken> cachedToken;
-    private final String cloudInstance;
     private static final ClientLogger LOGGER = new ClientLogger(VisualStudioCodeCredential.class);
-
-    private static final String TROUBLESHOOTING
-        = "VisualStudioCodeCredential is affected by known issues. See https://aka.ms/azsdk/java/identity/troubleshoot#troubleshoot-visualstudiocodecredential-authentication-issues for more information.";
+    private static final String VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56";
+    private static final String BROKER_BUILDER_CLASS
+        = "com.azure.identity.broker.InteractiveBrowserBrokerCredentialBuilder";
+    private final IdentityClientOptions clientOptions;
+    private final String tenant;
 
     /**
      * Creates a public class VisualStudioCodeCredential implements TokenCredential with the given tenant and
@@ -56,60 +49,57 @@ public class VisualStudioCodeCredential implements TokenCredential {
      * @param identityClientOptions the options for configuring the identity client
      */
     VisualStudioCodeCredential(String tenantId, IdentityClientOptions identityClientOptions) {
-
-        IdentityClientOptions options
-            = (identityClientOptions == null ? new IdentityClientOptions() : identityClientOptions);
-        String tenant;
-
-        VisualStudioCacheAccessor accessor = new VisualStudioCacheAccessor();
-        Map<String, String> userSettings = accessor.getUserSettingsDetails();
-
-        cloudInstance = userSettings.get("cloud");
-        if (CoreUtils.isNullOrEmpty(options.getAuthorityHost())) {
-            options.setAuthorityHost(accessor.getAzureAuthHost(cloudInstance));
-        }
+        clientOptions = (identityClientOptions == null ? new IdentityClientOptions() : identityClientOptions);
 
         if (!CoreUtils.isNullOrEmpty(tenantId)) {
             tenant = tenantId;
         } else {
-            tenant = userSettings.getOrDefault("tenant", "common");
+            tenant = null;
         }
-
-        identityClient = new IdentityClientBuilder().tenantId(tenant)
-            .clientId("aebc6443-996d-45c2-90f0-388ff96faa56")
-            .identityClientOptions(options)
-            .build();
-
-        this.cachedToken = new AtomicReference<>();
     }
 
     @Override
     public Mono<AccessToken> getToken(TokenRequestContext request) {
         return Mono.defer(() -> {
-            if (cachedToken.get() != null) {
-                return identityClient.authenticateWithPublicClientCache(request, cachedToken.get().getAccount())
-                    .onErrorResume(t -> Mono.empty());
+            TokenCredential brokerAuthCredential = getBrokerAuthCredential(VSCODE_CLIENT_ID);
+            if (brokerAuthCredential != null) {
+                return brokerAuthCredential.getToken(request);
             } else {
-                return Mono.empty();
+                return Mono
+                    .error(new CredentialUnavailableException("Visual Studio Code Authentication is not available."
+                        + " Ensure you have azure-identity-broker dependency added to your application."
+                        + " Then ensure, you have signed into Azure via VS Code and have Azure Resources Extension installed in VS Code."));
             }
-        })
-            .switchIfEmpty(Mono.defer(() -> identityClient.authenticateWithVsCodeCredential(request, cloudInstance)))
-            .map(msalToken -> {
-                cachedToken.set(msalToken);
-                return (AccessToken) msalToken;
-            })
-            .doOnNext(token -> LoggingUtil.logTokenSuccess(LOGGER, request))
-            .doOnError(error -> {
-                Throwable other = null;
-                if (error instanceof CredentialUnavailableException) {
-                    other = new CredentialUnavailableException(TROUBLESHOOTING, error);
+        }).doOnNext(token -> LoggingUtil.logTokenSuccess(LOGGER, request)).doOnError(error -> {
+            LoggingUtil.logTokenError(LOGGER, clientOptions, request, error);
+        });
+    }
 
-                } else if (error instanceof ClientAuthenticationException) {
-                    other = new ClientAuthenticationException(TROUBLESHOOTING, null, error);
-                } else {
-                    other = error;
-                }
-                LoggingUtil.logTokenError(LOGGER, identityClient.getIdentityClientOptions(), request, other);
-            });
+    TokenCredential getBrokerAuthCredential(String clientId) {
+        if (!isVsCodeBrokerAuthAvailable()) {
+            return null;
+        }
+        try {
+            Class<?> builderClass = Class.forName(BROKER_BUILDER_CLASS);
+            Object builder = builderClass.getConstructor().newInstance();
+            AuthenticationRecord authenticationRecord = loadVSCodeAuthRecord();
+            builderClass.getMethod("setWindowHandle", long.class).invoke(builder, 0);
+            InteractiveBrowserCredentialBuilder browserCredentialBuilder
+                = (InteractiveBrowserCredentialBuilder) builder;
+            browserCredentialBuilder.clientId(clientId);
+            browserCredentialBuilder.authenticationRecord(authenticationRecord);
+            if (CoreUtils.isNullOrEmpty(tenant)) {
+                builderClass.getMethod("tenantId", String.class).invoke(builder, authenticationRecord.getTenantId());
+            } else {
+                builderClass.getMethod("tenantId", String.class).invoke(builder, tenant);
+            }
+            return browserCredentialBuilder.build();
+        } catch (ClassNotFoundException e) {
+            // Broker not on classpath
+            return null;
+        } catch (Exception e) {
+            throw LOGGER.logExceptionAsError(
+                new CredentialUnavailableException("Failed to create VisualStudioCodeCredential dynamically", e));
+        }
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/VisualStudioCodeCredentialBuilder.java

@@ -13,20 +13,23 @@
 /**
  * Fluent credential builder for instantiating a {@link VisualStudioCodeCredential}.
  *
- * <p>It's a <a href="https://github.com/Azure/azure-sdk-for-java/issues/27364">known issue</a> that this credential
- * doesn't work with <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account">Azure
- * Account extension</a> versions newer than <strong>0.9.11</strong>. A long-term fix to this problem is in progress.
- * In the meantime, consider authenticating with {@link AzureCliCredential}.</p>
+ * Enables authentication to Microsoft Entra ID using the user account signed in through the
+ * <a href="https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups">
+ * Azure Resources</a> extension in Visual Studio Code.
+ *
+ * <p><b>Prerequisites:</b></p>
+ * <ol>
+ *   <li>Install the
+ *     <a href="https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups">
+ *     Azure Resources</a> extension in Visual Studio Code and sign in using the <b>Azure: Sign In</b> command.</li>
+ *   <li>Add the
+ *     <a href="https://central.sonatype.com/artifact/com.azure/azure-identity-broker">
+ *     azure-identity-broker</a> dependency to your project's build configuration.</li>
+ * </ol>
  *
  * @see VisualStudioCodeCredential
  *
- * @deprecated This credential is deprecated because the VS Code Azure Account extension on which this credential
- * relies has been deprecated. Users should use other dev-time credentials, such as {@link AzureCliCredential},
- * {@link AzureDeveloperCliCredential}, {@link AzurePowerShellCredential} or {@link IntelliJCredential} for their
- * local development needs. See <a href="https://github.com/microsoft/vscode-azure-account/issues/964">this issue</a>
- * for Azure Account extension deprecation notice.
  */
-@Deprecated
 public class VisualStudioCodeCredentialBuilder extends CredentialBuilderBase<VisualStudioCodeCredentialBuilder> {
     private static final ClientLogger LOGGER = new ClientLogger(VisualStudioCodeCredentialBuilder.class);
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -819,7 +819,8 @@ public Mono<MsalToken> authenticateWithBrowserInteraction(TokenRequestContext re
         // a null account to MSAL. If that fails, show the dialog.
 
         return getPublicClientInstance(request).getValue().flatMap(pc -> {
-            if (options.isBrokerEnabled() && options.useDefaultBrokerAccount()) {
+            if (options.isBrokerEnabled()
+                && (options.useDefaultBrokerAccount() || options.getAuthenticationRecord() != null)) {
                 return Mono.fromFuture(() -> acquireTokenFromPublicClientSilently(request, pc, null, false))
                     // The error case here represents the silent acquisition failing. There's nothing actionable and
                     // in this case the fallback path of showing the dialog will capture any meaningful error and share it.

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentitySyncClient.java

@@ -323,7 +323,8 @@ public MsalToken authenticateWithBrowserInteraction(TokenRequestContext request,
         // If the broker is enabled, try to get the token for the default account by passing
         // a null account to MSAL. If that fails, show the dialog.
         MsalToken token = null;
-        if (options.isBrokerEnabled() && options.useDefaultBrokerAccount()) {
+        if (options.isBrokerEnabled()
+            && (options.useDefaultBrokerAccount() || options.getAuthenticationRecord() != null)) {
             try {
                 token = acquireTokenFromPublicClientSilently(request, pc, null, false);
             } catch (Exception e) {

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/util/IdentityUtil.java

@@ -9,6 +9,7 @@
 import com.azure.core.util.Configuration;
 import com.azure.core.util.CoreUtils;
 import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.AuthenticationRecord;
 import com.azure.identity.BrowserCustomizationOptions;
 import com.azure.identity.implementation.IdentityClientOptions;
 import com.azure.json.JsonProviders;
@@ -20,12 +21,17 @@
 import java.io.InputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
 public final class IdentityUtil {
+    public static final Path VSCODE_AUTH_RECORD_PATH = Paths.get(System.getProperty("user.home"), ".azure",
+        "ms-azuretools.vscode-azureresourcegroups", "authRecord.json");
     private static final ClientLogger LOGGER = new ClientLogger(IdentityUtil.class);
     public static final String AZURE_ADDITIONALLY_ALLOWED_TENANTS = "AZURE_ADDITIONALLY_ALLOWED_TENANTS";
     public static final String ALL_TENANTS = "*";
@@ -171,4 +177,30 @@ public static boolean isWindowsPlatform() {
     public static boolean isLinuxPlatform() {
         return System.getProperty("os.name").contains("Linux");
     }
+
+    public static boolean isVsCodeBrokerAuthAvailable() {
+        try {
+            // 1. Check if Broker dependency is available
+            Class.forName("com.azure.identity.broker.InteractiveBrowserBrokerCredentialBuilder");
+
+            // 2. Check if VS Code broker auth record file exists
+            File authRecordFile = VSCODE_AUTH_RECORD_PATH.toFile();
+
+            return authRecordFile.exists() && authRecordFile.isFile();
+        } catch (ClassNotFoundException e) {
+            return false; // Broker not present
+        }
+    }
+
+    public static AuthenticationRecord loadVSCodeAuthRecord() throws IOException {
+        // Resolve the full path to authRecord.json
+        File file = VSCODE_AUTH_RECORD_PATH.toFile();
+        if (!file.exists()) {
+            return null;
+        }
+        // Read file content
+        InputStream json = Files.newInputStream(VSCODE_AUTH_RECORD_PATH);
+        // Deserialize to AuthenticationRecord
+        return AuthenticationRecord.deserialize(json);
+    }
 }

sdk/identity/azure-identity/src/test/java/com/azure/identity/VisualStudioCodeCredentialTest.java

@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.credential.TokenRequestContext;
+import org.junit.jupiter.api.Test;
+import reactor.test.StepVerifier;
+
+public class VisualStudioCodeCredentialTest {
+    @Test
+    public void testInValidStateVsCode() {
+        // setup
+        TokenRequestContext request
+            = new TokenRequestContext().addScopes("https://vault.azure.net/.default").setTenantId("newTenant");
+
+        VisualStudioCodeCredential credential = new VisualStudioCodeCredentialBuilder().tenantId("tenant").build();
+        StepVerifier.create(credential.getToken(request))
+            .expectErrorMatches(e -> e instanceof CredentialUnavailableException
+                && (e.getMessage().startsWith("Visual Studio Code Authentication is not available. Ensure you have")))
+            .verify();
+    }
+
+}