
Add federated credential support for Azure DevOps MCP #714

@Juliehzl


Summary

Implement support for federated application credential authentication using managed identity for Azure DevOps MCP Server. This enhancement allows users to authenticate using a managed identity's access token as a client assertion, providing a more secure and scalable authentication method for Azure-hosted scenarios. Using a User-Assigned Managed Identity with Federated Identity Credentials (FIC) configured to an App Registration in the same production tenant to access Azure DevOps is the recommended approach according to https://eng.ms/docs/more/engineering-tenant-esme/tsgs/app-migration.

Problem

Currently, the Azure DevOps MCP Server supports environment variable tokens, Azure CLI authentication, and interactive OAuth authentication. However, there's no support for federated application credentials with managed identity, which is a recommended pattern for Azure-hosted applications that need to authenticate to Azure DevOps without storing long-lived secrets.

Solution

Add a new FederatedApplicationCredential class that implements the TokenCredential interface from @azure/identity, following the official guide at https://dev.azure.com/mseng/AzureDevOps/_wiki/wikis/AzureDevOps.wiki/38147/SPs-Federated-Credentials. This class:

  • Uses a managed identity to obtain an exchange token for the api://AzureADTokenExchange/.default scope
  • Uses this exchange token as a client assertion for a ClientAssertionCredential
  • Integrates seamlessly with the existing createAuthenticator function

How to use

The implementation checks for these environment variables to determine when to use federated credentials:

  • AZURE_FEDERATED_TENANT_ID: Azure tenant ID (can be overridden by parameter)
  • AZURE_MSI_CLIENT_ID: Managed identity client ID
  • AZURE_APP_CLIENT_ID: Application client ID for the target application
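The flow described above, as an added example (not the PR's or the project's own code): the class wraps a managed-identity credential and a client-assertion credential, both injected behind minimal interfaces mirroring @azure/identity's TokenCredential so the block runs offline. In the server you would pass `new ManagedIdentityCredential({ clientId })` and `(get) => new ClientAssertionCredential(tenantId, appClientId, get)` from @azure/identity; the env-variable check and the scope names come from the description above.

```typescript
// Minimal shapes mirroring @azure/identity's AccessToken/TokenCredential so the
// example needs no package; in the real server import the real types instead.
interface AccessToken { token: string; expiresOnTimestamp: number; }
interface TokenCredential {
  getToken(scopes: string | string[]): Promise<AccessToken | null>;
}

// Scope of the exchange token the managed identity requests (from the PR).
export const EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default";

export interface FederatedConfig { tenantId: string; msiClientId: string; appClientId: string; }

// Federated auth is selected only when all three variables are present;
// AZURE_FEDERATED_TENANT_ID may be overridden by an explicit parameter.
export function federatedConfigFromEnv(
  env: Record<string, string | undefined>, tenantIdOverride?: string,
): FederatedConfig | null {
  const tenantId = tenantIdOverride ?? env.AZURE_FEDERATED_TENANT_ID;
  const msiClientId = env.AZURE_MSI_CLIENT_ID;
  const appClientId = env.AZURE_APP_CLIENT_ID;
  if (!tenantId || !msiClientId || !appClientId) return null;
  return { tenantId, msiClientId, appClientId };
}

export class FederatedApplicationCredential implements TokenCredential {
  private readonly inner: TokenCredential;

  // managedIdentity: the user-assigned MSI credential (ManagedIdentityCredential).
  // makeAssertionCredential: builds the ClientAssertionCredential for the app
  // registration, given the callback that supplies the assertion.
  constructor(
    private readonly managedIdentity: TokenCredential,
    makeAssertionCredential: (getAssertion: () => Promise<string>) => TokenCredential,
  ) {
    this.inner = makeAssertionCredential(() => this.getAssertion());
  }

  // Invoked by the assertion credential whenever it needs a client assertion:
  // the MSI's exchange token *is* the assertion, so no secret is ever stored.
  private async getAssertion(): Promise<string> {
    const exchange = await this.managedIdentity.getToken(EXCHANGE_SCOPE);
    if (!exchange) throw new Error(`managed identity returned no token for ${EXCHANGE_SCOPE}`);
    return exchange.token;
  }

  // Token for the target resource (e.g. Azure DevOps), minted via the assertion.
  getToken(scopes: string | string[]): Promise<AccessToken | null> {
    return this.inner.getToken(scopes);
  }
}
```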
