Azure / azure-cli

Azure Command-Line Interface
MIT License

Enable token encryption when running on Linux #23495

Open NileshGhodekar opened 2 years ago

NileshGhodekar commented 2 years ago

Related command

az login

Is your feature request related to a problem? Please describe.

Azure CLI has not yet enabled token encryption when running on Linux, even though MSAL has now implemented support for this.

Describe the solution you'd like

Azure CLI should store the token cache encrypted instead of in plaintext on Linux.

Describe alternatives you've considered

The current solution is to depend on the 600 file permissions set by the CLI on the token cache file. However, encrypting it as well will improve the security posture.

Additional context

This is essentially the follow up on thread https://github.com/AzureAD/microsoft-authentication-extensions-for-python/issues/106

yonzhan commented 2 years ago

@jiasli for awareness

jiasli commented 1 year ago

Enabling token encryption on Linux is a truly complex topic. We previously discussed this topic heavily with MSAL owner @rayluo. The packaging on Linux is very challenging. In short:

  1. Encryption on Linux is done via PyGObject which requires GUI.
  2. As our build pipeline uses docker containers without GUI, installing PyGObject itself is complex in containers without GUI.
  3. Even if we can build the packages successfully, installing the underlying GUI binary dependencies on user’s machine can be very complex and platform dependent - Debian, Ubuntu, Fedora, CentOS Stream, RHEL, etc.
  4. Installing a whole GUI environment will significantly increase the size of Azure CLI installation, which is already pretty big (https://github.com/Azure/azure-cli/issues/7387).

Enabling token encryption on MacOS was attempted in https://github.com/Azure/azure-cli/pull/20636, but didn't finish.

rayluo commented 1 year ago

The encryption is provided by MSAL EXtensions.

  1. Encryption on Linux is done via PyGObject which requires GUI.

I am not entirely sure about that one. As mentioned in the Q&A at the bottom of this MSAL EX wiki page, we have been able to get rid of the dependency of GTK, although we currently still install libcairo which is a graphic library. Bottom line, we were able to wrap the MSAL EX into a docker image for our unit testing. Does a docker container count as a non-GUI environment?

Perhaps we can try a proof-of-concept Azure CLI docker image built on top of MSAL EX image.

jiasli commented 1 year ago

Linux is a little bit different from Windows.

As explained in https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/Encryption-on-Linux

Encryption on Linux is available by using libsecret to connect to secret service running on your Linux machine.

Secret service is only available when running in a desktop environment. It won't be available when remotely connected to a Linux machine, such as via an SSH connection.

Plain-text fallback would be the only option here. That is probably OK, because if the remote machine you are SSHing into is a backend server, it is by definition a "confidential client" in OAuth2 terminology; it is considered a secure and safe environment that can store secrets.
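As an added example (not Azure CLI or MSAL Extensions code), the following Python models the two points made in this thread: try an encrypted token-cache backend and fall back to a plain-text file when it cannot be used (no PyGObject/libsecret bindings, or no Secret Service reachable, as over SSH), and on that fallback path audit the cache file, since the 0600 mode is then the only protection. The `PlaintextFilePersistence` class, `likely_has_secret_service` heuristic and `audit_cache_file` check are constructed for this example; `msal_extensions` is assumed to be installed only for the real encrypted backend, and everything else runs stand-alone.

```python
"""Added example, not Azure CLI or MSAL Extensions code.

Try an encrypted token-cache backend, fall back to a plain-text file when
encryption is unavailable, and audit the plain-text file's permissions, which
are the only protection left on the fallback path.
"""
import os
import stat
from typing import Callable, List, Mapping, Tuple

PLAINTEXT_MODE = 0o600  # the mode the CLI puts on its plain-text cache (per the issue)


def likely_has_secret_service(env: Mapping[str, str]) -> bool:
    """Heuristic (an assumption, not an MSAL check): the Secret Service lives on
    the D-Bus *session* bus, so without a session bus address (typical for SSH
    logins and containers) libsecret cannot reach it."""
    return bool(env.get("DBUS_SESSION_BUS_ADDRESS"))


class PlaintextFilePersistence:
    """Constructed stand-in for msal_extensions.FilePersistence: a plain-text
    cache that is created with, and kept at, mode 0600."""

    def __init__(self, location: str) -> None:
        self.location = location

    def save(self, content: str) -> None:
        # Create with 0600 from the first byte; chmod afterwards in case the
        # file already existed with a wider mode.
        fd = os.open(self.location, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PLAINTEXT_MODE)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(self.location, PLAINTEXT_MODE)

    def load(self) -> str:
        with open(self.location, "r") as fh:
            return fh.read()


def _msal_encrypted_backend(location: str):
    """Real backend; import is deferred so this module runs without the package."""
    from msal_extensions import build_encrypted_persistence  # assumed installed
    return build_encrypted_persistence(location)


def build_persistence(
    location: str,
    encrypted_backend: Callable[[str], object] = _msal_encrypted_backend,
) -> Tuple[object, str]:
    """Try the encrypted backend, else fall back to plain text.

    The broad except mirrors the try/except-fallback pattern MSAL Extensions
    documents: on Linux the failure may be an ImportError (no PyGObject or
    libsecret bindings) or a runtime error from libsecret when no Secret
    Service is running. Returns (persistence, "encrypted" | "plaintext") so the
    caller can log which path was taken instead of silently downgrading."""
    try:
        return encrypted_backend(location), "encrypted"
    except Exception:  # any failure means "no usable encryption here"
        return PlaintextFilePersistence(location), "plaintext"


def audit_cache_file(path: str) -> List[str]:
    """Findings for a plain-text cache file; an empty list means it is as tight
    as a 0600 file can be. Uses lstat so a planted symlink is reported rather
    than followed."""
    findings: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # could redirect the CLI's reads/writes elsewhere
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("foreign-owner")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: %s" % oct(mode))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append("parent dir world-writable without sticky bit")
    return findings


if __name__ == "__main__":
    import tempfile
    cache = os.path.join(tempfile.mkdtemp(), "msal_token_cache.json")
    persistence, kind = build_persistence(cache)
    print("using", kind, "persistence;",
          "session bus present" if likely_has_secret_service(os.environ) else "no session bus")
    if kind == "plaintext":
        persistence.save('{"AccessToken": {}}')  # constructed placeholder cache content
        print("audit:", audit_cache_file(cache) or "ok")
```

Running it over SSH into a headless box prints `using plaintext persistence; no session bus`, which is exactly the situation the last comment describes; the audit is what a practitioner would wire into a login hook or a compliance check, because once the fallback is taken nothing but the file mode stands between another local user and the refresh token.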