Azure / azure-libraries-for-net

Azure libraries for .Net

[BUG] AzureCliCredentials json format changed #1329

Open riezebosch opened 1 year ago

riezebosch commented 1 year ago

Describe the bug

The format of the json files that are used by azure-cli to store the access tokens has changed. Therefore the AzureCliCredentials fails to parse the tokens that are used for logging in using a service principal.

$ az --version
azure-cli                         2.39.0

core                              2.39.0
telemetry                          1.0.6 *

Dependencies:
msal                            1.18.0b1
azure-mgmt-resource             21.1.0b1

Python location '/opt/homebrew/Cellar/azure-cli/2.39.0/libexec/bin/python'
Extensions directory '/Users/mriezebosch/.azure/cliextensions'

Python (Darwin) 3.10.6 (main, Aug 11 2022, 13:36:31) [Clang 13.1.6 (clang-1316.0.21.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

Old format & location:

cat ~/.azure/accessTokens.json 
[
    {
        "servicePrincipalTenant": "** GUID **",
        "servicePrincipalId": "** GUID **",
        "accessToken": "** TOKEN **"
    }
]

New format & location:

cat ~/.azure/service_principal_entries.json 
[
    {
        "tenant": "** GUID **",
        "client_id": "** GUID **",
        "client_secret": "** TOKEN **"
    }
]


To Reproduce

  1. Upgrade azure-cli
  2. az logout (to clear the ~/.azure folder)
  3. az login --service-principal -u '** GUID **' -p '** TOKEN **' --tenant '** GUID **'
  4. Use AzureCliCredentials.Create()


Setup

Microsoft.Azure.Management.Fluent@1.38.1

Additional context

https://github.com/Azure/azure-libraries-for-net/blob/master/src/ResourceManagement/ResourceManager/Authentication/AzureCliCredentials.cs#L45

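A reader that accepts either layout quoted in the report, as an added example that is not code from azure-libraries-for-net or Azure.Identity. `SpEntry` and `CliServicePrincipalCache` are hypothetical names, and it assumes each file is a JSON array of objects with exactly the keys shown above.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

// Added example; SpEntry and CliServicePrincipalCache are hypothetical names.
public sealed record SpEntry(string Tenant, string ClientId, string Secret, string Source)
{
    // Records print every member by default; keep the secret out of logs.
    public override string ToString() => $"{Source}: tenant={Tenant} client={ClientId} secret=<redacted>";
}

public static class CliServicePrincipalCache
{
    // File and key names as quoted in the issue: new layout first, then the old one.
    private static readonly (string File, string Tenant, string Id, string Secret)[] Layouts =
    {
        ("service_principal_entries.json", "tenant", "client_id", "client_secret"),
        ("accessTokens.json", "servicePrincipalTenant", "servicePrincipalId", "accessToken"),
    };

    // azureDir is the CLI folder, ~/.azure in the issue. Returns entries from the first file found.
    public static List<SpEntry> Load(string azureDir)
    {
        foreach (var l in Layouts)
        {
            var path = Path.Combine(azureDir, l.File);
            if (File.Exists(path)) return Parse(File.ReadAllText(path));
        }
        return new List<SpEntry>();
    }

    public static List<SpEntry> Parse(string json)
    {
        var result = new List<SpEntry>();
        using var doc = JsonDocument.Parse(json);
        if (doc.RootElement.ValueKind != JsonValueKind.Array)
            throw new FormatException("expected a JSON array of entries");
        foreach (var item in doc.RootElement.EnumerateArray())
            foreach (var l in Layouts)  // entries matching neither layout are skipped
                if (item.ValueKind == JsonValueKind.Object && Str(item, l.Tenant) is string t &&
                    Str(item, l.Id) is string id && Str(item, l.Secret) is string secret)
                {
                    result.Add(new SpEntry(t, id, secret, l.File));
                    break;
                }
        return result;
    }

    private static string Str(JsonElement o, string name) =>
        o.TryGetProperty(name, out var p) && p.ValueKind == JsonValueKind.String ? p.GetString() : null;
}
```

Matching on key names rather than deserializing into one fixed class means an unrecognized layout produces an empty list instead of a parse exception, which the caller can turn into a clear "run az login again or switch credential source" error.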

weidongxu-microsoft commented 1 year ago

new CLI should be on MSAL, but this lib stays at ADAL.

The lib is in maintenance mode, and to be deprecated.

Please plan to switch to https://aka.ms/azsdk/dotnet/mgmt

riezebosch commented 1 year ago

For this particular issue I don't think it is ADAL/MSAL related. The AzureCliCredentials class just uses the credentials cached by azure-cli. I've seen the new SDK using the cli directly for that, and this lib has its built-in parser.

rvdginste commented 1 year ago

@riezebosch

I had an issue with the AzureCliCredentials and wanted to check the source code. I looked at the implementation here and thought I'd bumped into the unsupported old json issue, but I was actually using the newer library Azure.Identity. The implementation in here (old) directly reads the json file, but the implementation in Azure.Identity directly calls the Azure cli and does not have the issue.

See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs

weidongxu-microsoft commented 1 year ago

Azure.Identity should work fine (unless there is a bug).

Yes, the current solution would be to call the CLI and let it fetch the result. However, I am not sure whether it works the same if the CLI is an old version (before they moved to MSAL).

@riezebosch

As mentioned by @rvdginste, the JSON format changed (or even file location). Whether it is ADAL/MSAL is now internal to CLI. But as said, this lib is likely to be deprecated soon, and we are not adding new features.

riezebosch commented 1 year ago

I understand, but now people depending on this library find their software being in an unusable state since it no longer works with an updated azure-cli.

Is it possible to combine the credentials provided by Azure.Identity with this library?