Closed jiasli closed 2 years ago
The underlying Device Code Flow specs never defines a scope
(or resource
, for that matter) in the second leg. The ADAL Python's API surface happened to contain a resource
parameter for the second step. That was a design mistake.
MSAL Python avoids this mistake by not accepting a scope
parameter in the second step at all.
Thanks for reporting this. The workaround in ADAL Python is "do not use the resource
parameter in the second step". And the better solution is to "migrate to MSAL Python", which Azure CLI will do soon. I'll still have to mark this as WontFix here.
Thanks you so much @rayluo. I am only opening this issue for others who bump into it.
https://github.com/Azure/azure-cli/blob/14cc787d0f58bc649d402b486fdecc5625eee9ac/src/azure-cli-core/azure/cli/core/_profile.py#L936-L938
Azure CLI
https://containerregistry.azure.net
as resource toacquire_user_code
https://management.core.windows.net
as resource toacquire_token_with_device_code
In the second step, the date sent to https://login.microsoftonline.com/common/oauth2/token is confirmed to be
But the returned token entry has
This results in Azure CLI command failure:
This breaks conditional access MFA scenario.
According to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code#authenticating-the-user, it looks like
scope
/resource
is not supported by the service API at all. In other words, we cannot alterresource
in step 2.