Skip to content

[Identity] Updated proper claims encoding #35855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Sep 8, 2025
Merged

[Identity] Updated proper claims encoding #35855

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ec3dd48
updated claims
minhanh-phan Sep 5, 2025
2827441
update change log
minhanh-phan Sep 5, 2025
24046be
Updated docs
minhanh-phan Sep 8, 2025
11080e2
Remove change log entry
minhanh-phan Sep 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion sdk/identity/identity/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@

### Other Changes

- `AzureCliCredential`, `AzurePowerShellCredential`, and `AzureDeveloperCliCredential` now raise `CredentialUnavailableError` when `claims` are provided to `getToken`, as these credentials do not support claims challenges. The error message includes instructions for handling claims authentication scenarios. [#35493](https://github.com/Azure/azure-sdk-for-js/pull/35493)
- `AzureCliCredential`, `AzurePowerShellCredential`, and `AzureDeveloperCliCredential` now raise `CredentialUnavailableError` when `claims` are provided to `getToken`, as these credentials do not support claims challenges. The error message includes instructions for handling claims authentication scenarios. [#35493](https://github.com/Azure/azure-sdk-for-js/pull/35493) & [#35855](https://github.com/Azure/azure-sdk-for-js/pull/35855)

## 4.11.1 (2025-08-05)

Expand Down
3 changes: 2 additions & 1 deletion sdk/identity/identity/src/credentials/azureCliCredential.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,8 @@ export class AzureCliCredential implements TokenCredential {
const scope = typeof scopes === "string" ? scopes : scopes[0];
const claimsValue = options.claims;
if (claimsValue && claimsValue.trim()) {
let loginCmd = `az login --claims-challenge ${claimsValue} --scope ${scope}`;
const encodedClaims = btoa(claimsValue);
let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;

const tenantIdFromOptions = options.tenantId;
if (tenantIdFromOptions) {
Expand Down
3 changes: 2 additions & 1 deletion sdk/identity/identity/src/credentials/azureDeveloperCliCredential.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,8 @@ export const developerCliCredentialInternals = {

let claimsSections: string[] = [];
if (claims) {
claimsSections = ["--claims", claims];
const encodedClaims = btoa(claims);
claimsSections = ["--claims", encodedClaims];
}
return new Promise((resolve, reject) => {
try {
Expand Down
3 changes: 2 additions & 1 deletion sdk/identity/identity/src/credentials/azurePowerShellCredential.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -219,7 +219,8 @@ export class AzurePowerShellCredential implements TokenCredential {

const claimsValue = options.claims;
if (claimsValue && claimsValue.trim()) {
let loginCmd = `Connect-AzAccount -ClaimsChallenge ${claimsValue}`;
const encodedClaims = btoa(claimsValue);
let loginCmd = `Connect-AzAccount -ClaimsChallenge ${encodedClaims}`;

const tenantIdFromOptions = options.tenantId;
if (tenantIdFromOptions) {
Expand Down
6 changes: 4 additions & 2 deletions sdk/identity/identity/test/internal/node/azureCliCredential.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ describe("AzureCliCredential (internal)", function () {
it("throws an expected error when claims challenge is provided", async function () {
const credential = new AzureCliCredential();
const claimsChallenge = "fakeClaimChallenge";
const encodedClaims = btoa(claimsChallenge);
const scope = "https://service/.default";

let error: Error | null = null;
Expand All @@ -181,13 +182,14 @@ describe("AzureCliCredential (internal)", function () {
assert.equal(error?.name, "CredentialUnavailableError");
assert.equal(
error?.message,
`${azureCliPublicErrorMessages.claim} az login --claims-challenge ${claimsChallenge} --scope ${scope}`,
`${azureCliPublicErrorMessages.claim} az login --claims-challenge ${encodedClaims} --scope ${scope}`,
);
});

it("throws an expected error when claims challenge is provided with tenant", async function () {
const credential = new AzureCliCredential();
const claimsChallenge = "fakeClaimChallenge";
const encodedClaims = btoa(claimsChallenge);
const tenantId = "12345678-1234-1234-1234-123456789012";
const scope = "https://service/.default";

Expand All @@ -205,7 +207,7 @@ describe("AzureCliCredential (internal)", function () {
assert.equal(error?.name, "CredentialUnavailableError");
assert.equal(
error?.message,
`${azureCliPublicErrorMessages.claim} az login --claims-challenge ${claimsChallenge} --scope ${scope} --tenant ${tenantId}`,
`${azureCliPublicErrorMessages.claim} az login --claims-challenge ${encodedClaims} --scope ${scope} --tenant ${tenantId}`,
);
});

Expand Down
9 changes: 6 additions & 3 deletions sdk/identity/identity/test/internal/node/azureDeveloperCliCredential.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,21 +154,23 @@ describe("AzureDeveloperCliCredential (internal)", function () {
stdout = '{"token": "token","expiresOn": "1900/01/01T00:00:00Z"}';
stderr = "";
const claimsChallenge = "fakeClaimChallenge";
const encodedClaims = btoa(claimsChallenge);
const scope = "https://service/.default";

const credential = new AzureDeveloperCliCredential();
const actualToken = await credential.getToken(scope, { claims: claimsChallenge });

assert.equal(actualToken!.token, "token");
assert.deepEqual(azdCommands, [
`azd auth token --output json --no-prompt --scope ${scope} --claims ${claimsChallenge}`,
`azd auth token --output json --no-prompt --scope ${scope} --claims ${encodedClaims}`,
]);
});

it("get access token with claims challenge and tenantId", async function () {
stdout = '{"token": "token","expiresOn": "1900/01/01T00:00:00Z"}';
stderr = "";
const claimsChallenge = "fakeClaimChallenge";
const encodedClaims = btoa(claimsChallenge);
const tenantId = "12345678-1234-1234-1234-123456789012";
const scope = "https://service/.default";

Expand All @@ -180,22 +182,23 @@ describe("AzureDeveloperCliCredential (internal)", function () {

assert.equal(actualToken!.token, "token");
assert.deepEqual(azdCommands, [
`azd auth token --output json --no-prompt --scope ${scope} --tenant-id ${tenantId} --claims ${claimsChallenge}`,
`azd auth token --output json --no-prompt --scope ${scope} --tenant-id ${tenantId} --claims ${encodedClaims}`,
]);
});

it("get access token with claims challenge and multiple scopes", async function () {
stdout = '{"token": "token","expiresOn": "1900/01/01T00:00:00Z"}';
stderr = "";
const claimsChallenge = "fakeClaimChallenge";
const encodedClaims = btoa(claimsChallenge);
const scopes = ["https://service/.default", "https://management.azure.com/.default"];

const credential = new AzureDeveloperCliCredential();
const actualToken = await credential.getToken(scopes, { claims: claimsChallenge });

assert.equal(actualToken!.token, "token");
assert.deepEqual(azdCommands, [
`azd auth token --output json --no-prompt --scope ${scopes[0]} --scope ${scopes[1]} --claims ${claimsChallenge}`,
`azd auth token --output json --no-prompt --scope ${scopes[0]} --scope ${scopes[1]} --claims ${encodedClaims}`,
]);
});

Expand Down
6 changes: 4 additions & 2 deletions sdk/identity/identity/test/internal/node/azurePowerShellCredential.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ describe("AzurePowerShellCredential", function () {
it("throws an expected error when claims challenge is provided", async function () {
const credential = new AzurePowerShellCredential();
const claimsChallenge = "urn:microsoft:req1";
const encodedClaims = btoa(claimsChallenge);

let error: Error | null = null;
try {
Expand All @@ -98,13 +99,14 @@ describe("AzurePowerShellCredential", function () {
assert.equal(error?.name, "CredentialUnavailableError");
assert.equal(
error?.message,
`${powerShellPublicErrorMessages.claim} Connect-AzAccount -ClaimsChallenge ${claimsChallenge}`,
`${powerShellPublicErrorMessages.claim} Connect-AzAccount -ClaimsChallenge ${encodedClaims}`,
);
});

it("throws an expected error when claims challenge is provided with tenant", async function () {
const credential = new AzurePowerShellCredential();
const claimsChallenge = "urn:microsoft:req1";
const encodedClaims = btoa(claimsChallenge);
const tenantId = "12345678-1234-1234-1234-123456789012";

let error: Error | null = null;
Expand All @@ -121,7 +123,7 @@ describe("AzurePowerShellCredential", function () {
assert.equal(error?.name, "CredentialUnavailableError");
assert.equal(
error?.message,
`${powerShellPublicErrorMessages.claim} Connect-AzAccount -ClaimsChallenge ${claimsChallenge} -Tenant ${tenantId}`,
`${powerShellPublicErrorMessages.claim} Connect-AzAccount -ClaimsChallenge ${encodedClaims} -Tenant ${tenantId}`,
);
});

Expand Down