[Identity] Enable brokered auth in DAC

Signed-off-by: Paul Van Eck <paulvaneck@microsoft.com>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -8,7 +8,7 @@
   - Valid values are `EnvironmentCredential`, `WorkloadIdentityCredential`, `ManagedIdentityCredential`, `AzureCliCredential`, `AzurePowershellCredential`, `AzureDeveloperCliCredential`, and `InteractiveBrowserCredential`. ([#41709](https://github.com/Azure/azure-sdk-for-python/pull/41709))
 - Re-enabled `VisualStudioCodeCredential` - Previously deprecated `VisualStudioCodeCredential` has been re-implemented to work with the VS Code Azure Resources extension instead of the deprecated Azure Account extension. This requires the `azure-identity-broker` package to be installed for authentication. ([#41822](https://github.com/Azure/azure-sdk-for-python/pull/41822))
   - `VisualStudioCodeCredential` is now included in the `DefaultAzureCredential` token chain by default.
-
+- `DefaultAzureCredential` now supports authentication with the currently signed-in Windows account, provided the `azure-identity-broker` package is installed. This auth mechanism is added at the end of the `DefaultAzureCredential` credential chain.  ([#40335](https://github.com/Azure/azure-sdk-for-python/pull/40335))
 
 ### Breaking Changes
 

sdk/identity/azure-identity/azure/identity/_credentials/broker.py

@@ -0,0 +1,78 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import sys
+from typing import Any
+
+import msal
+from azure.core.credentials import AccessToken, AccessTokenInfo, SupportsTokenInfo
+from .._exceptions import CredentialUnavailableError
+from .._internal.utils import get_broker_credential, is_wsl
+
+
+class BrokerCredential(SupportsTokenInfo):
+    """A broker credential that handles prerequisite checking and falls back appropriately.
+
+    This credential checks if the azure-identity-broker package is available and the platform
+    is supported. If both conditions are met, it uses the real broker credential. Otherwise,
+    it raises CredentialUnavailableError with an appropriate message.
+    """
+
+    def __init__(self, **kwargs: Any) -> None:
+
+        self._tenant_id = kwargs.pop("tenant_id", None)
+        self._client_id = kwargs.pop("client_id", None)
+        self._broker_credential = None
+        self._unavailable_message = None
+
+        # Check prerequisites and initialize the appropriate credential
+        broker_credential_class = get_broker_credential()
+        if broker_credential_class and (sys.platform.startswith("win") or is_wsl()):
+            # The silent auth flow for brokered auth is available on Windows/WSL with the broker package
+            try:
+                broker_credential_args = {
+                    "tenant_id": self._tenant_id,
+                    "parent_window_handle": msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE,
+                    "use_default_broker_account": True,
+                    **kwargs,
+                }
+                if self._client_id:
+                    broker_credential_args["client_id"] = self._client_id
+                self._broker_credential = broker_credential_class(**broker_credential_args)
+            except Exception as ex:  # pylint: disable=broad-except
+                self._unavailable_message = f"InteractiveBrowserBrokerCredential initialization failed: {ex}"
+        else:
+            # Determine the specific reason for unavailability
+            if broker_credential_class is None:
+                self._unavailable_message = (
+                    "InteractiveBrowserBrokerCredential unavailable. "
+                    "The 'azure-identity-broker' package is required to use brokered authentication."
+                )
+            else:
+                self._unavailable_message = (
+                    "InteractiveBrowserBrokerCredential unavailable. "
+                    "Brokered authentication is only supported on Windows and WSL platforms."
+                )
+
+    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
+        if self._broker_credential:
+            return self._broker_credential.get_token(*scopes, **kwargs)
+        raise CredentialUnavailableError(message=self._unavailable_message)
+
+    def get_token_info(self, *scopes: str, **kwargs: Any) -> AccessTokenInfo:
+        if self._broker_credential:
+            return self._broker_credential.get_token_info(*scopes, **kwargs)
+        raise CredentialUnavailableError(message=self._unavailable_message)
+
+    def __enter__(self) -> "BrokerCredential":
+        if self._broker_credential:
+            self._broker_credential.__enter__()
+        return self
+
+    def __exit__(self, *args):
+        if self._broker_credential:
+            self._broker_credential.__exit__(*args)
+
+    def close(self) -> None:
+        self.__exit__()

sdk/identity/azure-identity/azure/identity/_credentials/default.py

@@ -8,8 +8,9 @@
 
 from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions, SupportsTokenInfo, TokenCredential
 from .._constants import EnvironmentVariables
-from .._internal import get_default_authority, normalize_authority, within_dac, process_credential_exclusions
+from .._internal.utils import get_default_authority, normalize_authority, within_dac, process_credential_exclusions
 from .azure_powershell import AzurePowerShellCredential
+from .broker import BrokerCredential
 from .browser import InteractiveBrowserCredential
 from .chained import ChainedTokenCredential
 from .environment import EnvironmentCredential
@@ -42,6 +43,9 @@ class DefaultAzureCredential(ChainedTokenCredential):
     5. The identity currently logged in to the Azure CLI.
     6. The identity currently logged in to Azure PowerShell.
     7. The identity currently logged in to the Azure Developer CLI.
+    8. Brokered authentication. On Windows and WSL, this uses an authentication broker such as
+       Web Account Manager (WAM). On other platforms or when the azure-identity-broker package is not installed,
+       this credential will raise CredentialUnavailableError.
 
     This default behavior is configurable with keyword arguments.
 
@@ -64,6 +68,9 @@ class DefaultAzureCredential(ChainedTokenCredential):
         **False**.
     :keyword bool exclude_interactive_browser_credential: Whether to exclude interactive browser authentication (see
         :class:`~azure.identity.InteractiveBrowserCredential`). Defaults to **True**.
+    :keyword bool exclude_broker_credential: Whether to exclude the broker credential from the credential chain.
+        Defaults to **False**. When False, the broker credential is always included in the chain but will raise
+        CredentialUnavailableError if the azure-identity-broker package is not installed.
     :keyword str interactive_browser_tenant_id: Tenant ID to use when authenticating a user through
         :class:`~azure.identity.InteractiveBrowserCredential`. Defaults to the value of environment variable
         AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.
@@ -147,6 +154,7 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
             },
             "visual_studio_code": {
                 "exclude_param": "exclude_visual_studio_code_credential",
+                "env_name": "visualstudiocodecredential",
                 "default_exclude": False,
             },
             "cli": {
@@ -169,6 +177,11 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
                 "env_name": "interactivebrowsercredential",
                 "default_exclude": True,
             },
+            "broker": {
+                "exclude_param": "exclude_broker_credential",
+                "env_name": "interactivebrowserbrokercredential",
+                "default_exclude": False,
+            },
         }
 
         # Extract user-provided exclude flags and set defaults
@@ -192,6 +205,7 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
         exclude_developer_cli_credential = exclude_flags["developer_cli"]
         exclude_powershell_credential = exclude_flags["powershell"]
         exclude_interactive_browser_credential = exclude_flags["interactive_browser"]
+        exclude_broker_credential = exclude_flags["broker"]
 
         credentials: List[SupportsTokenInfo] = []
         within_dac.set(True)
@@ -242,6 +256,12 @@ def __init__(self, **kwargs: Any) -> None:  # pylint: disable=too-many-statement
                 )
             else:
                 credentials.append(InteractiveBrowserCredential(tenant_id=interactive_browser_tenant_id, **kwargs))
+        if not exclude_broker_credential:
+            broker_credential_args = {"tenant_id": interactive_browser_tenant_id, **kwargs}
+            if interactive_browser_client_id:
+                broker_credential_args["client_id"] = interactive_browser_client_id
+            credentials.append(BrokerCredential(**broker_credential_args))
+
         within_dac.set(False)
         super(DefaultAzureCredential, self).__init__(*credentials)
 

sdk/identity/azure-identity/azure/identity/_internal/utils.py

@@ -3,6 +3,7 @@
 # Licensed under the MIT License.
 # ------------------------------------
 import os
+import platform
 import logging
 from contextvars import ContextVar
 from string import ascii_letters, digits
@@ -209,3 +210,11 @@ def get_broker_credential() -> Optional[type]:
         return InteractiveBrowserBrokerCredential
     except ImportError:
         return None
+
+
+def is_wsl() -> bool:
+    # This is how MSAL checks for WSL.
+    uname = platform.uname()
+    platform_name = getattr(uname, "system", uname[0]).lower()
+    release = getattr(uname, "release", uname[2]).lower()
+    return platform_name == "linux" and "microsoft" in release

sdk/identity/azure-identity/tests/test_default.py

@@ -3,6 +3,7 @@
 # Licensed under the MIT License.
 # ------------------------------------
 import os
+import sys
 
 from azure.core.credentials import AccessToken, AccessTokenInfo
 from azure.identity import (
@@ -19,6 +20,7 @@
 from azure.identity._credentials.azure_cli import AzureCliCredential
 from azure.identity._credentials.azd_cli import AzureDeveloperCliCredential
 from azure.identity._credentials.managed_identity import ManagedIdentityCredential
+from azure.identity._internal.utils import is_wsl
 import pytest
 from urllib.parse import urlparse
 
@@ -175,12 +177,25 @@ def assert_credentials_not_present(chain, *excluded_credential_classes):
     credential = DefaultAzureCredential(exclude_developer_cli_credential=True)
     assert_credentials_not_present(credential, AzureDeveloperCliCredential)
 
+    # test excluding broker credential
+    credential = DefaultAzureCredential(exclude_broker_credential=True)
+    from azure.identity._credentials.broker import BrokerCredential
+
+    assert_credentials_not_present(credential, BrokerCredential)
+
     # interactive auth is excluded by default
     credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)
     actual = {c.__class__ for c in credential.credentials}
     default = {c.__class__ for c in DefaultAzureCredential().credentials}
     assert actual - default == {InteractiveBrowserCredential}
 
+    # broker credential is included by default
+    credential = DefaultAzureCredential()
+    from azure.identity._credentials.broker import BrokerCredential
+
+    actual = {c.__class__ for c in credential.credentials}
+    assert BrokerCredential in actual, "BrokerCredential should be included in DefaultAzureCredential by default"
+
 
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 def test_shared_cache_tenant_id(get_token_method):
@@ -432,3 +447,33 @@ def test_validate_cloud_shell_credential_in_dac():
         DefaultAzureCredential(identity_config={"client_id": "foo"})
         DefaultAzureCredential(identity_config={"object_id": "foo"})
         DefaultAzureCredential(identity_config={"resource_id": "foo"})
+
+
+@pytest.mark.skipif(not sys.platform.startswith("win") and not is_wsl(), reason="tests Windows-specific behavior")
+def test_broker_credential():
+    """Test that DefaultAzureCredential uses the broker credential when available"""
+    with patch("azure.identity.broker.InteractiveBrowserBrokerCredential") as mock_credential:
+        credential = DefaultAzureCredential()
+        # The broker credential should be in the chain
+        broker_credentials = [c for c in credential.credentials if c.__class__.__name__ == "BrokerCredential"]
+        assert len(broker_credentials) == 1, "BrokerCredential should be in the chain"
+    # InteractiveBrowserBrokerCredential should be instantiated by BrokerCredential
+    assert mock_credential.call_count > 1, "InteractiveBrowserBrokerCredential should be instantiated"
+
+
+def test_broker_credential_requirements_not_installed():
+    """Test that DefaultAzureCredential includes BrokerCredential even when broker package is not installed"""
+
+    # Mock the get_broker_credential function to return None (simulating package not installed)
+    with patch.dict("sys.modules", {"azure.identity.broker": None}):
+        credential = DefaultAzureCredential()
+        # The broker credential should still be in the chain
+        broker_credentials = [c for c in credential.credentials if c.__class__.__name__ == "BrokerCredential"]
+        assert (
+            len(broker_credentials) == 1
+        ), "BrokerCredential should be in the chain even when broker package is not installed"
+
+        # Test that the broker credential raises CredentialUnavailableError
+        broker_cred = broker_credentials[0]
+        with pytest.raises(CredentialUnavailableError) as exc_info:
+            broker_cred.get_token_info("https://management.azure.com/.default")