SDK should have a way to return 401 response body

[jiasli]

Is your feature request related to a problem? Please describe.
When a mgmt-plane request gets blocked by MFA policy, only the claims challenge from WWW-Authenticate header is passed to get_token_info via options['claims'].

The response body of the 401 response is discarded as Body is streamable:

cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/9fb3fda4-e572-422a-a972-1011d3593176/resourceGroups/testpolicy1/providers/Microsoft.KeyVault/vaults/kv06171?api-version=2023-02-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
...

cli.azure.cli.core.sdk.policies: Response status: 401
cli.azure.cli.core.sdk.policies: Response headers:
...
cli.azure.cli.core.sdk.policies:     'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwMSJdfX19"'
...
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: Body is streamable

However, the response body contains detailed information on the policy that rejected the request. The response body should be displayed to the user.

Describe the solution you'd like
SDK should have a way to pass the 401 response body to the credential that implements get_token_info so that it can display the response body accordingly.

For example, get_token_info's options can have a new field called body that contains the 401 response body.

Describe alternatives you've considered
N/A

Additional context

• {Auth} Add --claims-challenge to the re-authentication message azure-cli#31699 (comment)
• [Core] Investigate default on_challenge implementation in auth policies #31215
• Azure CLI supported the new get_token_info token protocol in {Auth} Support get_token_info protocol azure-cli#30928

[pvaneck]

Can you confirm my understanding of your scenario?

1. A request is made to an Azure Service which returns a 401 Unauthorized with an error message in the response body about the MFA policy.
2. The get_token_info call with claims in on_challenge is successful and yields a new token in the authorization header.
3. A request is sent to the service with this new auth token, but this still fails due to MFA, returning an error response that is propagated to the user, but this error doesn't have the info about the MFA policy. (Is this correct?)

[jiasli]

2. The get_token_info call with claims in on_challenge is successful and yields a new token in the authorization header.

Azure CLI's implementation of calling get_token_info with claims will perform a ATS (acquire token silently) and fail with AADSTS50079. Step 3 will not occur.

Azure CLI currently uses ARMChallengeAuthenticationPolicy from azure-mgmt-core==1.5.0. The ARMChallengeAuthenticationPolicy from azure-mgmt-core==1.5.0 does not handle exceptions during on_challenge and fails immediately if ATS (acquire token silently) throws exception:

azure-sdk-for-python/sdk/core/azure-mgmt-core/azure/mgmt/core/policies/_authentication.py

Line 74 in f306890

self.authorize_request(request, *self._scopes, claims=claims)

This has been changed in #38703. ARMChallengeAuthenticationPolicy now fully inherits from BearerTokenCredentialPolicy and returns the 401 response only when on_challenge fails:

azure-sdk-for-python/sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py

Lines 211 to 212 in c048b77

	except Exception: # pylint:disable=broad-except
	return False

azure-sdk-for-python/sdk/core/azure-core/azure/core/pipeline/policies/_authentication.py

Line 181 in c048b77

return response

However, this change is not released. Action item for SDK team: Please release the change of ARMChallengeAuthenticationPolicy in a new azure-mgmt-core, so that Azure CLI can start using this code.

Even after that, the new ARMChallengeAuthenticationPolicy may not fully satisfy Azure CLI’s needs: During on_challenge, Azure CLI will try to perform ATS (acquire token silently) without telling the user why and fails. In the future, we may perform ATI (acquire token interactively) during on_challenge and on_challenge will succeed. In such case, the 401 response body is still hidden.

A better approach I can think of is to pass the 401 response body in get_token_info’s option dict together with the claims challenge so that Azure CLI can show it before ATS, telling the user why we are attempting ATS as WARNING. If that fails, we tell the user the Entra error AADSTS50079 as WARNING and show the 401 response as ERROR. In the future, if we want to perform ATI during on_challenge, we can also tell the user why we need to do so.

I understand get_token_info is only available in Python SDK, and Azure CLI has started the migration to get_token_info, so this might be easy for Python SDK and Azure CLI. However, other language SDKs are still using get_token and it might be difficult to add additional arguments to get_token, so this design needs to be discussed with other language SDKs.

[joshfree]

Related Support ARM Step-up Authentication Challenge for MFA Starting September 1st · Issue #962 · Azure/azure-sdk-for-python-pr