Implement `azure-identity`'s multi-tenant authentication API

[jiasli]

Context

azure-identity introduced its new multi-tenant authentication API get_token(tenant_id=...):

• Update Multi-Tenant support to incorporate Arch Board Feedback azure-sdk-for-python#20940

Meanwhile, before this is implemented, Azure CLI developed its own multi-tenant authentication implementation using CredentialAdaptor.get_auxiliary_tokens (#19853):

azure-cli/src/azure-cli-core/azure/cli/core/commands/client_factory.py

Lines 180 to 189 in 110f7b4

	# Track 2 currently lacks the ability to take external credentials.
	# https://github.com/Azure/azure-sdk-for-python/issues/8313
	# As a temporary workaround, manually add external tokens to 'x-ms-authorization-auxiliary' header.
	# https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
	if hasattr(cred, "get_auxiliary_tokens"):
	aux_tokens = cred.get_auxiliary_tokens(*scopes)
	if aux_tokens:
	# Hard-code scheme to 'Bearer' as _BearerTokenCredentialPolicyBase._update_headers does.
	client_kwargs['headers']['x-ms-authorization-auxiliary'] = \
	', '.join("Bearer {}".format(token.token) for token in aux_tokens)

This makes CredentialAdaptor.get_token incompatible with azure-identity's InteractiveCredential.get_token which takes tenant_id and resolves it at

https://github.com/Azure/azure-sdk-for-python/blob/01d0b99e53a1995b39e59649bf3d550dc5408875/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py#L62

    def _get_app(self, **kwargs):
        # type: (**Any) -> msal.ClientApplication
        tenant_id = resolve_tenant(self._tenant_id, **kwargs)

TODO

CredentialAdaptor.get_token should be able to take tenant_id.

References

• {Keyvault} Pin azure-keyvault-keys==4.5.0b4 #20880
• az keyvault key create fails: Session.request() got an unexpected keyword argument 'tenant_id' #20856

[jiasli]

@rayluo, do you think if it is possible for MSAL to accept tenant_id in acquire_token_silent_with_error, as in Azure CLI's implementation, get_token is just a wrapper of acquire_token_silent_with_error:

azure-cli/src/azure-cli-core/azure/cli/core/auth/msal_authentication.py

Lines 56 to 60 in d7e5ede

	def get_token(self, *scopes, **kwargs):
	# scopes = ['https://pas.windows.net/CheckMyAccess/Linux/.default']
	logger.debug("UserCredential.get_token: scopes=%r, kwargs=%r", scopes, kwargs)
	result = self.acquire_token_silent_with_error(list(scopes), self._account, **kwargs)

[jiasli]

Another possible solution is we simply discard tenant_id in get_token, just as what we are doing right now - Azure CLI uses the current subscription for authentication. The down-side is that if the keyvault doesn't belong to the current subscription, authentication will fail:

> az keyvault key create --name "key1" --protection software --ops encrypt decrypt --vault-name "jlkv1"
(Unauthorized) AKV10032: Invalid issuer. Expected one of https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/ca97aaa0-5a12-4ae3-8929-c8fb57dd93d6/.
Code: Unauthorized
Message: AKV10032: Invalid issuer. Expected one of https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/ca97aaa0-5a12-4ae3-8929-c8fb57dd93d6/.

[microsoft-github-policy-service]

🔔 Routing this issue to @act-platform-engineering-squad.