az ssh cert fails when brokered authentication is enabled on Windows #31235
Description
Describe the bug
The az ssh cert command fails when brokered authentication is enabled on Windows. Although a browser window opens successfully for login, the command crashes with a ValueError related to parent_window_handle. It seems Azure CLI is unable to handle the broker flow correctly in a console environment.
Disabling the broker manually using az config set core.enable_broker_on_windows=false allows the command to run without issue.
This was working fine until yesterday; no changes were made to the system, CLI, or scripts. Suddenly, the command started failing with this broker error.
Related command
az ssh cert --public-key-file %userprofile%.ssh\keys\id_rsa.pub --file %userprofile%.ssh\keys\id_rsa-aadcert.pub
Errors
(pii). Status: Response_Status.Status_InteractionRequired, Error code: 3399614476, Tag: 557973645
The default web browser has been opened at https://login.microsoftonline.com/cd0e7002-8ec7-4d13-8260-e0deef3da5ab/oauth2/v2.0/authorize for scope 'https://pas.windows.net/CheckMyAccess/Linux/.default'. Please continue the login in the web browser.
The command failed with an unexpected error. Here is the traceback:
parent_window_handle is required when you opted into using broker. You need to provide the window handle of your GUI application, or use msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE when and only when your application is a console app.
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 68, in get_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 149, in check_result
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 53, in aad_error_handler
azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_InteractionRequired, Error code: 3399614476, Tag: 557973645
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "C:\Users%userprofile%.azure\cliextensions\ssh\azext_ssh\custom.py", line 128, in ssh_cert
cert_file, _ = _get_and_write_certificate(cmd, public_key_file, cert_path, ssh_client_folder)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\12650.azure\cliextensions\ssh\azext_ssh\custom.py", line 232, in _get_and_write_certificate
certificatedata = credential.get_token(*scopes, data=data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/credential_adaptor.py", line 66, in get_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/credential_adaptor.py", line 38, in _get_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 84, in get_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 2112, in acquire_token_interactive
ValueError: parent_window_handle is required when you opted into using broker. You need to provide the window handle of your GUI application, or use msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE when and only when your application is a console app.
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
Issue script & Debug output
az ssh cert --public-key-file %userprofile%.ssh\keys\id_rsa.pub --file %userprofile%.ssh\keys\id_rsa-aadcert.pub
Workaround that solved the issue:
az config set core.enable_broker_on_windows=false
az account clear
az login
Expected behavior
The command should complete successfully without requiring the user to disable the broker. Azure CLI should detect it's running in a console environment and fall back automatically or pass the correct console window handle internally.
Environment Summary
azure-cli 2.67.0 *
core 2.67.0 *
telemetry 1.1.0
Extensions:
ssh 2.0.6
Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users%userprofile%.azure\cliextensions'
Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct 1 2024, 03:06:41) [MSC v.1941 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Additional context
No response
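
Added example, not Azure CLI or MSAL code: a sketch of the silent-then-interactive flow visible in the traceback, passing the console window handle that the ValueError asks for when the broker is enabled. `StubBrokerApp`, `get_token` and its `broker_enabled` parameter are hypothetical; `CONSOLE_WINDOW_HANDLE`, `acquire_token_silent_with_error` and `acquire_token_interactive` are names from MSAL Python's `PublicClientApplication`, which `app` is assumed to be in real use.

```python
class StubBrokerApp:
    """Constructed stand-in for msal.PublicClientApplication (not MSAL code).

    It reproduces only the two behaviours seen in the traceback: the silent
    call reports that interaction is required, and the interactive call
    rejects a missing parent_window_handle when the broker is enabled.
    """
    CONSOLE_WINDOW_HANDLE = object()  # MSAL exposes a constant of this name

    def __init__(self, enable_broker):
        self._enable_broker = enable_broker

    def acquire_token_silent_with_error(self, scopes, account, **kwargs):
        return {"error": "interaction_required"}

    def acquire_token_interactive(self, scopes, parent_window_handle=None, **kwargs):
        if self._enable_broker and parent_window_handle is None:
            raise ValueError(
                "parent_window_handle is required when you opted into using broker.")
        # Constructed result; a real call returns a token response dict.
        return {"access_token": "constructed-token", "via_broker": self._enable_broker}


def get_token(app, scopes, account, broker_enabled, **kwargs):
    """Try the cache first, then fall back to an interactive login.

    broker_enabled is assumed to mirror the core.enable_broker_on_windows
    setting. Extra kwargs (such as data=...) are forwarded to both calls.
    """
    result = app.acquire_token_silent_with_error(scopes, account, **kwargs)
    if result and "error" not in result:
        return result
    if broker_enabled:
        # A CLI is a console app, so the console handle is the valid choice.
        kwargs["parent_window_handle"] = app.CONSOLE_WINDOW_HANDLE
    result = app.acquire_token_interactive(scopes, **kwargs)
    if "error" in result:
        raise RuntimeError(result.get("error_description", result["error"]))
    return result
```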