auth: Support azure-pipelines for --federated-credential-provider

This change adds `azure-pipelines` as a supported value for the
`--federated-credential-provider` switch of `azd auth login`. This
provider can be used to do OIDC based login within the context of a
job running in Azure Pipelines.

When using this provider, `azd` uses the `AzurePipelinesCredential`
type to manage the OIDC dance. In addition to the client and tenant id
of the service principal you plan to authenticate with, we also need
the "service connection id" (this is the ID of the object created in
Azure Pipelines that contains the connection information) and the
system access token which is the security token for the running build
(it's what is used to authenticate to the OIDC endpoint that is being
run inside the pipeline which we use to fetch the federated
credential).  The client and tenant ids can be provided on the command
line, via the existing `--client-id` and `--tenant-id` switches, or,
when `azure-pipelines` is the `federated-credential-provider`, they
can be read from the `AZURESUBSCRIPTION_CLIENT_ID` and
`AZURESUBSCRIPTION_TEANT_ID` system environment varaibles.  The
service connection ID and acceess token are read from the
`AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN`
environment variaibles.

These system environment variables correspond to what the `AzureCLI@2`
sets when passing the `azureSubscription` parameter (after translating
the service connection name to a service connection ID, which is
handy) allowing something like this to work:

```yaml
- task: AzureCLI@2
  inputs:
    azureSubscription: azconnection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      azd auth login --federated-credential-provider "azure-pipelines"
      azd up
```

Note that while the AzureCLI task is used above, it's only used for
setting these environment variables and doing the service connection
name to id translation.  You could do something like the following
instead:

```yaml
- bash: |
    azd auth login --federated-credential-provider "azure-pipelines"
    azd up
  env:
    AZURE_SUBSCRIPTION_CLIENT_ID: "Your Client ID"
    AZURE_SUBSCRIPTION_TENANT_ID: "Your Tenant ID"
    AZURE_SUBSCRIPTION_SERVICE_CONNECTION_ID: "Your Service Connection ID"
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

And things will work as well. This can be useful in cases where you
can use the `AzureCLI@2` task directly.

We can consider writing our own task as some point as well.

Contributes To #4341

cli/azd/.vscode/cspell-azd-dictionary.txt

@@ -1,5 +1,6 @@
 AADSTS
 ABRT
+ACCESSTOKEN
 aiomysql
 aiopg
 alphafeatures
@@ -50,6 +51,7 @@ AZURECLI
 azureedge
 azureml
 azurestaticapps
+AZURESUBSCRIPTION
 azuretools
 azureutil
 azureyaml

cli/azd/cmd/auth_login.go

@@ -34,6 +34,25 @@ import (
 // The parent of the login command.
 const loginCmdParentAnnotation = "loginCmdParent"
 
+// azurePipelinesClientIDEnvVarName is the name of the environment variable that contains the client ID for the principal
+// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
+// when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesClientIDEnvVarName = "AZURESUBSCRIPTION_CLIENT_ID"
+
+// azurePipelinesTenantIDEnvVarName is the name of the environment variable that contains the tenant ID for the principal
+// to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and AzurePowerShell@5 tasks
+// when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesTenantIDEnvVarName = "AZURESUBSCRIPTION_TENANT_ID"
+
+// AzurePipelinesServiceConnectionNameEnvVarName is the name of the environment variable that contains the name of the
+// service connection to use when authenticating with Azure Pipelines via OIDC. It is set by both the AzureCLI@2 and
+// AzurePowerShell@5 tasks when using a service connection or can be set manually when not using these tasks.
+const azurePipelinesServiceConnectionIDEnvVarName = "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"
+
+// azurePipelinesProvider is the name of the federated token provider to use when authenticating with Azure Pipelines via
+// OIDC.
+const azurePipelinesProvider string = "azure-pipelines"
+
 type authLoginFlags struct {
 	loginFlags
 }
@@ -389,6 +408,18 @@ func runningOnCodespacesBrowser(ctx context.Context, commandRunner exec.CommandR
 }
 
 func (la *loginAction) login(ctx context.Context) error {
+	if la.flags.federatedTokenProvider == azurePipelinesProvider {
+		if la.flags.clientID == "" {
+			log.Printf("setting client id from environment variable %s", azurePipelinesClientIDEnvVarName)
+			la.flags.clientID = os.Getenv(azurePipelinesClientIDEnvVarName)
+		}
+
+		if la.flags.tenantID == "" {
+			log.Printf("setting tenant id from environment variable %s", azurePipelinesClientIDEnvVarName)
+			la.flags.tenantID = os.Getenv(azurePipelinesTenantIDEnvVarName)
+		}
+	}
+
 	if la.flags.managedIdentity {
 		if _, err := la.authManager.LoginWithManagedIdentity(
 			ctx, la.flags.clientID,
@@ -451,9 +482,22 @@ func (la *loginAction) login(ctx context.Context) error {
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}
-		case la.flags.federatedTokenProvider != "":
-			if _, err := la.authManager.LoginWithServicePrincipalFederatedTokenProvider(
-				ctx, la.flags.tenantID, la.flags.clientID, la.flags.federatedTokenProvider,
+		case la.flags.federatedTokenProvider == "github":
+			if _, err := la.authManager.LoginWithGitHubFederatedTokenProvider(
+				ctx, la.flags.tenantID, la.flags.clientID,
+			); err != nil {
+				return fmt.Errorf("logging in: %w", err)
+			}
+		case la.flags.federatedTokenProvider == azurePipelinesProvider:
+			serviceConnectionID := os.Getenv(azurePipelinesServiceConnectionIDEnvVarName)
+
+			if serviceConnectionID == "" {
+				return fmt.Errorf("must set %s for azure-pipelines federated token provider",
+					azurePipelinesServiceConnectionIDEnvVarName)
+			}
+
+			if _, err := la.authManager.LoginWithAzurePipelinesFederatedTokenProvider(
+				ctx, la.flags.tenantID, la.flags.clientID, serviceConnectionID,
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}

cli/azd/pkg/auth/manager.go

@@ -53,6 +53,16 @@ const useAzCliAuthKey = "auth.useAzCliAuth"
 // auth related configuration information (e.g. the home account id of the current user). This information is not secret.
 const authConfigFileName = "auth.json"
 
+// azurePipelinesSystemAccessTokenEnvVarName is the name of the environment variable that contains the system access token
+// used to auth against the ODIC endpoint for Azure Pipelines. It needs to be set by the task that runs the azd command by
+// adding `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` to the `env` section of the task configuration.
+const azurePipelinesSystemAccessTokenEnvVarName = "SYSTEM_ACCESSTOKEN"
+
+// errNoSystemAccessTokenEnvVar is returned when the System.AccessToken environment variable is not set.
+var errNoSystemAccessTokenEnvVar = fmt.Errorf(
+	"system access token not found, ensure the System.AccessToken value is mapped to an environment variable named %s",
+	azurePipelinesSystemAccessTokenEnvVarName)
+
 // HttpClient interface as required by MSAL library.
 type HttpClient interface {
 	// Do sends an HTTP request and returns an HTTP response.
@@ -312,11 +322,6 @@ func (m *Manager) CredentialForCurrentUser(
 		}
 		return m.newCredentialFromManagedIdentity(clientID)
 	} else if currentUser.TenantID != nil && currentUser.ClientID != nil {
-		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
-		if err != nil {
-			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
-		}
-
 		// by default we used the stored tenant (i.e. the one provided with the tenant id parameter when a user ran
 		// `azd auth login`), but we allow an override using the options bag, when
 		// TenantID is non-empty and PreferFallbackTenant is not true.
@@ -326,13 +331,18 @@ func (m *Manager) CredentialForCurrentUser(
 			tenantID = options.TenantID
 		}
 
+		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
+		if err != nil {
+			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
+		}
+
 		if ps.ClientSecret != nil {
 			return m.newCredentialFromClientSecret(tenantID, *currentUser.ClientID, *ps.ClientSecret)
 		} else if ps.ClientCertificate != nil {
 			return m.newCredentialFromClientCertificate(tenantID, *currentUser.ClientID, *ps.ClientCertificate)
 		} else if ps.FederatedAuth != nil && ps.FederatedAuth.TokenProvider != nil {
 			return m.newCredentialFromFederatedTokenProvider(
-				tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider)
+				tenantID, *currentUser.ClientID, *ps.FederatedAuth.TokenProvider, ps.FederatedAuth.ServiceConnectionID)
 		}
 	}
 
@@ -518,35 +528,62 @@ func (m *Manager) newCredentialFromFederatedTokenProvider(
 	tenantID string,
 	clientID string,
 	provider federatedTokenProvider,
+	serviceConnectionID *string,
 ) (azcore.TokenCredential, error) {
-	if provider != gitHubFederatedAuth {
-		return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
-	}
-	options := &azidentity.ClientAssertionCredentialOptions{
-		ClientOptions: azcore.ClientOptions{
-			Transport: m.httpClient,
-			// TODO: Inject client options instead? this can be done if we're OK
-			// using the default user agent string.
-			Cloud: m.cloud.Configuration,
-		},
-	}
-	cred, err := azidentity.NewClientAssertionCredential(
-		tenantID,
-		clientID,
-		func(ctx context.Context) (string, error) {
-			federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
-			if err != nil {
-				return "", fmt.Errorf("fetching federated token: %w", err)
-			}
+	clientOptions := azcore.ClientOptions{
+		Transport: m.httpClient,
+		// TODO: Inject client options instead? this can be done if we're OK
+		// using the default user agent string.
+		Cloud: m.cloud.Configuration,
+	}
+
+	switch provider {
+	case gitHubFederatedTokenProvider:
+		cred, err := azidentity.NewClientAssertionCredential(
+			tenantID,
+			clientID,
+			func(ctx context.Context) (string, error) {
+				federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
+				if err != nil {
+					return "", fmt.Errorf("fetching federated token: %w", err)
+				}
 
-			return federatedToken, nil
-		},
-		options)
-	if err != nil {
-		return nil, fmt.Errorf("creating credential: %w", err)
-	}
+				return federatedToken, nil
+			},
+			&azidentity.ClientAssertionCredentialOptions{
+				ClientOptions: clientOptions,
+			})
+		if err != nil {
+			return nil, fmt.Errorf("creating credential: %w", err)
+		}
 
-	return cred, nil
+		return cred, nil
+
+	case azurePipelinesFederatedTokenProvider:
+		systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)
+		if systemAccessToken == "" {
+			return nil, errNoSystemAccessTokenEnvVar
+		}
+
+		// Guard against the case where the service connection ID is not set because someone manually edited the json
+		// files managed by `azd auth login`.
+		if serviceConnectionID == nil {
+			return nil, errors.New("service connection ID not found, please run `azd auth login` to authenticate")
+		}
+
+		cred, err := azidentity.NewAzurePipelinesCredential(
+			tenantID, clientID, *serviceConnectionID, systemAccessToken, &azidentity.AzurePipelinesCredentialOptions{
+				ClientOptions: clientOptions,
+			},
+		)
+		if err != nil {
+			return nil, fmt.Errorf("creating credential: %w: %w", err, ErrNoCurrentUser)
+		}
+
+		return cred, nil
+	default:
+		return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
+	}
 }
 
 func (m *Manager) newCredentialFromCloudShell() (azcore.TokenCredential, error) {
@@ -755,10 +792,10 @@ func (m *Manager) LoginWithServicePrincipalCertificate(
 	return cred, nil
 }
 
-func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
-	ctx context.Context, tenantId, clientId, provider string,
+func (m *Manager) LoginWithGitHubFederatedTokenProvider(
+	ctx context.Context, tenantId, clientId string,
 ) (azcore.TokenCredential, error) {
-	cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, federatedTokenProvider(provider))
+	cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, gitHubFederatedTokenProvider, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -768,7 +805,7 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
 		clientId,
 		&persistedSecret{
 			FederatedAuth: &federatedAuth{
-				TokenProvider: &gitHubFederatedAuth,
+				TokenProvider: &gitHubFederatedTokenProvider,
 			},
 		},
 	); err != nil {
@@ -778,6 +815,41 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
 	return cred, nil
 }
 
+func (m *Manager) LoginWithAzurePipelinesFederatedTokenProvider(
+	ctx context.Context, tenantID string, clientID string, serviceConnectionID string,
+) (azcore.TokenCredential, error) {
+	systemAccessToken := os.Getenv(azurePipelinesSystemAccessTokenEnvVarName)
+
+	if systemAccessToken == "" {
+		return nil, errNoSystemAccessTokenEnvVar
+	}
+
+	options := &azidentity.AzurePipelinesCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: m.httpClient,
+			// TODO: Inject client options instead? this can be done if we're OK
+			// using the default user agent string.
+			Cloud: m.cloud.Configuration,
+		},
+	}
+
+	cred, err := azidentity.NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken, options)
+	if err != nil {
+		return nil, fmt.Errorf("creating credential: %w", err)
+	}
+
+	if err := m.saveLoginForServicePrincipal(tenantID, clientID, &persistedSecret{
+		FederatedAuth: &federatedAuth{
+			TokenProvider:       &azurePipelinesFederatedTokenProvider,
+			ServiceConnectionID: &serviceConnectionID,
+		},
+	}); err != nil {
+		return nil, err
+	}
+
+	return cred, nil
+}
+
 // Logout signs out the current user and removes any cached authentication information
 func (m *Manager) Logout(ctx context.Context) error {
 	act, err := m.getSignedInAccount(ctx)
@@ -1017,7 +1089,8 @@ type persistedSecret struct {
 
 // federated auth token providers
 var (
-	gitHubFederatedAuth federatedTokenProvider = "github"
+	gitHubFederatedTokenProvider         federatedTokenProvider = "github"
+	azurePipelinesFederatedTokenProvider federatedTokenProvider = "azure-pipelines"
 )
 
 // token provider for federated auth
@@ -1027,6 +1100,9 @@ type federatedTokenProvider string
 type federatedAuth struct {
 	// The auth token provider. Tokens are obtained by calling the provider as needed.
 	TokenProvider *federatedTokenProvider `json:"tokenProvider,omitempty"`
+	// The ID of the service connection to use for Azure Pipelines federated auth. This is only set when the TokenProvider
+	// is "azure-pipelines".
+	ServiceConnectionID *string `json:"serviceConnectionId,omitempty"`
 }
 
 // userProperties is the model type for the value we store in the user's config. It is logically a discriminated union of

cli/azd/pkg/auth/manager_test.go

@@ -150,9 +150,7 @@ func TestServicePrincipalLoginFederatedTokenProvider(t *testing.T) {
 		cloud: cloud.AzurePublic(),
 	}
 
-	cred, err := m.LoginWithServicePrincipalFederatedTokenProvider(
-		context.Background(), "testClientId", "testTenantId", "github",
-	)
+	cred, err := m.LoginWithGitHubFederatedTokenProvider(context.Background(), "testClientId", "testTenantId")
 
 	require.NoError(t, err)
 	require.IsType(t, new(azidentity.ClientAssertionCredential), cred)

go.mod

@@ -4,8 +4,8 @@ go 1.23
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.2
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/apimanagement/armapimanagement v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appconfiguration/armappconfiguration v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/appcontainers/armappcontainers/v3 v3.0.0-beta.1
@@ -68,13 +68,13 @@ require (
 	go.opentelemetry.io/otel/trace v1.8.0
 	go.uber.org/atomic v1.9.0
 	go.uber.org/multierr v1.8.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.25.0
 	gopkg.in/dnaeon/go-vcr.v3 v3.1.2
 )
 
 require (
 	github.com/Azure/azure-pipeline-go v0.2.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -99,10 +99,10 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.8.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.18.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect