Skip to content

feat: Add Azure CLI auth source (POC)#265

Open
shirasassoon wants to merge 1 commit into
microsoft:mainfrom
shirasassoon:feature/azure-cli-auth-poc
Open

feat: Add Azure CLI auth source (POC)#265
shirasassoon wants to merge 1 commit into
microsoft:mainfrom
shirasassoon:feature/azure-cli-auth-poc

Conversation

@shirasassoon

Copy link
Copy Markdown
Contributor

Add azure_cli as a new identity type that delegates token acquisition to Azure CLI via azure-identity's AzureCliCredential. This allows tools calling fab to reuse an existing az login session instead of requiring a separate interactive fab auth login.

Changes:

  • Add 'azure_cli' to AUTH_KEYS identity type allow-list
  • Add _acquire_token_from_azure_cli() using AzureCliCredential
  • Add --azure-cli flag to fab auth login
  • Add 'Azure CLI' option to interactive login menu
  • Show auth_source in fab auth status output
  • Add azure-identity>=1.15.0 dependency
  • Add 12 unit tests covering dispatch, scopes, errors, sanitization

Security: error messages are sanitized to never leak token content.

Add azure_cli as a new identity type that delegates token acquisition
to Azure CLI via azure-identity's AzureCliCredential. This allows
tools calling fab to reuse an existing az login session instead of
requiring a separate interactive fab auth login.

Changes:
- Add 'azure_cli' to AUTH_KEYS identity type allow-list
- Add _acquire_token_from_azure_cli() using AzureCliCredential
- Add --azure-cli flag to fab auth login
- Add 'Azure CLI' option to interactive login menu
- Show auth_source in fab auth status output
- Add azure-identity>=1.15.0 dependency
- Add 12 unit tests covering dispatch, scopes, errors, sanitization

Security: error messages are sanitized to never leak token content.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 15, 2026 10:46
@shirasassoon
shirasassoon requested a review from a team as a code owner July 15, 2026 10:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new authentication source (azure_cli) to Fabric CLI, delegating token acquisition to Azure CLI (via azure-identity’s AzureCliCredential) so fab can reuse an existing az login session. It also wires the new auth source into fab auth login (flag + interactive option) and exposes the selected auth source in fab auth status.

Changes:

  • Add azure_cli as an allowed identity type and implement Azure CLI token acquisition in FabAuth.
  • Add --azure-cli flag plus an “Azure CLI” interactive login option; include auth_source in auth status output.
  • Add azure-identity>=1.15.0 dependency and a new unit test module for Azure CLI auth.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tests/test_core/test_fab_auth_azure_cli.py Adds unit tests for the new Azure CLI auth flow, scopes, and error sanitization.
src/fabric_cli/parsers/fab_auth_parser.py Adds --azure-cli to fab auth login and updates examples.
src/fabric_cli/core/fab_constant.py Extends identity type allow-list to include azure_cli.
src/fabric_cli/core/fab_auth.py Implements set_azure_cli() and _acquire_token_from_azure_cli() and dispatches in acquire_token().
src/fabric_cli/commands/auth/fab_auth.py Wires Azure CLI auth into login flows and adds auth_source to status output.
pyproject.toml Adds the azure-identity runtime dependency required for AzureCliCredential.

Comment on lines +442 to +446
tenant_id = self.get_tenant_id()
try:
credential = AzureCliCredential(tenant_id=tenant_id) if tenant_id else AzureCliCredential()
# AzureCliCredential.get_token expects scopes as positional args
azure_token = credential.get_token(scope[0])
Comment on lines +436 to +440
raise FabricCLIError(
"Azure CLI auth requires the 'azure-identity' package. "
"Install it with: pip install azure-identity",
status_code=con.ERROR_AUTHENTICATION_FAILED,
)
Comment on lines +31 to +33
if getattr(args, "azure_cli", False):
FabAuth().set_access_mode("azure_cli", args.tenant)
FabAuth().set_azure_cli(args.tenant)
Comment on lines +27 to +36
@pytest.fixture
def auth_instance(temp_dir_fixture):
"""Get a fresh FabAuth instance."""
# Clear singleton for test isolation
FabAuth.__wrapped__ = None # type: ignore
from fabric_cli.core import fab_auth as fab_auth_module

if FabAuth in fab_auth_module.singleton.__wrapped__: # type: ignore
del fab_auth_module.singleton.__wrapped__[FabAuth] # type: ignore
return FabAuth()
Comment on lines +39 to +56
@pytest.fixture
def fresh_auth(temp_dir_fixture, monkeypatch):
"""Get a fresh FabAuth instance with singleton cleared."""
# Reset singleton instances dict
import fabric_cli.core.fab_auth as auth_module

# Access the closure variable of the singleton decorator
singleton_instances = auth_module.singleton.__code__.co_consts # noqa
# Simpler approach: just patch the module-level reference
monkeypatch.setattr(
"fabric_cli.core.fab_auth.FabAuth.__init__.__globals__",
{},
raising=False,
)
# Re-instantiate
auth = FabAuth.__new__(FabAuth)
auth.__init__()
return auth
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants