Add APIs to programmatically change Tenant ID and Cloud #805

Open
fjakobs opened this issue May 10, 2023 · 21 comments
@fjakobs

fjakobs commented May 10, 2023

For the Databricks Extension for VSCode, we would like to have a programmatic way to change the Cloud and the Tenant ID.

We are currently resorting to these hacks:

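    import { commands, ConfigurationTarget, workspace, WorkspaceConfiguration } from "vscode";

    // Methods of the extension's auth class; this.tenantId, this.host and
    // this.getAzureCloud() are members of that class (not shown here).

    // Write the tenant into the Azure Account extension's workspace settings,
    // then trigger its login command. The command returns no success signal.
    private async setTenantId(): Promise<void> {
        const config: WorkspaceConfiguration =
            workspace.getConfiguration("azure");

        await config.update(
            "tenant",
            this.tenantId,
            ConfigurationTarget.Workspace
        );

        await commands.executeCommand("azure-account.login");
    }

    // Returns true if the configured cloud already matches; otherwise logs out,
    // switches the "azure.cloud" setting, logs in again and returns false.
    private async setCloud(): Promise<boolean> {
        const cloud = this.getAzureCloud(this.host);

        const config: WorkspaceConfiguration =
            workspace.getConfiguration("azure");
        if (config.get("cloud") !== cloud) {
            await commands.executeCommand("azure-account.logout", true);
            await config.update("cloud", cloud, ConfigurationTarget.Workspace);
            await commands.executeCommand("azure-account.login");
            return false;
        }
        return true;
    }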

This kind of works but it's ugly and we have no way to get any feedback if the command succeeded.

@fjakobs
Author

fjakobs commented May 10, 2023

CC @isidorn, @binderjoe

@isidorn

isidorn commented May 10, 2023

@fjakobs thanks for the ping.
Looks like a duplicate of microsoft/vscode#115626

fyi @TylerLeonhardt

@TylerLeonhardt
Member

The Databricks extension uses the Azure Account extension for Auth, so I can't help too much here. I'll defer to @bwateratmsft. That said, in the built-in Microsoft auth extension, you can do this with a special scope we introduced. It's something I wanna change in the future for something more supported, but anyway.

@bwateratmsft
Contributor

In the near future we plan to deprecate the Azure Account extension in favor of the built-in authentication provider. We intend to create an NPM package that will do essentially the same thing the Azure Account extension is doing, and we'll leave the Azure Account extension available as long as possible (but the ADAL shutdown deadline can't be pushed back forever...).

I'll include some control of tenant selection and cloud in that library's design.

@bwateratmsft bwateratmsft self-assigned this May 10, 2023
@fjakobs
Author

fjakobs commented May 16, 2023

@bwateratmsft Do you have a rough timeline for the library that uses the building authentication provider? I might just wait for that if it is not too far out.

@bwateratmsft
Contributor

I'm hoping to get it done in the next month or so.

@bwateratmsft
Contributor

Here's the PR, by the way: microsoft/vscode-azuretools#1461

@fjakobs
Author

fjakobs commented Jul 25, 2023

@bwateratmsft I see that the PR has been merged. Is it ready for me to try out? Also is there any kind of documentation or an example that I can look at?

@bwateratmsft
Contributor

The package is available on NPM, it contains documentation on the (relatively few) methods available. https://www.npmjs.com/package/@microsoft/vscode-azext-azureauth

There's a more complex example: microsoft/vscode-azureresourcegroups#707
I'll look around for a simple example or just make one...

@bwateratmsft
Contributor

It contains an API for changing the cloud but not tenant. We tried to make it so that when you signed in, all subscriptions across all tenants accessible to that account would be shown.

@bwateratmsft
Contributor

A very simple example:

    import { AzureSubscription, VSCodeAzureSubscriptionProvider } from '@microsoft/vscode-azext-azureauth';

    const subscriptionProvider = new VSCodeAzureSubscriptionProvider();

    if (!await subscriptionProvider.isSignedIn()) {
        await subscriptionProvider.signIn();
    }

    const subscriptions = await subscriptionProvider.getSubscriptions();

    for (const subscription of subscriptions) {
        // ...
    }

@fjakobs
Author

fjakobs commented Jul 25, 2023

Fantastic, thanks a lot.

@fjakobs
Author

fjakobs commented Jul 26, 2023

I got a bit further but now I'm stuck configuring an app ID. For Azure Databricks we need to get a token for the app ID 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d and I can't figure out how to do this with that library.

What I need is the equivalent of az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d.

I've tried

    const session = await subscription.authentication.getSession([appId]);

but then I was getting this error when using the Azure Databricks APIs:

'Error 400 io.jsonwebtoken.IncorrectClaimException: Expected aud claim to be: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d, but was: https://management.azure.com.'
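
The error quoted above is an audience mismatch: the token was issued for https://management.azure.com rather than for the Databricks app ID. As an added example (not part of the thread or of any project's code), the TypeScript below inspects a token's `aud` claim before it is sent so the mismatch is caught client-side; `checkAudience`, `decodeJwtPayload` and `makeSampleToken` are hypothetical helper names and the sample tokens are constructed.

```typescript
// Added example, not from the thread. Decodes a JWT payload WITHOUT verifying the
// signature: a client-side diagnostic only, never an authorization decision.
const DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"; // app ID quoted in the thread

interface AudienceCheck {
    ok: boolean;
    audiences: string[];
    reason?: string;
}

function decodeJwtPayload(token: string): Record<string, unknown> {
    const parts = token.split(".");
    if (parts.length !== 3) {
        throw new Error("not a compact JWT (expected 3 dot-separated segments)");
    }
    const json = Buffer.from(parts[1] ?? "", "base64url").toString("utf8");
    const payload: unknown = JSON.parse(json);
    if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
        throw new Error("JWT payload is not a JSON object");
    }
    return payload as Record<string, unknown>;
}

// RFC 7519 allows `aud` to be a single string or an array of strings.
function checkAudience(token: string, expected: string): AudienceCheck {
    let payload: Record<string, unknown>;
    try {
        payload = decodeJwtPayload(token);
    } catch (e) {
        return { ok: false, audiences: [], reason: e instanceof Error ? e.message : String(e) };
    }
    const aud = payload["aud"];
    const list: unknown[] = Array.isArray(aud) ? aud : [aud];
    const audiences = list.filter((a): a is string => typeof a === "string");
    if (audiences.includes(expected)) {
        return { ok: true, audiences };
    }
    const got = audiences.length > 0 ? audiences.join(", ") : "<no aud claim>";
    return { ok: false, audiences, reason: `expected aud ${expected}, but was ${got}` };
}

// Constructed sample token (dummy header and signature), for offline use only.
function makeSampleToken(claims: Record<string, unknown>): string {
    const enc = (o: unknown): string => Buffer.from(JSON.stringify(o)).toString("base64url");
    return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

Calling `checkAudience(session.accessToken, DATABRICKS_RESOURCE_ID)` on the session returned by `getSession` shows which resource the token was actually minted for before any API call is made.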

@bwateratmsft
Contributor

@TylerLeonhardt is it possible to get a token for a specific app using the auth provider?

@TylerLeonhardt
Member

TylerLeonhardt commented Jul 26, 2023

Yeah see this comment:

microsoft/vscode#115626 (comment)

Basically you wanna do VSCODE_CLIENT_ID:<GUID> as one of the scopes

@bwateratmsft
Contributor

@fjakobs can you try that?

    const session = await subscription.authentication.getSession(['VSCODE_CLIENT_ID:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d']);

@fjakobs
Author

fjakobs commented Jul 27, 2023

This doesn't work either. When I call getSession like that I still get a session that doesn't have the required scopes:

'https://management.azure.com/.default'
'VSCODE_TENANT:<XXX>'

@TylerLeonhardt searching for VSCODE_CLIENT_ID in node_modules doesn't give any results. I assume I'm not hitting that code path.

@bwateratmsft
Contributor

Since your auth case is somewhat specialized you may want to just directly use the Microsoft auth provider, https://code.visualstudio.com/api/references/vscode-api#authentication and https://github.com/microsoft/vscode/tree/main/extensions/microsoft-authentication have some more information on that.

@fjakobs
Author

fjakobs commented Jul 28, 2023

I think I'm stuck. Using the Microsoft auth directly with this code:

    const session = await authentication.getSession("microsoft", [`VSCODE_CLIENT_ID:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`], {forceNewSession: true});

I'm getting

[Screenshot 2023-07-28 at 15 30 43]

Since AzureDatabricks is an enterprise application I also have no way to change the redirect. Any ideas?

@bwateratmsft
Contributor

@TylerLeonhardt this is beyond my expertise, do you know how to configure things?

@fjakobs
Author

fjakobs commented Jul 28, 2023

I was able to get it to work with a bit of hacking with the azure-account extension but then I couldn't get China to work.

https://github.com/databricks/databricks-vscode/pull/538/files#diff-21b56f855403d4486bb9dae3c0bd1ce7e8c1d5d6470d05fa9145a530a462036aR287-R329

So in principle it should be possible.
