{Core} Decouple get_raw_token from SDK token protocol
#31063
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
️✔️AzureCLI-FullTest
|
|
Hi @jiasli, |
️✔️AzureCLI-BreakingChangeTest
|
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
bot
requested review from
yonzhan and
zhoxing-ms
microsoft-github-policy-service
bot
added
ARM
jiasli
requested review from
bebound,
calvinhzy,
evelyn-ys,
jsntcy,
kairu-ms and
necusjz
as code owners
Contributor
There was a problem hiding this comment.
Pull Request Overview
Decouples get_raw_token from the Python SDK’s token protocol by calling MSAL’s acquire_token directly and replacing the private timestamp helper with a public now_timestamp.
- Exposed and renamed
_now_timestamptonow_timestamp, updating all references (including tests). - Removed
CredentialAdaptoringet_raw_tokenand updated token‐building logic to use MSAL’sexpires_in. - Updated tests to mock the new
now_timestampfunction.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/azure-cli-core/azure/cli/core/auth/util.py | Renamed _now_timestamp to now_timestamp and updated its call sites. |
| src/azure-cli-core/azure/cli/core/auth/credential_adaptor.py | Updated import and usage of now_timestamp in AccessTokenInfo builder. |
| src/azure-cli-core/azure/cli/core/_profile.py | Switched get_raw_token to use cred.acquire_token and now_timestamp, removed CredentialAdaptor. |
| src/azure-cli-core/azure/cli/core/tests/test_profile.py | Renamed test helper _now_timestamp_mock to now_timestamp_mock and patched accordingly. |
|
|
||
|
|
||
| def _now_timestamp(): | ||
| def now_timestamp(): |
There was a problem hiding this comment.
Insert an additional blank line above this function so there are two blank lines between top-level definitions, per the style guide.
Member
Author
There was a problem hiding this comment.
There are already 2 blank lines.
jiasli
commented
Jun 19, 2025
| expires_on = now_timestamp() + msal_token[EXPIRES_IN] | ||
| expiresOn = datetime.datetime.fromtimestamp(expires_on).strftime("%Y-%m-%d %H:%M:%S.%f") | ||
|
|
||
| token_entry = { |
Member
Author
There was a problem hiding this comment.
token_entry is actually a remnant of ADAL, but replacing it with msal_token will be a breaking change.
msal_token contains:
{
"access_token": "...",
"token_type": "Bearer",
"expires_in": 4678,
"token_source": "cache"
}
evelyn-ys
approved these changes
Jun 23, 2025
bebound
approved these changes
Jun 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related command
az account get-access-tokenDescription
get_raw_tokenstarted to use Python SDK'sget_tokenprotocol since #19853. Because importingazure.core.credentials.AccessTokenis expensive, #19898 defined our ownAccessToken.After #31577 dropped
MSIAuthenticationWrapperwhich only supportsget_tokenprotocol, there is no need forget_raw_tokento useget_tokenprotocol.In this PR,
get_raw_tokendirectly callsacquire_tokenon MSAL credentials, instead ofget_tokenprotocol.Actually, the function name
acquire_tokenwas used during the ADAL age.For user credential, CLI calls ADAL's
acquire_token:azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Line 1115 in 5540253
For service credential, Azure CLI calls
azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Line 1144 in 5540253
which internally calls ADAL's
acquire_token_with_client_credentialsandacquire_token_with_client_certificate:azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Line 1248 in 5540253
azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Line 1249 in 5540253
MSAL provides:
azure-cli/src/azure-cli-core/azure/cli/core/auth/msal_credentials.py
Line 56 in 4177017
azure-cli/src/azure-cli-core/azure/cli/core/auth/msal_credentials.py
Line 110 in 4177017
azure-cli/src/azure-cli-core/azure/cli/core/auth/msal_credentials.py
Line 154 in 4177017
Bringing
acquire_tokenback is a Renaissance and a memory of the past.Testing Guide