[authentication] | Enable broker based authentication on macOS. Set enable_broker_on_mac config to True

.github/actions/env-setup/action.yml

@@ -24,7 +24,7 @@ runs:
     - name: Install azdev
       shell: bash
       run: | 
-        python -m pip install --upgrade pip
+        python -m pip install --upgrade pip "setuptools>=78"
         set -ev
         python -m venv env
         chmod +x env/bin/activate

src/azure-cli-core/azure/cli/core/_profile.py

@@ -970,8 +970,10 @@ def _create_identity_instance(cli_ctx, authority, tenant_id=None, client_id=None
 
     # On Windows, use core.enable_broker_on_windows=false to disable broker (WAM) for authentication.
     enable_broker_on_windows = cli_ctx.config.getboolean('core', 'enable_broker_on_windows', fallback=True)
+    # On macOS, broker authentication is opt-in. Use core.enable_broker_on_mac=true to enable it.
+    enable_broker_on_mac = cli_ctx.config.getboolean('core', 'enable_broker_on_mac', fallback=False)
     from .telemetry import set_broker_info
-    set_broker_info(enable_broker_on_windows)
+    set_broker_info(enable_broker_on_windows, enable_broker_on_mac)
 
     # PREVIEW: In Azure Stack environment, use core.instance_discovery=false to disable MSAL's instance discovery.
     instance_discovery = cli_ctx.config.getboolean('core', 'instance_discovery', True)
@@ -980,4 +982,5 @@ def _create_identity_instance(cli_ctx, authority, tenant_id=None, client_id=None
                     encrypt=encrypt,
                     use_msal_http_cache=use_msal_http_cache,
                     enable_broker_on_windows=enable_broker_on_windows,
+                    enable_broker_on_mac=enable_broker_on_mac,
                     instance_discovery=instance_discovery)

src/azure-cli-core/azure/cli/core/auth/identity.py

@@ -58,7 +58,7 @@ class Identity:  # pylint: disable=too-many-instance-attributes
     _service_principal_store_instance = None
 
     def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use_msal_http_cache=True,
-                 enable_broker_on_windows=None, instance_discovery=None):
+                 enable_broker_on_windows=None, enable_broker_on_mac=None, instance_discovery=None):
         """
         :param authority: Authentication authority endpoint. For example,
             - AAD: https://login.microsoftonline.com
@@ -74,6 +74,7 @@ def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use
         self._encrypt = encrypt
         self._use_msal_http_cache = use_msal_http_cache
         self._enable_broker_on_windows = enable_broker_on_windows
+        self._enable_broker_on_mac = enable_broker_on_mac
         self._instance_discovery = instance_discovery
 
         # Build the authority in MSAL style
@@ -111,9 +112,10 @@ def _msal_app_kwargs(self):
     @property
     def _msal_public_app_kwargs(self):
         """kwargs for creating PublicClientApplication."""
-        # enable_broker_on_windows can only be used on PublicClientApplication.
+        # enable_broker_on_windows and enable_broker_on_mac can only be used on PublicClientApplication.
         return {**self._msal_app_kwargs,
                 "enable_broker_on_windows": self._enable_broker_on_windows,
+                "enable_broker_on_mac": self._enable_broker_on_mac,
                 "enable_pii_log": True}
 
     @property

src/azure-cli-core/azure/cli/core/telemetry.py

@@ -77,6 +77,7 @@ def __init__(self, correlation_id=None, application=None):
         self.user_agent = None
         # authentication-related
         self.enable_broker_on_windows = None
+        self.enable_broker_on_mac = None
         self.msal_telemetry = None
         self.login_experience_v2 = None
 
@@ -237,6 +238,7 @@ def _get_azure_cli_properties(self):
         set_custom_properties(result, 'SecretNames', ','.join(self.secret_names or []))
         # authentication-related
         set_custom_properties(result, 'EnableBrokerOnWindows', str(self.enable_broker_on_windows))
+        set_custom_properties(result, 'EnableBrokerOnMac', str(self.enable_broker_on_mac))
         set_custom_properties(result, 'MsalTelemetry', self.msal_telemetry)
         set_custom_properties(result, 'LoginExperienceV2', str(self.login_experience_v2))
 
@@ -483,9 +485,10 @@ def set_region_identified(region_input, region_identified):
 
 # region authentication-related
 @decorators.suppress_all_exceptions()
-def set_broker_info(enable_broker_on_windows):
-    # Log the value of `enable_broker_on_windows`
+def set_broker_info(enable_broker_on_windows, enable_broker_on_mac=None):
+    # Log the value of `enable_broker_on_windows` and `enable_broker_on_mac`
     _session.enable_broker_on_windows = enable_broker_on_windows
+    _session.enable_broker_on_mac = enable_broker_on_mac
 
 
 @decorators.suppress_all_exceptions()

src/azure-cli-core/azure/cli/core/tests/test_profile.py

@@ -11,7 +11,7 @@
 from copy import deepcopy
 from unittest import mock
 
-from azure.cli.core._profile import (Profile, SubscriptionFinder, _attach_token_tenant,
+from azure.cli.core._profile import (Profile, SubscriptionFinder, _attach_token_tenant, _create_identity_instance,
                                      _transform_subscription_for_multiapi,
                                      _TENANT_LEVEL_ACCOUNT_NAME)
 from azure.cli.core.auth.util import AccessToken
@@ -1396,6 +1396,28 @@ def test_logout_all(self, logout_all_users_mock, logout_all_service_principal_mo
         logout_all_users_mock.assert_called_once()
         logout_all_service_principal_mock.assert_called_once()
 
+    @mock.patch('azure.cli.core.auth.identity.Identity', autospec=True)
+    def test_create_identity_instance_broker_on_mac_default_opt_in(self, identity_mock):
+        # Verify that broker on macOS is opt-in: default is False unless user sets
+        # core.enable_broker_on_mac=true. See CLIPS#55.
+        cli = DummyCli()
+        _create_identity_instance(cli, authority='https://login.microsoftonline.com')
+        _, kwargs = identity_mock.call_args
+        self.assertEqual(kwargs['enable_broker_on_mac'], False)
+        # Windows broker remains opt-out (default True).
+        self.assertEqual(kwargs['enable_broker_on_windows'], True)
+
+    @mock.patch('azure.cli.core.auth.identity.Identity', autospec=True)
+    def test_create_identity_instance_broker_on_mac_opt_in_enabled(self, identity_mock):
+        cli = DummyCli()
+        cli.config.set_value('core', 'enable_broker_on_mac', 'true')
+        try:
+            _create_identity_instance(cli, authority='https://login.microsoftonline.com')
+        finally:
+            cli.config.remove_option('core', 'enable_broker_on_mac')
+        _, kwargs = identity_mock.call_args
+        self.assertEqual(kwargs['enable_broker_on_mac'], True)
+
     @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
     @mock.patch('azure.cli.core.auth.identity.Identity.get_user_credential', autospec=True)
     def test_refresh_accounts_one_user_account(self, get_user_credential_mock, create_subscription_client_mock):

src/azure-cli-core/setup.py

@@ -55,8 +55,8 @@
     'knack~=0.11.0',
     'microsoft-security-utilities-secret-masker~=1.0.0b4',
     'msal-extensions==1.3.1',
-    'msal[broker]==1.35.1; sys_platform == "win32"',
-    'msal==1.35.1; sys_platform != "win32"',
+    'msal[broker]==1.35.1; sys_platform == "win32" or sys_platform == "darwin"',
+    'msal==1.35.1; sys_platform != "win32" and sys_platform != "darwin"',
     'packaging>=20.9',
     'pkginfo>=1.5.0.1',
     # psutil can't install on cygwin: https://github.com/Azure/azure-cli/issues/9399

src/azure-cli/requirements.py3.MacOS.txt

@@ -0,0 +1,138 @@
+antlr4-python3-runtime==4.13.1
+applicationinsights==0.11.9
+argcomplete==3.5.2
+asn1crypto==0.24.0
+azure-appconfiguration==1.7.2
+azure-batch==15.0.0b1
+azure-cli-core==2.84.0
+azure-cli-telemetry==1.1.0
+azure-cli==2.84.0
+azure-common==1.1.22
+azure-core==1.38.0
+azure-cosmos==3.2.0
+azure-data-tables==12.4.0
+azure-datalake-store==1.0.1
+azure-keyvault-administration==4.4.0
+azure-keyvault-certificates==4.7.0
+azure-keyvault-keys==4.11.0
+azure-keyvault-secrets==4.7.0
+azure-keyvault-securitydomain==1.0.0b1
+azure-mgmt-advisor==9.0.0
+azure-mgmt-apimanagement==4.0.0
+azure-mgmt-appconfiguration==6.0.0b1
+azure-mgmt-appcontainers==2.0.0
+azure-mgmt-applicationinsights==1.0.0
+azure-mgmt-authorization==5.0.0b1
+azure-mgmt-batch==17.3.0
+azure-mgmt-batchai==7.0.0b1
+azure-mgmt-billing==6.0.0
+azure-mgmt-botservice==2.0.0b3
+azure-mgmt-cdn==12.0.0
+azure-mgmt-cognitiveservices==14.1.0
+azure-mgmt-compute==34.1.0
+azure-mgmt-containerinstance==10.2.0b1
+azure-mgmt-containerregistry==14.1.0b1
+azure-mgmt-containerservice==40.2.0
+azure-mgmt-core==1.6.0
+azure-mgmt-cosmosdb==9.9.0
+azure-mgmt-datalake-nspkg==3.0.1
+azure-mgmt-datalake-store==1.1.0b1
+azure-mgmt-datamigration==10.0.0
+azure-mgmt-eventgrid==10.2.0b2
+azure-mgmt-eventhub==12.0.0b1
+azure-mgmt-extendedlocation==1.0.0b2
+azure-mgmt-hdinsight==9.1.0b2
+azure-mgmt-imagebuilder==1.3.0
+azure-mgmt-iotcentral==10.0.0b1
+azure-mgmt-iothub==5.0.0b1
+azure-mgmt-iothubprovisioningservices==1.1.0
+azure-mgmt-keyvault==13.0.0
+azure-mgmt-loganalytics==13.0.0b4
+azure-mgmt-managementgroups==1.0.0
+azure-mgmt-maps==2.0.0
+azure-mgmt-marketplaceordering==1.1.0
+azure-mgmt-media==9.0.0
+azure-mgmt-monitor==7.0.0b1
+azure-mgmt-msi==7.1.0
+azure-mgmt-netapp==10.1.0
+azure-mgmt-policyinsights==1.1.0b4
+azure-mgmt-postgresqlflexibleservers==3.0.0b1
+azure-mgmt-privatedns==1.0.0
+azure-mgmt-rdbms==10.2.0b17
+azure-mgmt-mysqlflexibleservers==1.1.0b2
+azure-mgmt-recoveryservices==4.0.0
+azure-mgmt-recoveryservicesbackup==9.2.0
+azure-mgmt-redhatopenshift~=3.0.0
+azure-mgmt-redis==14.5.0
+azure-mgmt-resource==24.0.0
+azure-mgmt-resource-deployments==1.0.0b1
+azure-mgmt-resource-deploymentscripts==1.0.0b1
+azure-mgmt-resource-deploymentstacks==1.0.0
+azure-mgmt-resource-templatespecs==1.0.0b1
+azure-mgmt-search==9.0.0
+azure-mgmt-security==6.0.0
+azure-mgmt-servicebus==10.0.0b1
+azure-mgmt-servicefabric==2.1.0
+azure-mgmt-servicefabricmanagedclusters==2.1.0b1
+azure-mgmt-servicelinker==1.2.0b3
+azure-mgmt-sql==4.0.0b22
+azure-mgmt-signalr==2.0.0b2
+azure-mgmt-sqlvirtualmachine==1.0.0b5
+azure-mgmt-storage==24.0.0
+azure-mgmt-synapse==2.1.0b5
+azure-mgmt-trafficmanager==1.0.0
+azure-mgmt-web==9.0.0
+azure-monitor-query==1.2.0
+azure-nspkg==3.0.2
+azure-storage-common==1.4.2
+azure-storage-blob==12.28.0b1
+azure-storage-file-datalake==12.23.0b1
+azure-storage-file-share==12.24.0b1
+azure-storage-queue==12.15.0b1
+azure-synapse-accesscontrol==0.5.0
+azure-synapse-artifacts==0.21.0
+azure-synapse-managedprivateendpoints==0.4.0
+azure-synapse-spark==0.7.0
+bcrypt==3.2.0
+certifi==2024.7.4
+cffi==2.0.0
+chardet==5.2.0
+colorama==0.4.6
+cryptography==44.0.1
+fabric==3.2.2
+humanfriendly==10.0
+idna==3.7
+invoke==2.2.0
+isodate==0.6.1
+javaproperties==0.5.1
+jmespath==0.9.5
+jsondiff==2.0.0
+knack==0.11.0
+msal-extensions==1.2.0
+msal[broker]==1.35.0b1
+msrest==0.7.1
+oauthlib==3.2.2
+packaging==25.0
+paramiko==3.5.0
+pbr==7.0.3
+pkginfo==1.8.2
+portalocker==2.3.2
+psutil==6.1.0
+pycomposefile==0.0.34
+PyGithub==1.55
+PyJWT==2.10.1
+PyNaCl==1.6.2
+pyOpenSSL==25.0.0
+PySocks==1.7.1
+python-dateutil==2.8.0
+requests-oauthlib==1.2.0
+requests==2.32.4
+scp==0.13.2
+semver==3.0.4
+six==1.16.0
+sshtunnel==0.1.5
+tabulate==0.8.9
+urllib3==2.6.3
+wcwidth==0.1.7
+websocket-client==1.8.0
+xmltodict==0.12.0