auth: authentication.getSession doesn't respect scopes argument #1596

Open
alexweininger opened this issue Sep 21, 2023 · 9 comments · Fixed by #1597

@alexweininger
Member

The implementation returns the same session regardless of what scopes are passed to getSession().

getSession: () => session // Rewrapped to make TS not confused about the weird initialization pattern

@alexweininger
Member Author

alexweininger commented Jul 17, 2024

This needs to be reopened because the fix #1597 had to be reverted since it caused many downstream issues. We need to reimplement a fix for this to unblock a couple of other extensions.

See #1745

@mikeburgh

I found a way to work around this if someone needs it while this is being worked on.

Looking at the fix, I found you can use the built-in getSession method and, along with the scopes you need, add in VSCODE_TENANT:{tenantId}.

For example:
vscode.authentication.getSession('microsoft', ['https://management.core.windows.net/.default', 'VSCODE_TENANT:xxx-xxx-yyy-yyy'])

The access token in the session you get back will then work with the associated API (Azure, etc) for the tenant you provided.

@scale-tone

The same issue surfaces when using AzureSubscription.credential.getToken(scopes) method. Code:

        const provider = new VSCodeAzureSubscriptionProvider();
        const subscription = await provider.getSubscriptions(true);

        // both calls return the same token, with "aud": "https://management.core.windows.net"
        const testStorageToken = (await subscription[0].credential.getToken(['https://storage.azure.com/user_impersonation']))?.token;
        const testArmToken = (await subscription[0].credential.getToken(['https://management.core.windows.net/user_impersonation']))?.token;
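
A quick way to confirm the behaviour reported in the comment above, as an added example that is not part of the original thread or of the project's code: decode the returned access token's `aud` claim and compare it with the resource of the scopes that were requested. The helper names (`decodeJwtPayload`, `checkAudience`, `fakeJwt`) and the sample tokens are constructed for illustration, and the check assumes URI-form audiences.

```javascript
// Added example (diagnostic only): decodes the JWT payload WITHOUT verifying
// the signature. Fine for inspecting a token you just acquired yourself;
// never a basis for trusting a token received from someone else.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

const normalize = (s) => s.replace(/\/+$/, '').toLowerCase();

// Compare the token's `aud` with the resource part of each requested scope,
// e.g. "https://storage.azure.com/user_impersonation" -> "https://storage.azure.com".
// Assumption: audiences are URIs (a GUID-form `aud` is reported as a mismatch).
function checkAudience(token, scopes) {
  const requested = scopes
    .filter((s) => !s.startsWith('VSCODE_TENANT:')) // pseudo-scope from the workaround above, not a resource
    .map((s) => normalize(s.replace(/\/[^/]*$/, '')));
  const aud = [].concat(decodeJwtPayload(token).aud ?? []).map(normalize);
  const missing = requested.filter((r) => !aud.includes(r));
  return { ok: requested.length > 0 && missing.length === 0, aud, missing };
}

// Constructed, unsigned sample tokens (not real credentials).
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
const armToken = fakeJwt({ aud: 'https://management.core.windows.net' });
const storageToken = fakeJwt({ aud: 'https://storage.azure.com/' });

const storageScope = ['https://storage.azure.com/user_impersonation'];
console.log(checkAudience(armToken, storageScope));     // mismatch: scopes were ignored
console.log(checkAudience(storageToken, storageScope)); // match
```

A non-empty `missing` list after calling `getSession` or `credential.getToken` with a non-ARM scope indicates the scopes argument was not honoured.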

@nturinski
Member

nturinski commented Sep 27, 2024

Try this

await subscription[0].createCredentialsForScopes(['https://storage.azure.com/user_impersonation'])

@scale-tone

@nturinski, I do not see such a method in AzureSubscription class. Where do I get that method from?

@nturinski
Member

Sorry, you're correct. It is not something that's implemented on the AzureSubscription. You can access the method from ISubscriptionContext.

If you install the @microsoft/vscode-azext-utils package, and then call createSubscriptionContext(subscription[0]), the result object should have the method createCredentialsForScopes.

@scale-tone

> the result object should have the method createCredentialsForScopes.

OK, tried that, and it is even worse. That credentials.getToken() method then returns null:

image

@nturinski
Member

How did you come across that scope? I tried the same thing and also am ending up with null. However, 'https://storage.azure.com/.default' seems to work fine for me. Would that scope suffice?

@scale-tone

> How did you come across that scope?

Oh, my memory really isn't that good, it emerged from some early days of DfMon.

Anyway, apparently @mikeburgh's workaround worked for me, so there's no need for further workarounds.
Thanks for your help, @nturinski!
