[Core] Replace allow_broker with enable_broker_on_windows

[jiasli]

Related command
az login

Description
This PR adopts the MSAL change AzureAD/microsoft-authentication-library-for-python#613 where MSAL will deprecate allow_broker and use enable_broker_on_windows.

Testing Guide

az config set core.enable_broker_on_windows=true
az login
az config unset core.enable_broker_on_windows
az login

[azure-client-tools-bot-prd]

️✔️AzureCLI-FullTest

️✔️acr

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️acs

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️advisor

️✔️latest

️✔️3.11

️✔️3.9

️✔️ams

️✔️latest

️✔️3.11

️✔️3.9

️✔️apim

️✔️latest

️✔️3.11

️✔️3.9

️✔️appconfig

️✔️latest

️✔️3.11

️✔️3.9

️✔️appservice

️✔️latest

️✔️3.11

️✔️3.9

️✔️aro

️✔️latest

️✔️3.11

️✔️3.9

️✔️backup

️✔️latest

️✔️3.11

️✔️3.9

️✔️batch

️✔️latest

️✔️3.11

️✔️3.9

️✔️batchai

️✔️latest

️✔️3.11

️✔️3.9

️✔️billing

️✔️latest

️✔️3.11

️✔️3.9

️✔️botservice

️✔️latest

️✔️3.11

️✔️3.9

️✔️cdn

️✔️latest

️✔️3.11

️✔️3.9

️✔️cloud

️✔️latest

️✔️3.11

️✔️3.9

️✔️cognitiveservices

️✔️latest

️✔️3.11

️✔️3.9

️✔️config

️✔️latest

️✔️3.11

️✔️3.9

️✔️configure

️✔️latest

️✔️3.11

️✔️3.9

️✔️consumption

️✔️latest

️✔️3.11

️✔️3.9

️✔️container

️✔️latest

️✔️3.11

️✔️3.9

️✔️containerapp

️✔️latest

️✔️3.11

️✔️3.9

️✔️core

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️cosmosdb

️✔️latest

️✔️3.11

️✔️3.9

️✔️databoxedge

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️dla

️✔️latest

️✔️3.11

️✔️3.9

️✔️dls

️✔️latest

️✔️3.11

️✔️3.9

️✔️dms

️✔️latest

️✔️3.11

️✔️3.9

️✔️eventgrid

️✔️latest

️✔️3.11

️✔️3.9

️✔️eventhubs

️✔️latest

️✔️3.11

️✔️3.9

️✔️feedback

️✔️latest

️✔️3.11

️✔️3.9

️✔️find

️✔️latest

️✔️3.11

️✔️3.9

️✔️hdinsight

️✔️latest

️✔️3.11

️✔️3.9

️✔️identity

️✔️latest

️✔️3.11

️✔️3.9

️✔️iot

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️keyvault

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️kusto

️✔️latest

️✔️3.11

️✔️3.9

️✔️lab

️✔️latest

️✔️3.11

️✔️3.9

️✔️managedservices

️✔️latest

️✔️3.11

️✔️3.9

️✔️maps

️✔️latest

️✔️3.11

️✔️3.9

️✔️marketplaceordering

️✔️latest

️✔️3.11

️✔️3.9

️✔️monitor

️✔️latest

️✔️3.11

️✔️3.9

️✔️mysql

️✔️latest

️✔️3.11

️✔️3.9

️✔️netappfiles

️✔️latest

️✔️3.11

️✔️3.9

️✔️network

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️policyinsights

️✔️latest

️✔️3.11

️✔️3.9

️✔️privatedns

️✔️latest

️✔️3.11

️✔️3.9

️✔️profile

️✔️latest

️✔️3.11

️✔️3.9

️✔️rdbms

️✔️latest

️✔️3.11

️✔️3.9

️✔️redis

️✔️latest

️✔️3.11

️✔️3.9

️✔️relay

️✔️latest

️✔️3.11

️✔️3.9

️✔️resource

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️role

️✔️latest

️✔️3.11

️✔️3.9

️✔️search

️✔️latest

️✔️3.11

️✔️3.9

️✔️security

️✔️latest

️✔️3.11

️✔️3.9

️✔️servicebus

️✔️latest

️✔️3.11

️✔️3.9

️✔️serviceconnector

️✔️latest

️✔️3.11

️✔️3.9

️✔️servicefabric

️✔️latest

️✔️3.11

️✔️3.9

️✔️signalr

️✔️latest

️✔️3.11

️✔️3.9

️✔️sql

️✔️latest

️✔️3.11

️✔️3.9

️✔️sqlvm

️✔️latest

️✔️3.11

️✔️3.9

️✔️storage

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️synapse

️✔️latest

️✔️3.11

️✔️3.9

️✔️telemetry

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

️✔️util

️✔️latest

️✔️3.11

️✔️3.9

️✔️vm

️✔️2018-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2019-03-01-hybrid

️✔️3.11

️✔️3.9

️✔️2020-09-01-hybrid

️✔️3.11

️✔️3.9

️✔️latest

️✔️3.11

️✔️3.9

[azure-client-tools-bot-prd]

Hi @jiasli,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

[azure-client-tools-bot-prd]

️✔️AzureCLI-BreakingChangeTest

️✔️Non Breaking Changes

[yonzhan]

Core

[jiasli]

After some further consideration, I am now not inclined to expose a unified enable_broker on the CLI side. Instead, CLI should expose the same config options as MSAL does - separate enable_broker_on_windows, enable_broker_on_mac config options for different platforms.

Reasons

1. Some users may share the same ~/.azure/config file across platforms, possibly by:

   • mounting the ~/.azure folder to a docker container
   • copy-and-pasting the ~/.azure folder, the ~/.azure/config file or the content of ~/.azure/config to another computer

   In the future, this usage may become more common if we implement config roaming ([Collect feedback - important] Settings in cloud for Azure CLI #25675). With only one enable_broker, there will be no way to have different broker configurations for different platforms. For example, if I turn on broker on Windows and copy the config file to macOS, CLI on macOS will also have broker enabled, but that may not be what I intend.

2. With only one enable_broker, we may face an issue similar to what was described in allow_broker becomes conditional per platform AzureAD/microsoft-authentication-library-for-python#510 (comment). A user would likely run into an unintended behavior change when we support broker on a new platform in the future. For example:

   • D-day: CLI does not yet support broker on macOS, but a user somehow uses enable_broker=True on macOS. As CLI and its first-party app don't support broker on macOS yet, CLI tells MSAL to fallback to browser by passing enable_broker_on_mac=False. CLI would work today on macOS.
   • D+1 day: CLI and its first-party app starts to support broker on macOS (but broker is not turned on by default yet).
   • D+2 day: The user makes no other change, but upgrades to the latest CLI. az login will start to trigger broker code path unexpectedly.

   This issue can be avoided on D-day by raising an error when setting enable_broker on macOS before CLI supports broker, but the user experience is not good, especially if the config is copied from somewhere else.

[rayluo]

not inclined to expose a unified enable_broker on the CLI side. Instead, CLI should expose the same config options as MSAL does - separate enable_broker_on_windows, enable_broker_on_mac config options for different platforms.

Reasons

1. Some users may share the same ~/.azure/config file across platforms
   ...

2. With only one enable_broker, we may face an issue similar to what was described ...
   D-day ... D+1 day ... D+2 day ...

I may agree with the choice, but not for the reasons that you brought up.

MSAL and Azure CLI face different challenges. MSAL as a library can never know whether the calling app meets the prerequisite (i.e., registering the specific redirect URI) of a given platform, so, MSAL has to provide a per-platform opt-in flag, to avoid that "D-day, D+1 day, D+2 day" situation. (BTW, can you share me a link of where I mentioned a similar example before? I want to double check it.)

Azure CLI as an app could go with only one enable_broker parameter, by hardcoding the "enable_broker"-to-"enable_broker_on_windows" mapping today, and harcoding the "enable_broker"-to-both-"...on_windows" and "...on_mac" logic at a later time. That way, a roamed configuration would not cause an older version of Azure CLI to accidentally enable broker on Mac. So, roaming is not a concern.

In particular,

For example, if I turn on broker on Windows and copy the config file to macOS, CLI on macOS will also have broker enabled, but that may not be what I intend.
...
upgrades to the latest CLI. az login will start to trigger broker code path unexpectedly.

I do not think a user with enable_broker=True config on Windows would dislike seeing a broker experience on Mac, as long as it works smoothly.

---

The reason that a new enable_broker_on_mac could be a good idea, is because previously in the era of "there was only one broker and it is on Windows", Azure CLI did not have to expose an "enable_broker" parameter at all, but still wisely chose to provide such a fine-grained option during the beta testing period. So, perhaps a dedicate "enable_broker_on_mac" this time would also give us flexibility to toggle it on-and-off during its beta test.

[jiasli]

MSAL as a library can never know whether the calling app meets the prerequisite (i.e., registering the specific redirect URI) of a given platform

This is true and this "D-day, D+1 day, D+2 day" situation is more severe on MSAL, as it raises an error, but on CLI side, even though there is no error, it is still a behavior change.

BTW, can you share me a link of where I mentioned a similar example before? I want to double check it.

The link is right in AzureAD/microsoft-authentication-library-for-python#510 (comment): https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/6882?_a=files

That way, a roamed configuration would not cause an older version of Azure CLI to accidentally enable broker on Mac. So, roaming is not a concern.

I am actually not concerned about roaming across different CLI versions but roaming across different platforms for the same CLI version.

I do not think a user with enable_broker=True config on Windows would dislike seeing a broker experience on Mac, as long as it works smoothly.

How about multiple users on different platforms? Consider your colleagues have enable_broker=True config on Windows and you copied their config to your macOS. You may not want to use broker right now.

So, perhaps a dedicate "enable_broker_on_mac" this time would also give us flexibility to toggle it on-and-off during its beta test.

This is my opinion as well. More flexibility usually means more versatility and customizability (but sometimes also more complexity).

[jiasli]

Telemetry-wise, another disadvantage of a combined enable_broker is that we have to correlate enable_broker with platform information to understand broker's usage. On the other hand, enable_broker_on_windows and enable_broker_on_mac allow us to get fine-grained information more easily and directly.

In my opinion, the complexity introduced for a combined enable_broker outweighs the benefit of it.

[jiasli]

The reason that a new enable_broker_on_mac could be a good idea, is because previously in the era of "there was only one broker and it is on Windows", Azure CLI did not have to expose an "enable_broker" parameter at all, but still wisely chose to provide such a fine-grained option during the beta testing period. So, perhaps a dedicate "enable_broker_on_mac" this time would also give us flexibility to toggle it on-and-off during its beta test.

On Windows, after we make WAM the default login method, allow_broker/enable_broker_on_windows will only be a switch to opt out. Most users won't use it at all. We definitely don't want to add additional complexity for this rarely used feature.

Also, after we kick off beta testing for broker support on mac, enable_broker_on_mac will provide us a dedicated switch, besides the enable_broker_on_windows switch or shared allow_broker.

[jiasli]

When we start the Mac broker beta test, do we allow toggle whether broker on Mac is enabled, independent of whether the broker-on-Windows (i.e., WAM) is enabled or not? If so, we will need dedicated flags for Win and Mac, at least for now.

This means a user will indeed be exposed to the details of configuring broker behavior differently per platform, regardless of how we name it. Specifically, the difference is really just:

1. setting enable_broker_on_windows=true & enable_broker_on_mac=false (vice versa) in one same configuration file which can be reused on different platforms.
2. setting allow_broker=true or false differently per platform. The user would need to maintain 2 configuration files and deploy the right one to the right platform.

Given that the per-platform discrepancy is already there (for better or worse), we think style 1 is more user friendly.

[jiasli]

Initially I forgot to rename self.allow_broker to self.enable_broker_on_windows. This results in the below error in debug log:

cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "d:\cli\azure-cli\src\azure-cli\azure\cli\__main__.py", line 62, in <module>
    raise ex
  File "d:\cli\azure-cli\src\azure-cli\azure\cli\__main__.py", line 55, in <module>
    sys.exit(exit_code)
SystemExit: 0

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\decorators.py", line 79, in _wrapped_func
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\telemetry.py", line 110, in generate_payload
    cli = self._get_azure_cli_properties()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "d:\cli\azure-cli\src\azure-cli-core\azure\cli\core\telemetry.py", line 224, in _get_azure_cli_properties
    set_custom_properties(result, 'AllowBroker', str(self.allow_broker))
                                                     ^^^^^^^^^^^^^^^^^
AttributeError: 'TelemetrySession' object has no attribute 'allow_broker'

telemetry.main: Split cli events and extra events failure: the JSON object must be str, bytes or bytearray, not NoneType

However, the CI doesn't find this. @evelyn-ys

[evelyn-ys]

good catch. We should add telemetry check in CI too

[bebound]

Should we add this to changelog? As we have mentioned core.allow_broker in doc: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-web-account-manager
Just to confirm, will we also update the related doc?

[jiasli]

Should we add this to changelog? As we have mentioned core.allow_broker in doc: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-web-account-manager Just to confirm, will we also update the related doc?

Nice catch and thanks for the reminder. As allow_broker's default value will be changed to True in #28085, users won't need to explicitly set it anymore. The new switch enable_broker_on_windows will only be used to disable WAM. This is mentioned in the changelog in #28085.

I initially aimed to merge this PR in 2023-12, but it was delayed to 2024-02. Even though it can be combined into
#28085, I still want to keep a clear boundary.

I will submit another PR to update https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-web-account-manager.