Connect-AzAccount - VSCode Remote-SSH - pwsh #24926

Open
coolhome opened this issue May 14, 2024 · 2 comments
Labels
Accounts Issues in Az.Accounts except authentication related Azure PS Team bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Tracking We will track status and follow internally

Comments

@coolhome
Contributor

coolhome commented May 14, 2024

Description

When using Connect-AzAccount the following is produced:

WARNING: Interactive authentication is not supported in this session, please run cmdlet 'Connect-AzAccount -UseDeviceAuthentication'.

My setup is the following:

  • Local Machine
    • OS: Windows 11
    • VSCode Remote-SSH
  • Remote Machine
    • OS: RHEL 9
    • VSCode Server via VSCode Remote-SSH

VSCode Remote-SSH will open xdg-open from the remote machine to my local machine browser

I was able to track down the issue to this function, which would return false in my case because there is no DISPLAY; this is an SSH connection.

if (!commonUtilities.IsDesktopSession() && IsPopUpInteractiveAuthenticationFlow())
{
    WriteWarning(Resources.InteractiveAuthNotSupported);
    return;
}

// Check only for Linux platform
// Linux: https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/src/shared/Microsoft.Git.CredentialManager/Interop/Posix/PosixSessionManager.cs
// MacOS: https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/src/shared/Microsoft.Git.CredentialManager/Interop/MacOS/MacOSSessionManager.cs
// Windows: https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/src/shared/Microsoft.Git.CredentialManager/Interop/Windows/WindowsSessionManager.cs
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
    return !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("DISPLAY"));
}
return true;

I think these common utilities checks could be removed and rely on Microsoft.Identity.Client throwing an exception if it's unable to open interactively.

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/f9253a67e69d4c34f30d26063006d6f788d71591/src/client/Microsoft.Identity.Client/Platforms/netcore/NetCorePlatformProxy.cs#L189-L228

A workaround is as simple as setting $env:DISPLAY = ":0.0" before running Connect-AzAccount. I just set this up in ~/.config/powershell/profile.ps1 so it is always loaded.

Issue script & Debug output

Connect-AzAccount                       
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 1:59:29 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
WARNING: Interactive authentication is not supported in this session, please run cmdlet 'Connect-AzAccount -UseDeviceAuthentication'.
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.19.0; CommandName: Connect-AzAccount; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0037181
DEBUG: 1:59:29 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:59:29 PM - ConnectAzureRmAccountCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Red Hat Enterprise Linux 9.2 (Plow)
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.19.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}

Error output

Technically no error was produced, just a warning and exits.
@coolhome
Contributor Author

While this change would unlock part of the problem for VSCode Remote-SSH, there is still an issue where the local forwarding port 8400 just hangs. I think it's because the VSCode Azure Account locally is running on port 8400, and VSCode Remote does not know what local ports are used. Azure CLI / python identity library has some code to make sure the port does not conflict.

I think this would need to be different based on context.

protected Uri GetReplyUrl(bool onPremise, Action<string> promptAction)
{
    var port = GetReplyUrlPort(onPremise, promptAction);
    return new Uri($"http://localhost:{port}");
}

@coolhome
Contributor Author

coolhome commented May 28, 2024

When it comes to conflicting local ports possibly from another Connect-AzAccount, then this is a related issue:
#23711

az login lets the system choose an available port which is probably less likely to collide.

--

When it comes to the request hanging, I think it's because MSAL is listening on port 8400 on TCP6 only.

tcp        0      0 127.0.0.1:39075         0.0.0.0:*               LISTEN      2212482/code-dc96b8 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1013/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp6       0      0 :::22                   :::*                    LISTEN      1013/sshd: /usr/sbi 
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 ::1:8400                :::*                    LISTEN      2212716/pwsh

To mitigate locally, setting this will force IPv4.

export DOTNET_SYSTEM_NET_DISABLEIPV6=true
pwsh

The localhost webserver is using hostname, which binds to IPv6 on my system. The solution is likely to support IPv6 forwarding in vscode remote-ssh - microsoft/vscode-remote-release#7029 or change the redirect URI to use 0.0.0.0 which is what az login is doing.

$server = [System.Net.HttpListener]::new()
$server.Prefixes.Add("http://localhost:8400/")
$server.Start()

# tcp6       0      0 ::1:8400                :::*                    LISTEN      2270420/pwsh

# Obviously this is expected to be IPv4
$server = [System.Net.HttpListener]::new()
$server.Prefixes.Add("http://*:8400/")
$server.Start()

# tcp        0      0 0.0.0.0:8400            0.0.0.0:*               LISTEN      2270420/pwsh

# Obviously this is expected to be IPv4
$server = [System.Net.HttpListener]::new()
$server.Prefixes.Add("http://127.0.0.1:8400/")
$server.Start()

# tcp        0      0 127.0.0.1:8400          0.0.0.0:*               LISTEN      2270420/pwsh


[System.Net.Dns]::GetHostByName("localhost")

HostName  Aliases AddressList
--------  ------- -----------
localhost {}      {::1, 127.0.0.1}


az login

# tcp        0      0 0.0.0.0:36957           0.0.0.0:*               LISTEN      2281151/python3.9   

# 
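
The two findings in this thread, that `localhost` can end up bound to `::1` only and that the fixed port 8400 can collide, can be checked before signing in. The following is an added example, not code from Az.Accounts, MSAL or the issue author; the function names `Test-LoopbackPort` and `Start-LoopbackListener` are hypothetical, it assumes Linux as in the report, and it binds to 127.0.0.1 rather than a wildcard prefix because the `*` prefix shown above listens on 0.0.0.0, which is every interface.

```powershell
# Added example: not Az.Accounts, MSAL or the issue author's code.
# Function names are hypothetical.

# Report what "localhost" resolves to and whether a port is free on each
# loopback address, so an IPv6-only bind such as ::1:8400 shows up early.
function Test-LoopbackPort {
    param([int]$Port = 8400)   # 8400: the port in the netstat output above

    $resolved = [System.Net.Dns]::GetHostAddresses('localhost') |
        ForEach-Object { $_.ToString() }
    foreach ($ip in [System.Net.IPAddress]::Loopback, [System.Net.IPAddress]::IPv6Loopback) {
        $probe = $null; $free = $false; $reason = $null
        try {
            $probe = [System.Net.Sockets.TcpListener]::new($ip, $Port)
            $probe.Start()
            $free = $true
        } catch {
            $reason = $_.Exception.Message   # port in use, or address family unavailable
        } finally {
            if ($probe) { $probe.Stop() }
        }
        [pscustomobject]@{
            Address             = $ip.ToString()
            LocalhostResolvesTo = $resolved -contains $ip.ToString()
            PortFree            = $free
            Reason              = $reason
        }
    }
}

# Ask the OS for a free port on 127.0.0.1, then listen on that address only.
# The probe socket is closed before HttpListener binds, so another process
# could take the port in between; callers should retry if Start() throws.
function Start-LoopbackListener {
    $probe = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
    $probe.Start()
    $port = $probe.LocalEndpoint.Port
    $probe.Stop()

    $server = [System.Net.HttpListener]::new()
    $server.Prefixes.Add("http://127.0.0.1:$port/")
    $server.Start()
    $server   # caller is responsible for .Stop() and .Close()
}

Test-LoopbackPort -Port 8400 | Format-Table -AutoSize
$listener = Start-LoopbackListener
$listener.Prefixes
$listener.Stop(); $listener.Close()
```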
