Fix Error 18456 with Entra ID auth when re-authenticating with stale tokens (#18456)#22063

Open
ahernandez-developer wants to merge 2 commits into
microsoft:mainfrom
ahernandez-developer:ahernandez/fix/22031
Conversation

@ahernandez-developer ahernandez-developer commented May 6, 2026

Summary
Fix Error 18456 with Entra ID auth when re-authenticating with stale tokens
detect AADSTS50078 (wrong audience) and re-authenticate with correct scopes
compute resource-specific scopes for SQL endpoints instead of reusing ARM-only tokens
fix token expiry derivation from tokenResult.expiresOn instead of idTokenClaims
guard null access on refreshed account in MsalAzureController

Fixes #22031

Reproduction
The issue triggers when a stale refresh token forces re-authentication:

  1. Connect to a SQL database using Entra ID - Universal with MFA
  2. Extension attempts silent token refresh, fails with AADSTS50173 (stale grant)
  3. reauthenticate() fires but uses ARM-scoped tokens instead of SQL-scoped tokens
  4. SQL endpoint rejects the ARM-audience token with Error 18456
  5. AADSTS50078 (wrong audience) not recognized, so no corrective re-auth happens
    Confirmed on both multi-tenant (account in Tenant A, DB in Tenant B) and single-tenant setups
mssql Error 18456 Login failed for user 'token-

Validation

  • Built and tested with the local extension in multi-tenant and single-tenant environments:
    Connection succeeds — no Error 18456 on first connect or reconnect
  • Tested without the extension (stock 1.42.1): Error 18456 reproduced consistently
  • npm run build:extension
  • npx eslint --quiet extensions/mssql/src/azure/constants.ts extensions/mssql/src/azure/msal/msalAzureAuth.ts extensions/mssql/src/azure/msal/msalAzureCodeGrant.ts
    extensions/mssql/src/azure/msal/msalAzureDeviceCode.ts extensions/mssql/src/azure/msal/msalAzureController.ts extensions/mssql/src/controllers/connectionManager.ts

Before fix: Error 18456 on connect.

After (fix):
Authority URL set to: https://login.microsoftonline.com/organizations
Failed to acquireTokenSilent InteractionRequiredAuthError: AADSTS50173 (stale grant)
→ Interactive auth triggered with resource-specific scopes
Authority URL set to: https://login.microsoftonline.com/
Failed to acquireTokenSilent InteractionRequiredAuthError: AADSTS50173 (wrong tenant token)
→ Interactive auth with correct tenant authority
→ Connection established successfully
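As an added example (not code from this PR or from the mssql extension), the following TypeScript models the three behaviours the description above lists: choosing resource-specific scopes for a SQL endpoint instead of reusing an ARM token, treating AADSTS50173 and AADSTS50078 as signals to re-authenticate interactively with those same scopes, and deriving expiry from `expiresOn` rather than `idTokenClaims`. The names `scopesForEndpoint`, `TokenSource`, `makeFakeSource`, the scope strings and the host suffix check are assumptions made for illustration, and the token source is a constructed in-memory fake, not MSAL.

```typescript
// Added example: a minimal model of the re-authentication path described in the PR.
// Everything here (names, scope strings, the fake token source) is an assumption.

type Account = { tenantId: string; username: string };

interface TokenResult {
  accessToken: string;
  scopes: string[];                 // scopes the token was actually issued for
  expiresOn: Date | null;           // access-token expiry as MSAL reports it
  account: Account | null;          // may be null after a failed refresh
  idTokenClaims?: { exp?: number }; // id-token expiry: not the access token's
}

// Assumed resource scopes. An ARM-audience token is only valid at management endpoints.
export const ARM_SCOPE = "https://management.azure.com/.default";
export const SQL_SCOPE = "https://database.windows.net/.default";

// Pick scopes for the resource the token will be presented to (host suffix is an assumption).
export function scopesForEndpoint(host: string): string[] {
  const h = host.trim().toLowerCase();
  if (h.endsWith(".database.windows.net")) return [SQL_SCOPE];
  return [ARM_SCOPE];
}

// Extract the AADSTS code from an MSAL-style error message, if one is present.
export function aadstsCode(err: unknown): string | undefined {
  const msg = err instanceof Error ? err.message : String(err);
  return /AADSTS\d{5}/.exec(msg)?.[0];
}

// The two codes the PR treats as "re-authenticate interactively" signals.
export function needsInteractiveReauth(err: unknown): boolean {
  const code = aadstsCode(err);
  return code === "AADSTS50173" || code === "AADSTS50078";
}

// Expiry comes from expiresOn; idTokenClaims.exp is only a fallback when it is absent.
export function expiresAtSeconds(t: TokenResult): number | undefined {
  if (t.expiresOn) return Math.floor(t.expiresOn.getTime() / 1000);
  return t.idTokenClaims?.exp;
}

export interface TokenSource {
  acquireSilent(scopes: string[]): TokenResult; // may throw an AADSTS error
  acquireInteractive(scopes: string[]): TokenResult;
}

// Silent first; on a stale grant or wrong audience, go interactive with the SAME scopes.
function tryAcquire(src: TokenSource, scopes: string[]): TokenResult {
  try {
    return src.acquireSilent(scopes);
  } catch (err) {
    if (!needsInteractiveReauth(err)) throw err;
    return src.acquireInteractive(scopes);
  }
}

// Acquire a token for `host`, guarding against a refreshed result with no account.
export function acquireForEndpoint(src: TokenSource, host: string): TokenResult {
  const result = tryAcquire(src, scopesForEndpoint(host));
  if (result.account === null) {
    throw new Error("refreshed token has no account; cannot continue");
  }
  return result;
}

// Stand-in for the SQL endpoint's audience check: a token minted for ARM is rejected,
// which is the Error 18456 the issue reports.
export function sqlEndpointAccepts(t: TokenResult): boolean {
  return t.scopes.includes(SQL_SCOPE);
}

// Constructed fake: the first silent call fails with a stale grant (AADSTS50173),
// and an interactive call returns a token minted for exactly the scopes requested.
export function makeFakeSource(): TokenSource & { interactiveScopes: string[][] } {
  let silentCalls = 0;
  const log: string[][] = [];
  return {
    interactiveScopes: log,
    acquireSilent(scopes) {
      silentCalls++;
      if (silentCalls === 1) {
        throw new Error("InteractionRequiredAuthError: AADSTS50173: fresh token needed");
      }
      return mint(scopes);
    },
    acquireInteractive(scopes) {
      log.push(scopes);
      return mint(scopes);
    },
  };
}

// Constructed token result; idTokenClaims.exp deliberately differs from expiresOn.
export function mint(scopes: string[]): TokenResult {
  return {
    accessToken: "constructed-token-for:" + scopes.join(" "),
    scopes,
    expiresOn: new Date("2026-05-06T16:00:00Z"),
    account: { tenantId: "constructed-tenant-id", username: "account@tenantB.com" },
    idTokenClaims: { exp: 1700000000 },
  };
}
```

Running `acquireForEndpoint(makeFakeSource(), "myserver.database.windows.net")` exercises the path from the reproduction steps: the silent refresh fails with AADSTS50173, the interactive re-auth is requested with the SQL scope rather than the ARM scope, and the returned token passes `sqlEndpointAccepts`; a token minted with `ARM_SCOPE` does not.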

@ahernandez-developer (Author):

@microsoft-github-policy-service agree

@ahernandez-developer ahernandez-developer marked this pull request as draft May 6, 2026 15:06
@ahernandez-developer ahernandez-developer marked this pull request as ready for review May 6, 2026 15:06
@ahernandez-developer ahernandez-developer changed the title Error 18456 with Entra ID auth in multi-tenant scenarios (#18456) Fix error 18456 with Entra ID auth in multi-tenant scenarios (#18456) May 6, 2026

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@aasimkhan30 aasimkhan30 requested a review from Copilot May 6, 2026 15:31
@ahernandez-developer ahernandez-developer changed the title Fix error 18456 with Entra ID auth in multi-tenant scenarios (#18456) Fix Error 18456 with Entra ID auth when re-authenticating with stale tokens (#18456) May 6, 2026

codecov-commenter commented May 6, 2026

Codecov Report

❌ Patch coverage is 20.00000% with 48 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.62%. Comparing base (b4542ac) to head (47b1cac).

Files with missing lines                               Patch %   Lines
extensions/mssql/src/azure/msal/msalAzureAuth.ts       14.81%    23 Missing ⚠️
...nsions/mssql/src/azure/msal/msalAzureController.ts   0.00%    11 Missing ⚠️
...ensions/mssql/src/azure/msal/msalAzureCodeGrant.ts  12.50%     7 Missing ⚠️
...nsions/mssql/src/azure/msal/msalAzureDeviceCode.ts  14.28%     6 Missing ⚠️
...ensions/mssql/src/controllers/connectionManager.ts   0.00%     1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (20.00%) is below the target coverage (70.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #22063      +/-   ##
==========================================
- Coverage   74.95%   74.62%   -0.33%     
==========================================
  Files         393      344      -49     
  Lines      119869   106319   -13550     
  Branches     7161     6610     -551     
==========================================
- Hits        89847    79343   -10504     
+ Misses      30022    26976    -3046     
Flag Coverage Δ
data-workspace ?
mssql 74.62% <20.00%> (-0.03%) ⬇️
sqlproj ?

Flags with carried forward coverage won't be shown.

Files with missing lines                               Coverage   Δ
extensions/mssql/src/azure/constants.ts                100.00%    <100.00%> (ø)
...ensions/mssql/src/controllers/connectionManager.ts   62.36%    <0.00%>   (-0.03%) ⬇️
...nsions/mssql/src/azure/msal/msalAzureDeviceCode.ts   39.17%    <14.28%>  (-2.13%) ⬇️
...ensions/mssql/src/azure/msal/msalAzureCodeGrant.ts   25.28%    <12.50%>  (-0.49%) ⬇️
...nsions/mssql/src/azure/msal/msalAzureController.ts   53.51%    <0.00%>   (-0.62%) ⬇️
extensions/mssql/src/azure/msal/msalAzureAuth.ts        45.68%    <14.81%>  (-0.91%) ⬇️

... and 49 files with indirect coverage changes

@ahernandez-developer (Author):

I see two CI items, but I'm not sure if they're related; this is my first contribution to this repo, and they seem unrelated to the code changes:

  • I see a validation failure in the workflow: the bot from a fork can't write comments on the upstream repo (403). All build, lint, unit test, and smoke test steps passed.
  • Also, the Codecov patch coverage says the modified auth files (msalAzureAuth, msalAzureCodeGrant, msalAzureDeviceCode) have no existing unit tests in this repo. The connectionManager.ts change gets incidental coverage
    from existing tests. No regression from baseline.

Should I add tests?


Benjin commented May 11, 2026

@ahernandez-developer no need to add tests to those, but I'd appreciate your help in reproducing the issue so that I can confirm your fix.

  • What's your Azure SQL DB auth setup? Database in Tenant A, account in Tenant B... anything special about how you've given access to the database to the account?
  • What values do you have set for these config keys?
    • mssql.enableExperimentalFeatures
    • mssql.preview.useVscodeAccountsForEntraMFA
    • mssql.enableSqlAuthenticationProvider

and, of course, the big one:

  • what do I need to do to encounter this error?
    • when selecting the account in the connection dialog, should I choose the account's home tenant (Tenant B) or the database's tenant (Tenant A)
    • should I encounter this error with the initial connection, or only after the initial token expires and it attempts a refresh?
    • any other pertinent details?

Thanks again for your contribution, @ahernandez-developer!

Additional details:

Currently (on 1.42.2), I'm able to connect to a database in Tenant A with an account in Tenant B, with Tenant A selected as the tenant to acquire a token for, via:

[image]

To give the account access, I ran:

-- when connected to the server in tenant A
CREATE USER [account@tenantB.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [account@tenantB.com];

Development

Successfully merging this pull request may close these issues.

[Bug]: mssql: Error 18456: Login failed for user '<token-identified principal>'. Incorrect or invalid token.

4 participants