Fix MSAL Entra token flow#22079
Open
aasimkhan30 wants to merge 2 commits into
Open
Conversation
aasimkhan30
requested review from
Benjin,
allancascante,
caohai,
kburtram,
laurenastrid1,
lewis-sanchez and
ssreerama
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adjusts the Microsoft Entra (Azure MFA) authentication flow for classic MSAL-backed connections so that the extension refreshes the MSAL account cache but avoids passing SQL access tokens to SQL Tools Service (STS), relying instead on SqlClient’s registered SqlAuthenticationProvider to obtain SQL tokens from the shared MSAL cache. It also removes the now-stale “refresh token” UX from the connection dialog.
Changes:
- Updates
ConnectionManager.refreshEntraTokenIfNeededto refresh the MSAL account cache and then clearazureAccountToken/expiresOnso SQL token acquisition is delegated to STS/SqlClient. - Removes the connection dialog action that attempted to refresh Entra tokens client-side (and the related error prompt flow).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
extensions/mssql/src/controllers/connectionManager.ts |
Reworks Entra token refresh logic to refresh MSAL account cache without sending SQL access tokens to STS; removes now-unneeded local SQL-token caching and refresh dedupe. |
extensions/mssql/src/connectionconfig/connectionDialogWebviewController.ts |
Removes the Entra token refresh action/button from the connection dialog UX. |
Comments suppressed due to low confidence (1)
extensions/mssql/src/connectionconfig/connectionDialogWebviewController.ts:1772
getAzureActionButtonsno longer adds the Entra token refresh action/button. There are existing unit tests that importrefreshTokenLabeland assert arefreshTokenaction/button is present and used in error prompts; those tests will now fail. Please update/remove the affected tests to reflect the new UX (token refresh handled via MSAL cache refresh + STS provider) so CI remains green.
private async getAzureActionButtons(): Promise<FormItemActionButton[]> {
const actionButtons: FormItemActionButton[] = [];
actionButtons.push({
label: Loc.signIn,
id: "azureSignIn",
callback: async () => {
Comment on lines
+1114
to
+1118
| await this.azureController.refreshAccessToken( | ||
| account, | ||
| this.accountStore, | ||
| connectionInfo.tenantId, | ||
| getCloudProviderSettings(account.key.providerId).settings.armResource, |
Comment on lines
123
to
127
| private _uriToConnectionCompleteParamsMap: Map< | ||
| string, | ||
| Deferred<ConnectionContracts.ConnectionCompleteParams> | ||
| >; | ||
| private _keyVaultTokenCache: Map<string, IToken> = new Map<string, IToken>(); |
PR Changes
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #22079 +/- ##
==========================================
- Coverage 74.83% 74.78% -0.06%
==========================================
Files 394 394
Lines 120472 120235 -237
Branches 7201 7163 -38
==========================================
- Hits 90159 89917 -242
- Misses 30313 30318 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
aasimkhan30
force-pushed
the
aasim/fix/msal
branch
from
390d76d to
95d18c2
Compare
aasimkhan30
force-pushed
the
aasim/fix/msal
branch
from
95d18c2 to
dd6459d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Updates classic MSAL-backed Azure MFA connections to refresh the account cache without passing SQL access tokens to STS, allowing SqlClient's registered authentication provider to acquire SQL tokens from the MSAL cache. Removes the stale connection dialog token refresh action.
The first incorrect MSAL-provider token-setting path appears to have been introduced in OE (Improvements in access token flows (#17670)) on May 3, 2023: when OE decided the account/cache needed refresh, it called
refreshAccount(...), which still assignedazureAccountToken/expiresOneven though SQL Auth Provider was enabled. I later copied that OE-style logic when centralizing connection preparation before connect in5e1d743b(Refactoring connection management (#18684)) on February 25, 2025, which made the behavior broader for Azure MFA connections.Potential Issues:
#22078
#22046
Code Changes Checklist
npm run test)Reviewers: Please read our reviewer guidelines