Fix LogInDetails() to check for external auth before falling through to local auth config (#8004)

* Initial plan

* Fix LogInDetails() to handle external auth (UseExternalAuth) correctly

Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/84c64f74-2291-4d35-9140-34e98182b0d3

Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com>

* Apply review feedback: use ClaimsForCurrentUser and validate non-empty account name

Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/ea7b51fa-0517-4597-a29d-e9e2cd889eea

Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com>

* Address wbreza review: doc comment + TODO for hardcoded EmailLoginType

Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/0aeda872-c855-445c-bc4b-50f929838abe

Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com>

* Use valid JWT in Test_CLI_Auth_ExternalAuth so claims parsing succeeds

Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/02de36fe-29ca-4aad-a437-23e98a408678

Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bwateratmsft <36966225+bwateratmsft@users.noreply.github.com>

Author: Copilot

cli/azd/pkg/auth/manager.go

@@ -1399,8 +1399,30 @@ type LogInDetails struct {
 // LogInDetails contains information about the currently logged in user.
 // It provides details about the type of login (email-based or client ID-based)
 // and the account identifier. When legacy authentication is used, it will
-// return the account name from the az CLI.
+// return the account name from the az CLI. When external authentication is
+// configured, it will acquire a token from the external auth endpoint (an
+// outbound HTTP call) and derive the account identifier from the token claims.
 func (m *Manager) LogInDetails(ctx context.Context) (*LogInDetails, error) {
+	if m.UseExternalAuth() {
+		claims, err := m.ClaimsForCurrentUser(ctx, nil)
+		if err != nil {
+			return nil, fmt.Errorf("fetching claims for external auth: %w", err)
+		}
+
+		accountName := strings.TrimSpace(claims.DisplayUsername())
+		if accountName == "" {
+			return nil, fmt.Errorf("external auth token did not contain a usable account identifier: %w", ErrNoCurrentUser)
+		}
+
+		// TODO: External auth could theoretically serve service principal tokens, but we always
+		// report EmailLoginType here. CurrentPrincipalType() maps this to UserType, which matches
+		// the existing assumption that external auth represents a user identity.
+		return &LogInDetails{
+			LoginType: EmailLoginType,
+			Account:   accountName,
+		}, nil
+	}
+
 	userConfig, err := m.userConfigManager.Load()
 	if err != nil {
 		return nil, fmt.Errorf("reading user config: %w", err)

cli/azd/pkg/auth/manager_test.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/http/httptest"
 	"os"
 	"strings"
 	"testing"
@@ -381,6 +382,63 @@ func TestLogInDetails(t *testing.T) {
 		require.Error(t, err)
 		require.ErrorIs(t, err, ErrNoCurrentUser)
 	})
+
+	t.Run("external auth - returns email login type with upn from token", func(t *testing.T) {
+		// Build a JWT token with a preferred_username claim
+		token := buildTestJWT(t, map[string]any{
+			"preferred_username": "user@contoso.com",
+			"oid":                "oid-abc",
+			"tid":                "tenant-xyz",
+		})
+
+		// Set up a mock HTTP server that returns the token
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			_, _ = io.WriteString(w, `{"status":"success","token":"`+token+`","expiresOn":"2030-01-01T00:00:00Z"}`)
+		}))
+		defer srv.Close()
+
+		m := Manager{
+			externalAuthCfg: ExternalAuthConfiguration{
+				Endpoint:    srv.URL,
+				Key:         "test-key",
+				Transporter: srv.Client(),
+			},
+			cloud: cloud.AzurePublic(),
+		}
+
+		details, err := m.LogInDetails(t.Context())
+		require.NoError(t, err)
+		require.Equal(t, EmailLoginType, details.LoginType)
+		require.Equal(t, "user@contoso.com", details.Account)
+	})
+
+	t.Run("external auth - error when token has no usable account identifier", func(t *testing.T) {
+		// Build a JWT token with no username claims
+		token := buildTestJWT(t, map[string]any{
+			"oid": "oid-abc",
+			"tid": "tenant-xyz",
+		})
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			_, _ = io.WriteString(w, `{"status":"success","token":"`+token+`","expiresOn":"2030-01-01T00:00:00Z"}`)
+		}))
+		defer srv.Close()
+
+		m := Manager{
+			externalAuthCfg: ExternalAuthConfiguration{
+				Endpoint:    srv.URL,
+				Key:         "test-key",
+				Transporter: srv.Client(),
+			},
+			cloud: cloud.AzurePublic(),
+		}
+
+		_, err := m.LogInDetails(t.Context())
+		require.Error(t, err)
+		require.ErrorIs(t, err, ErrNoCurrentUser)
+	})
 }
 
 func newMemoryUserConfigManager() *memoryUserConfigManager {

cli/azd/test/functional/auth_test.go

@@ -4,6 +4,7 @@
 package cli_test
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -18,6 +19,19 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// buildFakeJWT constructs a minimal unsigned JWT with the provided claims.
+// It is sufficient for tests that only need azd to parse claims out of the
+// token; the signature is not verified.
+func buildFakeJWT(t *testing.T, claims map[string]any) string {
+	t.Helper()
+	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
+	body, err := json.Marshal(claims)
+	require.NoError(t, err)
+	payload := base64.RawURLEncoding.EncodeToString(body)
+	sig := base64.RawURLEncoding.EncodeToString([]byte("fakesig"))
+	return fmt.Sprintf("%s.%s.%s", header, payload, sig)
+}
+
 func Test_CLI_Auth_ExternalAuth(t *testing.T) {
 	// running this test in parallel is ok as it uses a t.TempDir()
 	t.Parallel()
@@ -35,7 +49,9 @@ func Test_CLI_Auth_ExternalAuth(t *testing.T) {
 	// what we handed back.
 
 	// nolint:gosec
-	expectedToken := "THIS-IS-A-FAKE-TOKEN"
+	expectedToken := buildFakeJWT(t, map[string]any{
+		"preferred_username": "user@contoso.com",
+	})
 	expectedExpiresOn := time.Now().UTC().Add(time.Hour).Format(time.RFC3339)
 
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {