Fix IsChainedCredential for single credential selection in DACFactory #56334

Open
m-nash wants to merge 1 commit into main from fix/identity-ischainedcredential-56324
Member

@m-nash m-nash commented Feb 18, 2026

Description

When CredentialSource selects a specific single credential (not a chain), the credential's IsChainedCredential should be false. Previously, all Create* methods in DefaultAzureCredentialFactory hardcoded IsChainedCredential = true.

Each Create* method now checks Options.CredentialSource == null to determine whether the credential is part of a chain or a standalone selection. For CreateManagedIdentityCredential, the existing isChained parameter is also considered to handle the environment variable path.

Changes

  • DefaultAzureCredentialFactory.cs: Each Create* method sets IsChainedCredential = Options.CredentialSource == null instead of hardcoding true
  • Test base classes: Added IsChainedCredentialSupported property and skip guards for chained-only test scenarios
  • Configurable credential tests: Set IsChainedCredentialSupported => false since CredentialSource always creates non-chained credentials

Fixes #56324

When CredentialSource selects a specific single credential, each Create*
method now checks Options.CredentialSource to set IsChainedCredential to
false. This ensures proper exception behavior - non-chained credentials
throw AuthenticationFailedException for unknown errors instead of wrapping
them as CredentialUnavailableException.

Fixes #56324

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment

Pull request overview

Updates DefaultAzureCredentialFactory and related tests to ensure credentials created as a single explicit selection are not marked as chained, aligning exception behavior with the actual authentication flow used by DefaultAzureCredential and ConfigurableCredential.

Changes:

  • Update DefaultAzureCredentialFactory to set IsChainedCredential based on whether the credential is part of a chain vs a standalone selection.
  • Add IsChainedCredentialSupported to test bases and skip chained-only scenarios for configurable (single-selection) credentials.
  • Adjust configurable credential tests to reflect non-chained behavior when CredentialSource is used.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| sdk/identity/Azure.Identity/src/DefaultAzureCredentialFactory.cs | Changes how IsChainedCredential is set when constructing credentials via the factory. |
| sdk/identity/Azure.Identity/tests/VisualStudioCredentialTests.cs | Adds IsChainedCredentialSupported and skips chained-only scenarios when unsupported. |
| sdk/identity/Azure.Identity/tests/ConfigurableCredentials/VisualStudioCredentialTests.cs | Marks configurable VS credential tests as not supporting chained scenarios. |
| sdk/identity/Azure.Identity/tests/AzurePowerShellCredentialsTests.cs | Introduces IsChainedCredentialSupported and adds guards for chained-only test paths. |
| sdk/identity/Azure.Identity/tests/ConfigurableCredentials/AzurePowerShellCredentialTests.cs | Switches configurable PS tests to “non-chained only” via IsChainedCredentialSupported. |
| sdk/identity/Azure.Identity/tests/AzureDeveloperCliCredentialTests.cs | Adds chained-scenario skip guards for configurable single-credential runs. |
| sdk/identity/Azure.Identity/tests/ConfigurableCredentials/AzureDeveloperCliCredentialTests.cs | Marks configurable azd tests as not supporting chained scenarios. |
| sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs | Adds chained-scenario skip guards for configurable single-credential runs. |
| sdk/identity/Azure.Identity/tests/ConfigurableCredentials/AzureCliCredentialTests.cs | Marks configurable az tests as not supporting chained scenarios. |

Member

@jsquire jsquire left a comment

This one is subtle. You'll want to get Chris or Jonathan to also sign off before merging just in case I'm overlooking an issue in the behavior.

Member

@JonathanCrd JonathanCrd left a comment

The changes look good overall, but there's a scenario involving the Dev and Prod chains that I'd like another perspective on, just to be sure we're not missing something :)

Comment on lines 166 to 167
(true, _) => CreateDevelopmentCredentialChain(),
(_, true) => CreateProductionCredentialChain(),
Member

I'm wondering if there's a scenario where CredentialSource is set to "dev" or "prod", and Options.CredentialSource is set to something, then IsChainedCredential would be false on every credential of the selected sub-chain.

If that’s possible, then I think this is incorrect. Since those credentials are part of the Dev or Prod chain, I would expect IsChainedCredential to be true.

@christothes do you think this scenario can actually occur?

Member

Yes, that scenario seems possible - Perhaps we should change the logic to not check for 'CredentialSource' having a value, but that the value is either null or not 'dev' or 'prod'.
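
The gap discussed in this review thread, modelled as an added stand-alone example. It is not Azure.Identity code: every type and method name is hypothetical, the second predicate is one reading of the suggestion above, and the sample source values are constructed.

```csharp
#nullable enable
using System;

// Stand-alone model for illustration; not Azure.Identity source. All names are hypothetical.
class CredentialUnavailable : Exception
{
    public CredentialUnavailable(string message, Exception inner) : base(message, inner) { }
}

class AuthenticationFailed : Exception
{
    public AuthenticationFailed(string message, Exception inner) : base(message, inner) { }
}

static class ChainFlagModel
{
    // Check as the PR description states it: chained only when no source is set.
    public static bool PerPrDescription(string? source) => source is null;

    // One reading of the review suggestion: "dev" and "prod" select a sub-chain,
    // so credentials built for them stay chained. Case-insensitive matching is an assumption.
    public static bool PerReviewSuggestion(string? source) =>
        source is null
        || source.Equals("dev", StringComparison.OrdinalIgnoreCase)
        || source.Equals("prod", StringComparison.OrdinalIgnoreCase);

    // Effect of the flag on an unknown error, per the commit message:
    // chained -> wrapped as "unavailable"; standalone -> authentication failure.
    public static Exception Surface(bool isChained, Exception unknown) =>
        isChained
            ? new CredentialUnavailable("credential unavailable", unknown)
            : new AuthenticationFailed("authentication failed", unknown);
}

static class Program
{
    static void Main()
    {
        // Constructed sample values; "SingleCredentialName" is a placeholder, not a real setting.
        string?[] sources = { null, "dev", "prod", "SingleCredentialName" };
        var unknown = new InvalidOperationException("unexpected tool output");

        foreach (var source in sources)
        {
            string label = source ?? "(null)";
            string pr = ChainFlagModel.Surface(ChainFlagModel.PerPrDescription(source), unknown).GetType().Name;
            string review = ChainFlagModel.Surface(ChainFlagModel.PerReviewSuggestion(source), unknown).GetType().Name;
            Console.WriteLine($"{label,-22} PR check: {pr,-22} review check: {review}");
        }
    }
}
```

The two checks differ only on the "dev" and "prod" rows, where the PR's check surfaces an authentication failure from a credential that is still one member of a sub-chain.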

Projects

Status: Untriaged

Development

Successfully merging this pull request may close these issues.

Azure.Identity: IsChainedCredential should be set to false when only a single credential is possible
