Get-AccessToken's Breaking Change (Azure#27706)

Co-authored-by: Yeming Liu <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

src/Accounts/Accounts.Test/AccessTokenCmdletTest.cs

@@ -85,6 +85,7 @@ public void TestGetAccessTokenAsPlainText()
             // Setup
             cmdlet.TenantId = tenantId;
             var fakeToken = "eyfaketoken.eyfaketoken";
+            Environment.SetEnvironmentVariable(Constants.AzPsOutputPlainTextAccessToken, bool.TrueString);
 
             var expected = new PSAccessToken { 
                 UserId = "[email protected]",
@@ -122,6 +123,7 @@ public void TestGetAccessTokenAsPlainText()
             Assert.Equal("Bearer", ((PSAccessToken)outputPipeline.First()).Type);
             Assert.Equal(expected.Token, ((PSAccessToken)outputPipeline.First()).Token);
 
+            Environment.SetEnvironmentVariable(Constants.AzPsOutputPlainTextAccessToken, null);
             AzureSession.Instance.AuthenticationFactory = previousFactory;
         }
 

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Changed the default output access token of `Get-AzAccessToken` from plain text to `SecureString`.
 * Removed the warning message about failing to initialize PSStyle in automation runbooks. [#26155]
 * Increased the timeout for tab-completion of location, resource group, etc. to 10 seconds.
 

src/Accounts/Accounts/Token/GetAzureRmAccessToken.cs

@@ -19,20 +19,19 @@
 using Microsoft.Azure.Commands.ResourceManager.Common;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.PowerShell.Authenticators;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
+using System.Security.Cryptography;
 using System.Text.Json;
 
 namespace Microsoft.Azure.Commands.Profile
 {
-    [SecureStringBreakingChange("The Token property of the output type will be changed from String to SecureString. Add the [-AsSecureString] switch to avoid the impact of this upcoming breaking change.", "14.0.0", "5.0.0")]
     [Cmdlet(VerbsCommon.Get, AzureRMConstants.AzureRMPrefix + "AccessToken", DefaultParameterSetName = KnownResourceNameParameterSet)]
-    [OutputType(typeof(PSAccessToken), typeof(PSSecureAccessToken))]
+    [OutputType(typeof(PSSecureAccessToken))]
     public class GetAzureRmAccessTokenCommand : AzureRMCmdlet
     {
         private const string ResourceUrlParameterSet = "ResourceUrl";
@@ -73,7 +72,7 @@ public class GetAzureRmAccessTokenCommand : AzureRMCmdlet
         [Parameter(Mandatory = false, HelpMessage = "Optional Tenant Id. Use tenant id of default context if not specified.")]
         public string TenantId { get; set; }
 
-        [Parameter(Mandatory = false, HelpMessage = "Specify to convert output token as a secure string.")]
+        [Parameter(Mandatory = false, HelpMessage = "The parameter is no long used but kept for backward compatibility.")]
         public SwitchParameter AsSecureString { get; set; }
 
         public override void ExecuteCmdlet()
@@ -146,14 +145,25 @@ public override void ExecuteCmdlet()
                 }
             }
 
-            if (AsSecureString.IsPresent)
+            bool usePlainText = false;
+            try
             {
-                WriteObject(new PSSecureAccessToken(result));
+                usePlainText = string.Equals(Environment.GetEnvironmentVariable(Constants.AzPsOutputPlainTextAccessToken), bool.TrueString, StringComparison.OrdinalIgnoreCase);
             }
-            else
+            catch (Exception e)
+            {
+                WriteDebug("Exception occurred while checking environment variable AZUREPS_OUTPUT_PLAINTEXT_AZACCESSTOKEN: " + e.ToString());
+                //Throw exception when the caller doesn't have permission.
+                //Use SecureString only when AZUREPS_OUTPUT_PLAINTEXT_AZACCESSTOKEN is successfully set.
+            }
+            if (usePlainText)
             {
                 WriteObject(result);
             }
+            else
+            {
+                WriteObject(new PSSecureAccessToken(result));
+            }
         }
     }
 }

src/Accounts/Accounts/help/Get-AzAccessToken.md

@@ -8,12 +8,12 @@ schema: 2.0.0
 # Get-AzAccessToken
 
 ## SYNOPSIS
-Get secure raw access token. When using -ResourceUrl, please make sure the value does match current Azure environment. You may refer to the value of `(Get-AzContext).Environment`.
+Get secure access token. When using -ResourceUrl, please make sure the value does match current Azure environment. You may refer to the value of `(Get-AzContext).Environment`.
 
 > [!NOTE]
-> For security purposes, the default output type will change from a plain text `String` to
-> `SecureString`. To prepare for this change and ensure secure handling, use the **AsSecureString**
-> parameter before the update takes effect.
+> For security purposes, the default output type has been changed from a plain text `String` to `SecureString`.
+> Please refer to [Frequently asked questions about Azure PowerShell](https://learn.microsoft.com/en-us/powershell/azure/faq)
+> for how to convert from `SecureString` to plain text.
 
 ## SYNTAX
 
@@ -30,7 +30,7 @@ Get-AzAccessToken -ResourceUrl <String> [-TenantId <String>] [-AsSecureString]
 ```
 
 ## DESCRIPTION
-Get access token
+Get secure access token
 
 ## EXAMPLES
 
@@ -58,8 +58,7 @@ Get access token of Microsoft Graph endpoint for current account
 ## PARAMETERS
 
 ### -AsSecureString
-Specifiy to convert output token as a secure string.
-Please always use the parameter for security purpose and to avoid the upcoming breaking change and refer to [Frequently asked questions about Azure PowerShell](https://learn.microsoft.com/en-us/powershell/azure/faq) for how to convert from `SecureString` to plain text.
+The parameter is no longer used but kept for backward compatibility. No matter `AsSecureString` is specified, the output token is a `SecureString`.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
@@ -142,11 +141,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
 
 ## OUTPUTS
 
-### Microsoft.Azure.Commands.Profile.Models.PSAccessToken
-The output type is going to be deprecate.
-
 ### Microsoft.Azure.Commands.Profile.Models.PSSecureAccessToken
-Use `-AsSecureString` to get the token as `SecureString`.
 
 ## NOTES
 

src/Accounts/Authentication/Constants.cs

@@ -37,5 +37,7 @@ public class ConfigProviderIds
             /// </summary>
             public const string None = "None";
         }
+
+        public const string AzPsOutputPlainTextAccessToken = "AZUREPS_OUTPUT_PLAINTEXT_AZACCESSTOKEN";
     }
 }

tools/StaticAnalysis/Exceptions/Az.Accounts/BreakingChangeIssues.csv

@@ -7,4 +7,5 @@
 "Az.Accounts","Microsoft.Azure.Commands.Profile.Context.RenameAzureRmContext","Rename-AzContext","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Rename-AzContext' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Rename-AzContext'."
 "Az.Accounts","Microsoft.Azure.Commands.Profile.Context.RenameAzureRmContext","Rename-AzContext","0","1050","The parameter set 'RenameByName' for cmdlet 'Rename-AzContext' has been removed.","Add parameter set 'RenameByName' back to cmdlet 'Rename-AzContext'."
 "Az.Accounts","Microsoft.Azure.Commands.Profile.Context.SelectAzureRmContext","Select-AzContext","0","2000","The cmdlet 'Select-AzContext' no longer supports the parameter 'Name' and no alias was found for the original parameter name.","Add the parameter 'Name' back to the cmdlet 'Select-AzContext', or add an alias to the original parameter name."
-"Az.Accounts","Microsoft.Azure.Commands.Profile.Context.SelectAzureRmContext","Select-AzContext","0","1050","The parameter set 'SelectByName' for cmdlet 'Select-AzContext' has been removed.","Add parameter set 'SelectByName' back to cmdlet 'Select-AzContext'."
+"Az.Accounts","Microsoft.Azure.Commands.Profile.Context.SelectAzureRmContext","Select-AzContext","0","1050","The parameter set 'SelectByName' for cmdlet 'Select-AzContext' has been removed.","Add parameter set 'SelectByName' back to cmdlet 'Select-AzContext'."
+"Az.Accounts","Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand","Get-AzAccessToken","0","1020","The cmdlet 'Get-AzAccessToken' no longer has output type 'Microsoft.Azure.Commands.Profile.Models.PSAccessToken'.","Make cmdlet 'Get-AzAccessToken' return type 'Microsoft.Azure.Commands.Profile.Models.PSAccessToken'."