Reprocess request blocked on cookie security

[clarkbreyman]

Devcontainer cannot authenticate via host flow due to cookie security settings. Chrome and Edge both report:

"Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection."

[clarkbreyman]

FWIW - az account get-access-token --tenant ... --scope ... --output json doesn't have this issue .

[clarkbreyman]

The following script can be linked to in place of /usr/bin/azureauth to unblock the devcontainer scenario until the issue is addressed.

#!/usr/bin/env bash
# azureauth shim: translates azureauth CLI args into `az account get-access-token`.
#
# Supported azureauth flags (others are ignored with a warning on stderr):
#   aad                              subcommand (optional, ignored)
#   -c, --client     <client-id>     ignored (az uses the currently signed-in identity)
#   -t, --tenant     <tenant-id>     -> --tenant
#   -s, --scope      <scope>         -> --scope (repeatable; first one wins for az)
#   -r, --resource   <resource>      -> --resource
#   -d, --domain     <domain>        ignored
#   -o, --output     <format>        token|status|json|none -> shapes az output
#       --prompt-hint <text>         ignored
#   -m, --mode       <mode>          ignored
#       --timeout    <minutes>       ignored
#
# Output modes:
#   token  -> prints just the access token (default for parity with azureauth)
#   json   -> prints raw `az` JSON
#   status -> prints a short "OK <upn>" style line
#   none   -> prints nothing on success

set -euo pipefail

tenant=""
resource=""
scopes=()
output="token"

warn() { printf 'azureauth-shim: %s\n' "$*" >&2; }

# Drop a leading subcommand like `aad`, `ado`, etc.
if [[ $# -gt 0 && "$1" != -* ]]; then
  case "$1" in
    aad) shift ;;
    ado) warn "subcommand '$1' not supported; only 'aad' token flow is mapped"; exit 2 ;;
    *)   shift ;;
  esac
fi

while [[ $# -gt 0 ]]; do
  case "$1" in
    -c|--client)        shift; [[ $# -gt 0 ]] && shift ;;
    -t|--tenant)        tenant="$2"; shift 2 ;;
    -s|--scope)         scopes+=("$2"); shift 2 ;;
    -r|--resource)      resource="$2"; shift 2 ;;
    -d|--domain)        shift; [[ $# -gt 0 ]] && shift ;;
    -o|--output)        output="$2"; shift 2 ;;
    --prompt-hint)      shift; [[ $# -gt 0 ]] && shift ;;
    -m|--mode)          shift; [[ $# -gt 0 ]] && shift ;;
    --timeout)          shift; [[ $# -gt 0 ]] && shift ;;
    -h|--help)
      sed -n '2,30p' "$0"; exit 0 ;;
    *)
      warn "ignoring unknown arg: $1"; shift ;;
  esac
done

if ! command -v az >/dev/null 2>&1; then
  warn "az CLI not found on PATH"; exit 127
fi

args=(account get-access-token)
[[ -n "$tenant" ]] && args+=(--tenant "$tenant")

if [[ -n "$resource" ]]; then
  args+=(--resource "$resource")
elif [[ ${#scopes[@]} -gt 0 ]]; then
  if [[ ${#scopes[@]} -gt 1 ]]; then
    warn "az accepts a single --scope; using first of ${#scopes[@]}"
  fi
  args+=(--scope "${scopes[0]}")
fi

case "$output" in
  token)
    az "${args[@]}" --query accessToken -o tsv
    ;;
  json)
    az "${args[@]}" -o json
    ;;
  status)
    json="$(az "${args[@]}" -o json)"
    upn="$(printf '%s' "$json" | jq -r '.subscription // .tenant // "ok"')"
    printf 'OK %s\n' "$upn"
    ;;
  none)
    az "${args[@]}" >/dev/null
    ;;
  *)
    warn "unknown output mode '$output'; defaulting to token"
    az "${args[@]}" --query accessToken -o tsv
    ;;
esac