Enable token encryption on macOS #27176

@glyph

Describe the bug

By default, on macOS, azure login places its OAuth tokens in .azure/msal_token_cache.json.

The only documentation for how to protect the tokens using Keychain appears to be in the code here:

```python
import sys

def should_encrypt_token_cache(cli_ctx):
    # Only enable encryption for Windows (for now).
    fallback = sys.platform.startswith('win32')
    # EXPERIMENTAL: Use core.encrypt_token_cache=False to turn off token cache encryption.
    # encrypt_token_cache affects both MSAL token cache and service principal entries.
    encrypt = cli_ctx.config.getboolean('core', 'encrypt_token_cache', fallback=fallback)
    return encrypt
```

The comment here is misleading, as it says EXPERIMENTAL: Use core.encrypt_token_cache=False to turn off token cache encryption. as if the default value is True, but it's actually False.

At least, encrypt_token_cache does not appear in the list of "core" configuration values here:

https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration#cli-configuration-values-and-environment-variables

MSAL for Python also gives a somewhat misleading summary of its security properties, as it says:

https://github.com/AzureAD/microsoft-authentication-extensions-for-python#microsoft-authentication-extensions-for-python

MAC - The MAC KeyChain is used.

Which is not true in the configuration in which the Azure CLI actually uses it.

Finally, once encrypt_token_cache is set to true, the keychain service name and account name are set to "my_service_name" and "my_account_name" here:

```python
return KeychainPersistence(location, "my_service_name", "my_account_name")
```

I verified that this is actually how it's stored in Keychain Access:

[screenshot: Keychain Access entry]

Related command

az login

Errors

No errors.

Issue script & Debug output

No relevant debug output.

Expected behavior

In general the credential storage situation just ought to be tightened up:

  • encryption / storage in macOS keychain should be the default
  • encrypt_token_cache ought to be documented
  • credential labels seem inappropriately generic, and it should say something more like a service name of "Azure CLI" and an account name of the user's email address.
  • credentials also really ought to be stored in separate keychain items so that applications can be granted access control to, for example, test credentials without granting them access to production credentials in the same keychain.

There's also the msal_http_cache.bin file which contains cookies and stuff, which maybe should also be encrypted somewhere; I don't know the privilege level of these cookies but it seems relevant to look at them.

Environment Summary

azure-cli                         2.50.0 *

core                              2.50.0 *
telemetry                          1.0.8 *

Dependencies:
msal                              1.22.0
azure-mgmt-resource             23.1.0b2

Python location '/opt/homebrew/Cellar/azure-cli/2.50.0_1/libexec/bin/python'
Extensions directory '/Users/glyph/.azure/cliextensions'

Python (Darwin) 3.10.12 (main, Jun 20 2023, 19:43:52) [Clang 14.0.3 (clang-1403.0.22.14.1)]

Legal docs and information: aka.ms/AzureCliLegal


Additional context

I am filing this as a regular bug and not as a security issue because I don't see an exploit here per se, and the tools don't directly claim any security properties that are subverted by this misconfiguration.
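An added example (mine, not the issue author's and not azure-cli's code): an offline check that mirrors the decision in the quoted `should_encrypt_token_cache()` and reports whether the MSAL cache on disk still holds plaintext credentials. The config text, platform string and cache JSON are constructed; on a real machine you would read `~/.azure/config` and `~/.azure/msal_token_cache.json` and pass `sys.platform`.

```python
import configparser
import json
from typing import Dict, List

# Constructed sample inputs (not real credentials): a macOS ~/.azure/config with
# no explicit setting, and a plaintext msal_token_cache.json with two entries.
SAMPLE_CONFIG = "[core]\noutput = json\n"
SAMPLE_CACHE = json.dumps({
    "AccessToken": {"uid.utid-login.microsoftonline.com-accesstoken-clientid-tenant-scope":
                    {"secret": "PLACEHOLDER_ACCESS_TOKEN", "credential_type": "AccessToken"}},
    "RefreshToken": {"uid.utid-login.microsoftonline.com-refreshtoken-clientid--":
                     {"secret": "PLACEHOLDER_REFRESH_TOKEN", "credential_type": "RefreshToken"}},
    "IdToken": {},
    "Account": {},
})

def effective_encrypt_setting(config_text: str, platform: str) -> bool:
    """Mirror should_encrypt_token_cache(): honour core.encrypt_token_cache if set,
    otherwise fall back to True only when the platform string starts with 'win32'."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    fallback = platform.startswith("win32")
    return cfg.getboolean("core", "encrypt_token_cache", fallback=fallback)

def plaintext_credential_kinds(cache_text: str) -> List[str]:
    """List the MSAL credential sections that are readable as plaintext JSON and
    non-empty. A cache kept by KeychainPersistence/DPAPI is not JSON on disk, so a
    decode failure (or an empty file) counts as 'no plaintext credentials'."""
    try:
        cache = json.loads(cache_text)
    except ValueError:
        return []
    kinds = ("AccessToken", "RefreshToken", "IdToken")
    return [k for k in kinds if isinstance(cache.get(k), dict) and cache[k]]

def audit(config_text: str, platform: str, cache_text: str) -> Dict[str, object]:
    """Combine both checks into one finding; 'exposed' is the condition the issue
    describes: encryption off by default on macOS and tokens readable on disk."""
    encrypt = effective_encrypt_setting(config_text, platform)
    kinds = plaintext_credential_kinds(cache_text)
    return {"encrypt_token_cache": encrypt, "plaintext": kinds,
            "exposed": (not encrypt) and bool(kinds)}

if __name__ == "__main__":
    # On a real machine, read ~/.azure/config and ~/.azure/msal_token_cache.json
    # and pass sys.platform instead of the constructed values used here.
    print(audit(SAMPLE_CONFIG, "darwin", SAMPLE_CACHE))
```

With the constructed inputs the macOS run reports `exposed: True`; setting `core.encrypt_token_cache = true` in the config (or running on `win32`) flips the first check, and a non-JSON cache file clears the second.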
