[Core] az login: Add interactive browser authentication in GitHub Codespaces #33588

Open
abdurriq wants to merge 4 commits into Azure:dev from abdurriq:codespaces-auth-code-callback

abdurriq commented Jun 19, 2026

Related command
az login

Description
Improves the browser authentication experience in GitHub Codespaces by using an interactive auth code flow instead of falling back to device code. This should now match the normal / non-Codespaces experience for Desktop Codespaces, and adds a workaround for Codespaces Web that still allows non-device code (standard) auth.

Problem:
When running az login in a GitHub Codespace, the CLI falls back to device code flow because localhost in the browser refers to the user's local machine, not the container. This forces a two-step auth process (visit URL separately → enter code) and is inconsistent with the desktop experience.

Solution:

  • Detect GitHub Codespaces and route to a new login_with_auth_code_for_codespaces() method instead of device code
  • Start a local HTTP callback server on a random port using http://localhost:PORT as the redirect URI (already registered for the Azure CLI app)
  • Desktop VS Code: Automatically captures the callback via port forwarding -- user presses Enter after signing in and the token is received and used.
  • Web Codespaces: User copies the redirected URL from the browser address bar and pastes it (browser shows connection error as expected, due to the shared port not being on localhost)
  • Uses PKCE auth code flow for both paths; no additional setup required

Testing Guide

  • Desktop VS Code Codespace:

    • az login
    • Press Enter to open browser
    • Sign in to Azure
    • Press Enter to continue → automatic callback capture → success
  • Web Codespace:

    • az login
    • Press Enter to open browser
    • Sign in to Azure
    • See "connection refused" → copy URL from address bar
    • Paste URL at prompt → success

History Notes

[Core] az login: Use interactive browser auth code flow in GitHub Codespaces instead of device code


This checklist is used to make sure that common guidelines for a pull request are followed.

Should fix #20315, #31703, #26556, #21025

Copilot AI review requested due to automatic review settings June 19, 2026 12:52
@azure-client-tools-bot-prd

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

@microsoft-github-policy-service microsoft-github-policy-service Bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Jun 19, 2026
@microsoft-github-policy-service

Contributor

Thank you for your contribution @abdurriq! We will review the pull request and get back to you soon.

Copilot AI left a comment

Contributor

⚠️ Not ready to approve

The new Codespaces auth-code flow has a critical server lifecycle bug (shutdown before waiting for callback) and a localhost binding/security issue that should be fixed before merge.

Pull request overview

This PR updates az login to detect GitHub Codespaces and use an interactive browser authorization code + PKCE flow (with a local callback listener and a paste-URL fallback) instead of falling back to device code flow, improving the Codespaces sign-in UX.

Changes:

  • Route interactive login in GitHub Codespaces to a new Identity.login_with_auth_code_for_codespaces() flow.
  • Add a local HTTP callback listener on an ephemeral port and a URL-paste fallback for web Codespaces.
  • Update/add unit tests to cover the new Codespaces routing behavior and URL parsing.

File summaries

  • src/azure-cli-core/azure/cli/core/auth/identity.py: Adds Codespaces-specific auth-code login flow, callback listener, and URL parsing helper.
  • src/azure-cli-core/azure/cli/core/_profile.py: Changes Profile.login() routing to use the new Codespaces auth-code flow when appropriate.
  • src/azure-cli-core/azure/cli/core/tests/test_profile.py: Updates tests to validate Codespaces routing and _parse_codespaces_auth_response().

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor

⚠️ Not ready to approve

The new Codespaces callback server can enqueue non-auth requests and is shut down too early, causing intermittent or guaranteed auth failures in realistic browser/redirect timing scenarios.

Copilot's findings
  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor

⚠️ Not ready to approve

The new callback capture/parsing has a few robustness issues (accepting incomplete callbacks, short timeout, and allowing empty code/state) that can cause confusing failures in real-world sign-ins.

Copilot's findings
  • Files reviewed: 3/3 changed files
  • Comments generated: 3

Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment thread src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
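
The reviews above flag callbacks that are incomplete, carry an empty code or state, or are not auth requests at all. The sketch below is an added example, not code from this pull request or from Azure CLI: it shows one way to validate a redirect URL (pasted or received by the listener) before the code is exchanged. The names parse_auth_redirect and AuthResponseError and the sample values are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlsplit


class AuthResponseError(ValueError):
    """The URL is not a usable authorization response for this login attempt."""


def parse_auth_redirect(url, expected_port, expected_state):
    """Return the authorization code carried by a redirect URL.

    Hypothetical helper (name and signature are assumptions). Used for both a
    pasted URL and a request seen by the local listener, so unrelated requests
    such as /favicon.ico are rejected instead of being queued as a callback.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise AuthResponseError("malformed URL") from exc
    # The flow's redirect URI is http://localhost:PORT; hostname (not netloc) is
    # compared so "localhost:PORT@other-host" userinfo forms do not pass.
    if parts.scheme != "http" or parts.hostname != "localhost" or port != expected_port:
        raise AuthResponseError("not the redirect URI of this login attempt")

    query = parse_qs(parts.query, keep_blank_values=True)

    def single(name):
        values = query.get(name, [])
        if len(values) > 1:
            raise AuthResponseError("duplicate parameter: " + name)
        return values[0] if values else ""

    # state ties the response to the request this process started; check it
    # before acting on code or error, and compare in constant time.
    state = single("state")
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise AuthResponseError("state missing or mismatched")
    error = single("error")
    if error:
        raise AuthResponseError("authorization failed: " + error)
    code = single("code")
    if not code:
        raise AuthResponseError("code missing or empty")
    return code


if __name__ == "__main__":
    # Constructed sample values, not captured from a real sign-in.
    print(parse_auth_redirect("http://localhost:8400/?code=abc123&state=s1\n", 8400, "s1"))
```
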
yonzhan commented Jun 19, 2026

Collaborator

az login

Labels

Account az login/account act-identity-squad Auto-Assign Auto assign by bot Core CLI core infrastructure customer-reported Issues that are reported by GitHub users external to the Azure organization.

Development

Successfully merging this pull request may close these issues.

az login does not work in GitHub Codespaces

4 participants