[identity] DeviceCodeCredential uses MSALClient

[maorleger]

Packages impacted by this PR

@azure/identity

Issues associated with this PR

Resolves #29377

Describe the problem that is addressed by this PR

This PR makes the following changes to the Identity library:

1. Migrates DeviceCodeCredential to the MSALClient flow
2. Skips silent authentication for client credential based flows
3. Allows passing disableAutomaticAuthentication as an option param instead of during client construction

The reason this is important and exciting is because DeviceCodeCredential is the first PublicClientApplication based
flow that is being migrated to MSALClient!

Checklists

• Added impacted package name to the issue description.
• Does this PR need any fixes in the SDK Generator?** (If so, create an Issue in the Autorest/typescript repository and link it here.)
• Added a changelog (if necessary).

[azure-sdk]

API change check

API changes are not detected in this pull request.

[maorleger]

/azp run js - identity - tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[maorleger]

Slowly working on defining this type. It's probably fine for now, but I'll clean this up soonish

[xirzec]

Small remarks, but I like the direction here!

[xirzec]

I understand that we want to not attempt silent authentication, but the naming of this parameter confuses me since you'd think you'd want to disable automatic authentication rather than setting this to false which would enable it?

[maorleger]

Yeah, I agree that the naming is confusing. The reason I stuck with it is because it matches the same behavior and meaning as the public API's version of disableAutomaticAuthentication which can help when searching the codebase for this.

Personally I think a name like disableInteractiveAuthentication makes more sense, but I'm not sure if I want to stay consistent with the meaning of the public API field or do the name-mapping here

What this actually does, if I'm reading the source code correctly, is disable interactive auth - if an AuthenticationRequiredError is thrown from getTokenSilent and this option is true we will throw instead of continuing on to the interactive auth.

With that context in place - I don't have strong feelings and am happy to change it, but I have a slight preference to keeping the name and meaning consistent with the public API for better or worse. What do you think? @KarishmaGhiya would love your take as well!

[KarishmaGhiya]

@maorleger Is this param on L132 actually set by the public API param (L105) ? Or is this used for disabling interactive auth in another scenario (other than when passed in as a parameter by the user) ?

[maorleger]

This is used for enabling interactive auth fallback when the user passes is disableAutomaticAuthentication: true - so in the getToken call we will simply pass whatever the user passed in the public API param. In authenticate we ignore what the user passed in because authenticate is meant to be called by the user when getToken fails to silent auth, and disableAutomaticAuthentication is true.

Here's a few scenarios:

user sets disableAutomaticAuthentication	deviceCodeCredential#getToken	deviceCodeCredential#authenticate
undefined	false	false
false	false	false
true	true	false

Happy to discuss more in our sync!

[xirzec]

should this be called throwOnUserAuthenticationNeeded or something similar?

[maorleger]

Heya @xirzec - Karishma and I chatted offline and we think that as backwards as this name is we will keep it throughout the codebase for consistency. At least it matches the meaning and behavior of the public API for better or worse. If you feel strongly, happy to make a follow-up PR with some renames! But merging for now