Reputation: 12868
I am trying to write a command line interface (CLI) utility that authenticates against our Azure subscription/AD accounts. I want it to behave the same way the Azure CLI (az login) works where when I run it, a window pops open and the user selects their account. Then the authentication occurs and Azure returns the token back to my CLI application so the user can use the application using their own identity. I can figure out how to get the device code flow working but I don't want the user to have to paste in a device code when they run my CLI. I want it to work the same way the "az" utility works and I'm unclear as to the flow az uses. Does anybody know what authentication flow the Azure az utility uses?
Upvotes: 4
Views: 983
Reputation: 42123
In your case, if you log in to the Azure CLI with a user account, it uses the authorization code flow.
You can simply get the request URL when you run az login.
The request URL looks like the one below (actually it uses the auth code flow v1.0 endpoint; the link in the first line is for the v2.0 endpoint):
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&redirect_uri=http://localhost:8400&state=c5tvdjross6a83528fx8&resource=https://management.core.windows.net/&prompt=select_account
So in your scenario, if you want to write a command line interface like the Azure CLI, just create a multi-tenant app as a public client, then use the auth code flow to log the user in and get the token.
Upvotes: 1
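The client side of the flow described in the answer, as an added example that is not part of the original answer or of the Azure CLI's code. It assumes the v2.0 authorize endpoint, a placeholder client ID for your own public-client app registration, and adds PKCE and a state check, which the URL above does not show; the function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
REDIRECT_URI = "http://localhost:8400"  # loopback redirect, as in the URL above
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: your app registration

def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def start_login(scope: str):
    """Return (url, state, verifier) for one login attempt."""
    state = secrets.token_urlsafe(16)           # binds the callback to this attempt
    verifier = b64url(secrets.token_bytes(32))  # PKCE secret, never leaves the CLI
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
        "prompt": "select_account",
    })
    return f"{AUTHORIZE}?{query}", state, verifier

def read_callback(request_target: str, expected_state: str) -> str:
    """Pull the code out of the loopback request; reject errors and foreign state."""
    params = parse_qs(urlsplit(request_target).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this login attempt")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def token_request(code: str, verifier: str, scope: str) -> dict:
    """Form fields for the token endpoint POST (built here, not sent)."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI,
            "code_verifier": verifier, "scope": scope}

if __name__ == "__main__":
    url, state, verifier = start_login("openid profile")  # constructed sample scope
    print(url)
```

A real CLI opens the URL in the browser, listens on the loopback port for a single request, and passes that request's target to `read_callback` before redeeming the code.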