@microsoft/vscode-azext-azureauth 6.1.0-alpha.1 → 6.1.0-alpha.2

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Change Log
 
+## 6.1.0-alpha.2 - 2026-06-02
+
+* Add an optional `options` parameter to `getSessionWithScopes`. Passing `{ createIfNone: true }` allows an interactive consent prompt when a session for the requested scopes has not yet been granted, instead of failing silently. This enables callers to eagerly obtain consent for a non-management audience (e.g. the App Service audience used for Kudu/SCM deployments) before it is first needed. See [microsoft/vscode-azurefunctions#5073](https://github.com/microsoft/vscode-azurefunctions/issues/5073)
+
 ## 6.0.0-alpha.8 - 2026-03-27
 
 * [#2248](https://github.com/microsoft/vscode-azuretools/pull/2248) Watch sovereign cloud config and fire `onRefreshSuggested`

package/dist/cjs/src/providers/AzureSubscriptionProviderBase.js

@@ -373,12 +373,25 @@ class AzureSubscriptionProviderBase {
                     }
                     return session;
                 },
-                getSessionWithScopes: async (scopeListOrRequest) => {
-                    this.silenceRefreshEvents();
-                    // in order to handle a challenge, we must enable createIfNone so
-                    // that we can prompt the user to step-up their session with MFA
-                    // otherwise, never prompt the user
-                    const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopeListOrRequest, tenant.tenantId, { ...((0, isAuthenticationWwwAuthenticateRequest_1.isAuthenticationWwwAuthenticateRequest)(scopeListOrRequest) ? { createIfNone: true } : { silent: true }), account: tenant.account });
+                getSessionWithScopes: async (scopeListOrRequest, options) => {
+                    // A challenge (e.g. an MFA step-up) must always be able to prompt so the user can
+                    // satisfy it. For a plain scope list we stay silent by default, but allow callers to
+                    // opt in to an interactive consent prompt via `options.createIfNone` (used, for example,
+                    // to consent to the App Service audience before a deployment).
+                    // See https://github.com/microsoft/vscode-azurefunctions/issues/5073
+                    const createIfNone = (0, isAuthenticationWwwAuthenticateRequest_1.isAuthenticationWwwAuthenticateRequest)(scopeListOrRequest) || !!options?.createIfNone;
+                    if (createIfNone) {
+                        // Interactive consent can take a while, so suppress without timeout until it is
+                        // done, then silence for a bit longer afterwards (same pattern as `signIn`).
+                        this.suppressRefreshSuggestedEvents = true;
+                    }
+                    else {
+                        this.silenceRefreshEvents();
+                    }
+                    const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopeListOrRequest, tenant.tenantId, { ...(createIfNone ? { createIfNone: true } : { silent: true }), account: tenant.account });
+                    if (createIfNone) {
+                        this.silenceRefreshEvents();
+                    }
                     if (!session) {
                         throw new NotSignedInError_1.NotSignedInError();
                     }

package/dist/esm/src/contracts/AzureAuthentication.d.ts

@@ -14,8 +14,21 @@ export interface AzureAuthentication {
      * Gets a VS Code authentication session for an Azure subscription.
      *
      * @param scopeListOrRequest - The scopes or request for which the authentication is needed.
+     * @param options - (Optional) Options controlling how the session is acquired. By default a plain
+     * scope list is acquired silently; set `createIfNone` to allow an interactive consent prompt when
+     * no session for the requested scopes has been granted yet. Challenge requests always allow prompting.
      *
      * @returns A VS Code authentication session or undefined, if none could be obtained.
      */
-    getSessionWithScopes(scopeListOrRequest: string[] | vscode.AuthenticationWwwAuthenticateRequest): vscode.ProviderResult<vscode.AuthenticationSession>;
+    getSessionWithScopes(scopeListOrRequest: string[] | vscode.AuthenticationWwwAuthenticateRequest, options?: GetSessionWithScopesOptions): vscode.ProviderResult<vscode.AuthenticationSession>;
+}
+/**
+ * Options for {@link AzureAuthentication.getSessionWithScopes}.
+ */
+export interface GetSessionWithScopesOptions {
+    /**
+     * Whether to allow an interactive prompt (sign in / consent) if no session for the requested
+     * scopes is already available. Defaults to `false`, in which case the session is acquired silently.
+     */
+    createIfNone?: boolean;
 }

package/dist/esm/src/providers/AzureSubscriptionProviderBase.js

@@ -337,12 +337,25 @@ export class AzureSubscriptionProviderBase {
                     }
                     return session;
                 },
-                getSessionWithScopes: async (scopeListOrRequest) => {
-                    this.silenceRefreshEvents();
-                    // in order to handle a challenge, we must enable createIfNone so
-                    // that we can prompt the user to step-up their session with MFA
-                    // otherwise, never prompt the user
-                    const session = await getSessionFromVSCode(scopeListOrRequest, tenant.tenantId, { ...(isAuthenticationWwwAuthenticateRequest(scopeListOrRequest) ? { createIfNone: true } : { silent: true }), account: tenant.account });
+                getSessionWithScopes: async (scopeListOrRequest, options) => {
+                    // A challenge (e.g. an MFA step-up) must always be able to prompt so the user can
+                    // satisfy it. For a plain scope list we stay silent by default, but allow callers to
+                    // opt in to an interactive consent prompt via `options.createIfNone` (used, for example,
+                    // to consent to the App Service audience before a deployment).
+                    // See https://github.com/microsoft/vscode-azurefunctions/issues/5073
+                    const createIfNone = isAuthenticationWwwAuthenticateRequest(scopeListOrRequest) || !!options?.createIfNone;
+                    if (createIfNone) {
+                        // Interactive consent can take a while, so suppress without timeout until it is
+                        // done, then silence for a bit longer afterwards (same pattern as `signIn`).
+                        this.suppressRefreshSuggestedEvents = true;
+                    }
+                    else {
+                        this.silenceRefreshEvents();
+                    }
+                    const session = await getSessionFromVSCode(scopeListOrRequest, tenant.tenantId, { ...(createIfNone ? { createIfNone: true } : { silent: true }), account: tenant.account });
+                    if (createIfNone) {
+                        this.silenceRefreshEvents();
+                    }
                     if (!session) {
                         throw new NotSignedInError();
                     }

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "6.1.0-alpha.1",
+    "version": "6.1.0-alpha.2",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",