py2docfx 0.1.20rc2195074__py3-none-any.whl → 0.1.20rc2245107__py3-none-any.whl

py2docfx/venv/basevenv/Lib/site-packages/charset_normalizer/api.py

@@ -369,14 +369,15 @@ def from_bytes(
             # Preparing those fallbacks in case we got nothing.
             if (
                 enable_fallback
-                and encoding_iana in ["ascii", "utf_8", specified_encoding]
+                and encoding_iana
+                in ["ascii", "utf_8", specified_encoding, "utf_16", "utf_32"]
                 and not lazy_str_hard_failure
             ):
                 fallback_entry = CharsetMatch(
                     sequences,
                     encoding_iana,
                     threshold,
-                    False,
+                    bom_or_sig_available,
                     [],
                     decoded_payload,
                     preemptive_declaration=specified_encoding,

py2docfx/venv/basevenv/Lib/site-packages/charset_normalizer/legacy.py

@@ -4,7 +4,7 @@ from typing import TYPE_CHECKING, Any
 from warnings import warn
 
 from .api import from_bytes
-from .constant import CHARDET_CORRESPONDENCE
+from .constant import CHARDET_CORRESPONDENCE, TOO_SMALL_SEQUENCE
 
 # TODO: remove this check when dropping Python 3.7 support
 if TYPE_CHECKING:
@@ -49,6 +49,22 @@ def detect(
     language = r.language if r is not None and r.language != "Unknown" else ""
     confidence = 1.0 - r.chaos if r is not None else None
 
+    # automatically lower confidence
+    # on small bytes samples.
+    # https://github.com/jawah/charset_normalizer/issues/391
+    if (
+        confidence is not None
+        and confidence >= 0.9
+        and encoding
+        not in {
+            "utf_8",
+            "ascii",
+        }
+        and r.bom is False  # type: ignore[union-attr]
+        and len(byte_str) < TOO_SMALL_SEQUENCE
+    ):
+        confidence -= 0.2
+
     # Note: CharsetNormalizer does not return 'UTF-8-SIG' as the sig get stripped in the detection/normalization process
     # but chardet does return 'utf-8-sig' and it is a valid codec name.
     if r is not None and encoding == "utf_8" and r.bom:

py2docfx/venv/basevenv/Lib/site-packages/charset_normalizer/version.py

@@ -4,5 +4,5 @@ Expose version
 
 from __future__ import annotations
 
-__version__ = "3.4.2"
+__version__ = "3.4.3"
 VERSION = __version__.split(".")

py2docfx/venv/basevenv/Lib/site-packages/requests/__version__.py

@@ -5,8 +5,8 @@
 __title__ = "requests"
 __description__ = "Python HTTP for Humans."
 __url__ = "https://requests.readthedocs.io"
-__version__ = "2.32.4"
-__build__ = 0x023204
+__version__ = "2.32.5"
+__build__ = 0x023205
 __author__ = "Kenneth Reitz"
 __author_email__ = "me@kennethreitz.org"
 __license__ = "Apache-2.0"

py2docfx/venv/basevenv/Lib/site-packages/requests/adapters.py

@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolManager, proxy_from_url
 from urllib3.util import Timeout as TimeoutSauce
 from urllib3.util import parse_url
 from urllib3.util.retry import Retry
-from urllib3.util.ssl_ import create_urllib3_context
 
 from .auth import _basic_auth_str
 from .compat import basestring, urlparse
@@ -74,19 +73,6 @@ DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 
 
-try:
-    import ssl  # noqa: F401
-
-    _preloaded_ssl_context = create_urllib3_context()
-    _preloaded_ssl_context.load_verify_locations(
-        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
-    )
-except ImportError:
-    # Bypass default SSLContext creation when Python
-    # interpreter isn't built with the ssl module.
-    _preloaded_ssl_context = None
-
-
 def _urllib3_request_context(
     request: "PreparedRequest",
     verify: "bool | str | None",
@@ -99,19 +85,9 @@ def _urllib3_request_context(
     scheme = parsed_request_url.scheme.lower()
     port = parsed_request_url.port
 
-    # Determine if we have and should use our default SSLContext
-    # to optimize performance on standard requests.
-    poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
-    should_use_default_ssl_context = (
-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
-    )
-
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
-    elif verify is True and should_use_default_ssl_context:
-        pool_kwargs["ssl_context"] = _preloaded_ssl_context
     elif isinstance(verify, str):
         if not os.path.isdir(verify):
             pool_kwargs["ca_certs"] = verify
@@ -314,26 +290,27 @@ class HTTPAdapter(BaseAdapter):
         :param cert: The SSL certificate to verify.
         """
         if url.lower().startswith("https") and verify:
-            conn.cert_reqs = "CERT_REQUIRED"
+            cert_loc = None
 
-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
-            # Otherwise, if verify is a boolean, we don't load anything since
-            # the connection will be using a context with the default certificates already loaded,
-            # and this avoids a call to the slow load_verify_locations()
+            # Allow self-specified cert location.
             if verify is not True:
-                # `verify` must be a str with a path then
                 cert_loc = verify
 
-                if not os.path.exists(cert_loc):
-                    raise OSError(
-                        f"Could not find a suitable TLS CA certificate bundle, "
-                        f"invalid path: {cert_loc}"
-                    )
+            if not cert_loc:
+                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 
-                if not os.path.isdir(cert_loc):
-                    conn.ca_certs = cert_loc
-                else:
-                    conn.ca_cert_dir = cert_loc
+            if not cert_loc or not os.path.exists(cert_loc):
+                raise OSError(
+                    f"Could not find a suitable TLS CA certificate bundle, "
+                    f"invalid path: {cert_loc}"
+                )
+
+            conn.cert_reqs = "CERT_REQUIRED"
+
+            if not os.path.isdir(cert_loc):
+                conn.ca_certs = cert_loc
+            else:
+                conn.ca_cert_dir = cert_loc
         else:
             conn.cert_reqs = "CERT_NONE"
             conn.ca_certs = None
@@ -410,7 +387,7 @@ class HTTPAdapter(BaseAdapter):
           ``"cert_reqs"`` will be set
         * If ``verify`` is a string, (i.e., it is a user-specified trust bundle)
           ``"ca_certs"`` will be set if the string is not a directory recognized
-          by :py:func:`os.path.isdir`, otherwise ``"ca_certs_dir"`` will be
+          by :py:func:`os.path.isdir`, otherwise ``"ca_cert_dir"`` will be
           set.
         * If ``"cert"`` is specified, ``"cert_file"`` will always be set. If
           ``"cert"`` is a tuple with a second item, ``"key_file"`` will also

py2docfx/venv/basevenv/Lib/site-packages/requests/sessions.py

@@ -535,7 +535,7 @@ class Session(SessionRedirectMixin):
             for multipart encoding upload.
         :param auth: (optional) Auth tuple or callable to enable
             Basic/Digest/Custom HTTP Auth.
-        :param timeout: (optional) How long to wait for the server to send
+        :param timeout: (optional) How many seconds to wait for the server to send
             data before giving up, as a float, or a :ref:`(connect timeout,
             read timeout) <timeouts>` tuple.
         :type timeout: float or tuple

py2docfx/venv/venv1/Lib/site-packages/azure/core/_version.py

@@ -9,4 +9,4 @@
 # regenerated.
 # --------------------------------------------------------------------------
 
-VERSION = "1.35.0"
+VERSION = "1.35.1"

py2docfx/venv/venv1/Lib/site-packages/azure/core/pipeline/policies/_authentication.py

@@ -6,12 +6,14 @@
 import time
 import base64
 from typing import TYPE_CHECKING, Optional, TypeVar, MutableMapping, Any, Union, cast
+
 from azure.core.credentials import (
     TokenCredential,
     SupportsTokenInfo,
     TokenRequestOptions,
     TokenProvider,
 )
+from azure.core.exceptions import HttpResponseError
 from azure.core.pipeline import PipelineRequest, PipelineResponse
 from azure.core.pipeline.transport import (
     HttpResponse as LegacyHttpResponse,
@@ -165,7 +167,20 @@ class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, HTTPPolicy[H
         if response.http_response.status_code == 401:
             self._token = None  # any cached token is invalid
             if "WWW-Authenticate" in response.http_response.headers:
-                request_authorized = self.on_challenge(request, response)
+                try:
+                    request_authorized = self.on_challenge(request, response)
+                except Exception as ex:
+                    # If the response is streamed, read it so the error message is immediately available to the user.
+                    # Otherwise, a generic error message will be given and the user will have to read the response
+                    # body to see the actual error.
+                    if response.context.options.get("stream"):
+                        try:
+                            response.http_response.read()  # type: ignore
+                        except Exception:  # pylint:disable=broad-except
+                            pass
+                    # Raise the exception from the token request with the original 401 response
+                    raise ex from HttpResponseError(response=response.http_response)
+
                 if request_authorized:
                     # if we receive a challenge response, we retrieve a new token
                     # which matches the new target. In this case, we don't want to remove
@@ -200,14 +215,11 @@ class BearerTokenCredentialPolicy(_BearerTokenCredentialPolicyBase, HTTPPolicy[H
             encoded_claims = get_challenge_parameter(headers, "Bearer", "claims")
             if not encoded_claims:
                 return False
-            try:
-                padding_needed = -len(encoded_claims) % 4
-                claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
-                if claims:
-                    self.authorize_request(request, *self._scopes, claims=claims)
-                    return True
-            except Exception:  # pylint:disable=broad-except
-                return False
+            padding_needed = -len(encoded_claims) % 4
+            claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
+            if claims:
+                self.authorize_request(request, *self._scopes, claims=claims)
+                return True
         return False
 
     def on_response(

py2docfx/venv/venv1/Lib/site-packages/azure/core/pipeline/policies/_authentication_async.py

@@ -13,6 +13,7 @@ from azure.core.credentials_async import (
     AsyncSupportsTokenInfo,
     AsyncTokenProvider,
 )
+from azure.core.exceptions import HttpResponseError
 from azure.core.pipeline import PipelineRequest, PipelineResponse
 from azure.core.pipeline.policies import AsyncHTTPPolicy
 from azure.core.pipeline.policies._authentication import (
@@ -110,7 +111,21 @@ class AsyncBearerTokenCredentialPolicy(AsyncHTTPPolicy[HTTPRequestType, AsyncHTT
         if response.http_response.status_code == 401:
             self._token = None  # any cached token is invalid
             if "WWW-Authenticate" in response.http_response.headers:
-                request_authorized = await self.on_challenge(request, response)
+                try:
+                    request_authorized = await self.on_challenge(request, response)
+                except Exception as ex:
+                    # If the response is streamed, read it so the error message is immediately available to the user.
+                    # Otherwise, a generic error message will be given and the user will have to read the response
+                    # body to see the actual error.
+                    if response.context.options.get("stream"):
+                        try:
+                            await response.http_response.read()  # type: ignore
+                        except Exception:  # pylint:disable=broad-except
+                            pass
+
+                    # Raise the exception from the token request with the original 401 response
+                    raise ex from HttpResponseError(response=response.http_response)
+
                 if request_authorized:
                     # if we receive a challenge response, we retrieve a new token
                     # which matches the new target. In this case, we don't want to remove
@@ -145,14 +160,11 @@ class AsyncBearerTokenCredentialPolicy(AsyncHTTPPolicy[HTTPRequestType, AsyncHTT
             encoded_claims = get_challenge_parameter(headers, "Bearer", "claims")
             if not encoded_claims:
                 return False
-            try:
-                padding_needed = -len(encoded_claims) % 4
-                claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
-                if claims:
-                    await self.authorize_request(request, *self._scopes, claims=claims)
-                    return True
-            except Exception:  # pylint:disable=broad-except
-                return False
+            padding_needed = -len(encoded_claims) % 4
+            claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
+            if claims:
+                await self.authorize_request(request, *self._scopes, claims=claims)
+                return True
         return False
 
     def on_response(

py2docfx/venv/venv1/Lib/site-packages/azure/core/pipeline/policies/_retry.py

@@ -118,7 +118,7 @@ class RetryPolicyBase:
             "read": options.pop("retry_read", self.read_retries),
             "status": options.pop("retry_status", self.status_retries),
             "backoff": options.pop("retry_backoff_factor", self.backoff_factor),
-            "max_backoff": options.pop("retry_backoff_max", self.BACKOFF_MAX),
+            "max_backoff": options.pop("retry_backoff_max", self.backoff_max),
             "methods": options.pop("retry_on_methods", self._method_whitelist),
             "timeout": options.pop("timeout", self.timeout),
             "history": [],

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_bearer_token_provider.py

@@ -30,7 +30,7 @@ def get_bearer_token_provider(credential: TokenProvider, *scopes: str) -> Callab
         request.headers["Authorization"] = "Bearer " + bearer_token_provider()
 
     :param credential: The credential used to authenticate the request.
-    :type credential: ~azure.core.credentials.TokenCredential
+    :type credential: ~azure.core.credentials.TokenProvider
     :param str scopes: The scopes required for the bearer token.
     :rtype: callable
     :return: A callable that returns a bearer token.

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/authorization_code.py

@@ -127,7 +127,7 @@ class AuthorizationCodeCredential(GetTokenMixin):
             return token
 
         token = None
-        for refresh_token in self._client.get_cached_refresh_tokens(scopes):
+        for refresh_token in self._client.get_cached_refresh_tokens(scopes, **kwargs):
             if "secret" in refresh_token:
                 token = self._client.obtain_token_by_refresh_token(scopes, refresh_token["secret"], **kwargs)
                 if token:

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azd_cli.py

@@ -17,7 +17,7 @@ from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOpt
 from azure.core.exceptions import ClientAuthenticationError
 
 from .. import CredentialUnavailableError
-from .._internal import resolve_tenant, within_dac, validate_tenant_id, validate_scope
+from .._internal import encode_base64, resolve_tenant, within_dac, validate_tenant_id, validate_scope
 from .._internal.decorators import log_get_token
 
 
@@ -28,7 +28,11 @@ CLI_NOT_FOUND = (
     "Please visit https://aka.ms/azure-dev for installation instructions and then,"
     "once installed, authenticate to your Azure account using 'azd auth login'."
 )
-COMMAND_LINE = ["auth", "token", "--output", "json"]
+UNKNOWN_CLAIMS_FLAG = (
+    "Claims challenges are not supported by the Azure Developer CLI version you are using. "
+    "Please update to version 1.18.1 or later."
+)
+COMMAND_LINE = ["auth", "token", "--output", "json", "--no-prompt"]
 EXECUTABLE_NAME = "azd"
 NOT_LOGGED_IN = "Please run 'azd auth login' from a command prompt to authenticate before using this credential."
 
@@ -99,7 +103,7 @@ class AzureDeveloperCliCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -111,7 +115,8 @@ class AzureDeveloperCliCredential:
         :param str scopes: desired scope for the access token. This credential allows only one scope per request.
             For more information about scopes, see
             https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
-        :keyword str claims: not used by this credential; any value provided will be ignored.
+        :keyword str claims: additional claims required in the token, such as those returned in a resource provider's
+            claims challenge following an authorization failure.
         :keyword str tenant_id: optional tenant to include in the token request.
 
         :return: An access token with the desired scopes.
@@ -125,6 +130,8 @@ class AzureDeveloperCliCredential:
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -159,6 +166,7 @@ class AzureDeveloperCliCredential:
             raise ValueError("Missing scope in request. \n")
 
         tenant_id = options.get("tenant_id") if options else None
+        claims = options.get("claims") if options else None
         if tenant_id:
             validate_tenant_id(tenant_id)
         for scope in scopes:
@@ -175,16 +183,23 @@ class AzureDeveloperCliCredential:
         )
         if tenant:
             command_args += ["--tenant-id", tenant]
+        if claims:
+            command_args += ["--claims", encode_base64(claims)]
         output = _run_command(command_args, self._process_timeout)
 
         token = parse_token(output)
         if not token:
-            sanitized_output = sanitize_output(output)
-            message = (
-                f"Unexpected output from Azure Developer CLI: '{sanitized_output}'. \n"
-                f"To mitigate this issue, please refer to the troubleshooting guidelines here at "
-                f"https://aka.ms/azsdk/python/identity/azdevclicredential/troubleshoot."
-            )
+            # Try to extract a meaningful error from azd consoleMessage JSON lines
+            extracted = extract_cli_error_message(output)
+            if extracted:
+                message = extracted
+            else:
+                sanitized_output = sanitize_output(output)
+                message = (
+                    f"Unexpected output from Azure Developer CLI: '{sanitized_output}'. \n"
+                    f"To mitigate this issue, please refer to the troubleshooting guidelines here at "
+                    f"https://aka.ms/azsdk/python/identity/azdevclicredential/troubleshoot."
+                )
             if within_dac.get():
                 raise CredentialUnavailableError(message=message)
             raise ClientAuthenticationError(message=message)
@@ -241,6 +256,54 @@ def sanitize_output(output: str) -> str:
     return re.sub(r"\"token\": \"(.*?)(\"|$)", "****", output)
 
 
+def extract_cli_error_message(output: str) -> Optional[str]:
+    """
+    Extract a single, user-friendly message from azd consoleMessage JSON output.
+
+    :param str output: The output from the Azure Developer CLI command.
+    :return: A user-friendly error message if found, otherwise None.
+    :rtype: Optional[str]
+
+    Preference order:
+    1) A message containing "Suggestion" (case-insensitive)
+    2) The second message if multiple are present
+    3) The first message if only one exists
+    Returns None if no messages can be parsed.
+    """
+    messages: List[str] = []
+    for line in output.splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            obj = json.loads(line)
+        except json.JSONDecodeError:  # not JSON -> ignore
+            continue
+        if isinstance(obj, dict):
+            data = obj.get("data")
+            if isinstance(data, dict):
+                msg = data.get("message")
+                if isinstance(msg, str) and msg.strip():
+                    messages.append(msg.strip())
+                    continue
+            msg = obj.get("message")
+            if isinstance(msg, str) and msg.strip():
+                messages.append(msg.strip())
+
+    if not messages:
+        return None
+
+    # Prefer the suggestion line if present
+    for msg in messages:
+        if "suggestion" in msg.lower():
+            return sanitize_output(msg)
+
+    # If more than one message exists, return the last one
+    if len(messages) > 1:
+        return sanitize_output(messages[-1])
+    return sanitize_output(messages[0])
+
+
 def _run_command(command_args: List[str], timeout: int) -> str:
     # Ensure executable exists in PATH first. This avoids a subprocess call that would fail anyway.
     azd_path = shutil.which(EXECUTABLE_NAME)
@@ -267,16 +330,18 @@ def _run_command(command_args: List[str], timeout: int) -> str:
         # Fallback check in case the executable is not found while executing subprocess.
         if ex.returncode == 127 or (ex.stderr is not None and ex.stderr.startswith("'azd' is not recognized")):
             raise CredentialUnavailableError(message=CLI_NOT_FOUND) from ex
-        if ex.stderr is not None and (
-            "not logged in, run `azd auth login` to login" in ex.stderr and "AADSTS" not in ex.stderr
-        ):
+        combined_text = "{}\n{}".format(ex.output or "", ex.stderr or "")
+        if "not logged in, run `azd auth login` to login" in combined_text and "AADSTS" not in combined_text:
             raise CredentialUnavailableError(message=NOT_LOGGED_IN) from ex
+        if "unknown flag: --claims" in combined_text:
+            raise CredentialUnavailableError(message=UNKNOWN_CLAIMS_FLAG) from ex
 
         # return code is from the CLI -> propagate its output
-        if ex.stderr:
-            message = sanitize_output(ex.stderr)
-        else:
-            message = "Failed to invoke Azure Developer CLI"
+        message = (
+            extract_cli_error_message(ex.output or "")
+            or extract_cli_error_message(ex.stderr or "")
+            or (sanitize_output(ex.stderr) if ex.stderr else "Failed to invoke Azure Developer CLI")
+        )
         if within_dac.get():
             raise CredentialUnavailableError(message=message) from ex
         raise ClientAuthenticationError(message=message) from ex

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azure_cli.py

@@ -18,6 +18,7 @@ from azure.core.exceptions import ClientAuthenticationError
 from .. import CredentialUnavailableError
 from .._internal import (
     _scopes_to_resource,
+    encode_base64,
     resolve_tenant,
     within_dac,
     validate_tenant_id,
@@ -34,6 +35,11 @@ CLI_NOT_FOUND = "Azure CLI not found on path"
 COMMAND_LINE = ["account", "get-access-token", "--output", "json"]
 EXECUTABLE_NAME = "az"
 NOT_LOGGED_IN = "Please run 'az login' to set up an account"
+CLAIMS_UNSUPPORTED_ERROR = (
+    "This credential doesn't support claims challenges. To authenticate with the required "
+    "claims, please run the following command (requires Azure CLI version 2.76.0 or later): "
+    "az login --claims-challenge {claims_value}"
+)
 
 
 class AzureCliCredential:
@@ -90,7 +96,7 @@ class AzureCliCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -102,20 +108,23 @@ class AzureCliCredential:
         :param str scopes: desired scope for the access token. This credential allows only one scope per request.
             For more information about scopes, see
             https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
-        :keyword str claims: not used by this credential; any value provided will be ignored.
+        :keyword str claims: additional claims required in the token. This credential does not support claims
+            challenges.
         :keyword str tenant_id: optional tenant to include in the token request.
 
         :return: An access token with the desired scopes.
         :rtype: ~azure.core.credentials.AccessToken
 
-        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke the Azure CLI.
+        :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI
+          or a claims challenge was provided.
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -136,7 +145,8 @@ class AzureCliCredential:
         :rtype: ~azure.core.credentials.AccessTokenInfo
         :return: An AccessTokenInfo instance containing information about the token.
 
-        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke the Azure CLI.
+        :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI
+          or a claims challenge was provided.
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
@@ -145,6 +155,19 @@ class AzureCliCredential:
     def _get_token_base(
         self, *scopes: str, options: Optional[TokenRequestOptions] = None, **kwargs: Any
     ) -> AccessTokenInfo:
+        # Check for claims challenge first
+        if options and "claims" in options and options["claims"]:
+            error_message = CLAIMS_UNSUPPORTED_ERROR.format(claims_value=encode_base64(options["claims"]))
+
+            # Add tenant if provided in options
+            if options.get("tenant_id"):
+                error_message += f" --tenant {options.get('tenant_id')}"
+
+            # Add scope if provided
+            if scopes:
+                error_message += f" --scope {scopes[0]}"
+
+            raise CredentialUnavailableError(message=error_message)
 
         tenant_id = options.get("tenant_id") if options else None
         if tenant_id:

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azure_powershell.py

@@ -13,7 +13,14 @@ from azure.core.exceptions import ClientAuthenticationError
 
 from .azure_cli import get_safe_working_dir
 from .. import CredentialUnavailableError
-from .._internal import _scopes_to_resource, resolve_tenant, within_dac, validate_tenant_id, validate_scope
+from .._internal import (
+    _scopes_to_resource,
+    encode_base64,
+    resolve_tenant,
+    within_dac,
+    validate_tenant_id,
+    validate_scope,
+)
 from .._internal.decorators import log_get_token
 
 
@@ -24,6 +31,11 @@ BLOCKED_BY_EXECUTION_POLICY = "Execution policy prevented invoking Azure PowerSh
 NO_AZ_ACCOUNT_MODULE = "NO_AZ_ACCOUNT_MODULE"
 POWERSHELL_NOT_INSTALLED = "PowerShell is not installed"
 RUN_CONNECT_AZ_ACCOUNT = 'Please run "Connect-AzAccount" to set up account'
+CLAIMS_UNSUPPORTED_ERROR = (
+    "This credential doesn't support claims challenges. To authenticate with the required "
+    "claims, please run the following command (requires Az.Accounts module version 5.2.0 or later): "
+    "Connect-AzAccount -ClaimsChallenge {claims_value}"
+)
 SCRIPT = """$ErrorActionPreference = 'Stop'
 [version]$minimumVersion = '2.2.0'
 
@@ -112,7 +124,7 @@ class AzurePowerShellCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -135,10 +147,11 @@ class AzurePowerShellCredential:
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked Azure PowerShell but didn't
           receive an access token
         """
-
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -170,6 +183,13 @@ class AzurePowerShellCredential:
         self, *scopes: str, options: Optional[TokenRequestOptions] = None, **kwargs: Any
     ) -> AccessTokenInfo:
 
+        # Check if claims challenge is provided
+        if options and "claims" in options and options["claims"]:
+            error_message = CLAIMS_UNSUPPORTED_ERROR.format(claims_value=encode_base64(options["claims"]))
+            if options.get("tenant_id"):
+                error_message += f" -Tenant {options.get('tenant_id')}"
+            raise CredentialUnavailableError(message=error_message)
+
         tenant_id = options.get("tenant_id") if options else None
         if tenant_id:
             validate_tenant_id(tenant_id)
@@ -269,7 +289,11 @@ def raise_for_error(return_code: int, stdout: str, stderr: str) -> None:
 
     if stderr:
         # stderr is too noisy to include with an exception but may be useful for debugging
-        _LOGGER.debug('%s received an error from Azure PowerShell: "%s"', AzurePowerShellCredential.__name__, stderr)
+        _LOGGER.debug(
+            '%s received an error from Azure PowerShell: "%s"',
+            AzurePowerShellCredential.__name__,
+            stderr,
+        )
     raise CredentialUnavailableError(
         message="Failed to invoke PowerShell. Enable debug logging for additional information."
     )