
FEAT: Add "credential= " parameter for custom Azure Identity credential support #603

Open: jahnvi480 wants to merge 4 commits into main from jahnvi/custom-credential-support

@jahnvi480 jahnvi480 commented May 27, 2026

Work Item / Issue Reference

AB#45121

GitHub Issue: #577


Summary

This pull request adds support for supplying a custom Azure credential object for Entra ID (Azure AD) authentication via a new credential parameter in the connection API. This allows users to directly pass any object with a .get_token(scope) method (such as Azure Identity credentials), providing more flexibility and control over authentication. The implementation ensures this parameter is mutually exclusive with the existing Authentication= connection string option, and includes robust error handling and comprehensive tests for the new feature.

The most important changes are:

Custom Credential Support for Entra ID Authentication:

  • Added a new credential parameter to the connect() API and Connection constructor, allowing users to pass a custom credential object for authentication. This parameter is mutually exclusive with the Authentication= connection string option, and appropriate errors are raised if both are provided.
  • Implemented internal helpers acquire_token_from_credential and acquire_raw_token_from_credential to centralize token acquisition and error handling from custom credential objects.

Integration with Bulk Copy and Connection Logic:

  • Updated the bulk copy logic to use the user-supplied credential (if present) to acquire a fresh token, ensuring correct authentication for bulk operations.

Constants and Codebase Cleanup:

  • Refactored connection string constants and aliases for improved readability and maintainability, ensuring consistent usage throughout the codebase.

Testing Enhancements:

  • Added comprehensive tests for the new credential parameter, including happy paths, error cases (e.g., missing or invalid .get_token), and integration with other connection options. Also added tests for the new token acquisition helpers.

These changes provide a more flexible and robust authentication mechanism for users who need explicit control over Azure credential selection.

Add a new 'credential' parameter to connect() that accepts any object
following the Azure TokenCredential protocol (.get_token() method).
This allows users to authenticate with any azure-identity credential
class without being limited to the driver's hardcoded credential map.

Changes:
- auth.py: Add _get_token_from_credential() shared helper,
  acquire_token_from_credential(), acquire_raw_token_from_credential()
- db_connection.py: Add credential=None parameter to connect()
- connection.py: Validate credential, acquire token, store for
  bulk copy token refresh. Mutually exclusive with Authentication=
- cursor.py: Check _custom_credential before _auth_type in bulk copy
- constants.py: Unify _KEY_* constants with _ALLOWED_CONNECTION_STRING_PARAMS
  to use single source of truth (_CONNECTION_STRING_*_KEY pattern)
- test_008_auth.py: Add 12 new tests for custom credential flow
Copilot AI left a comment


Pull request overview

This PR adds a new credential= parameter to the public connection API to support custom Azure Identity (Entra ID) credential objects for token acquisition, and wires that credential through to bulk copy so fresh tokens can be acquired when needed.

Changes:

  • Added credential parameter to connect() / Connection to accept objects implementing .get_token(scope).
  • Implemented credential-based token acquisition helpers in auth.py and integrated credential token usage into Cursor.bulkcopy().
  • Refactored connection-string key constants and added test coverage for the new credential flows.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| tests/test_008_auth.py | Adds unit tests for the new credential token helpers and connect(..., credential=...) behaviors. |
| mssql_python/db_connection.py | Extends the connect() API to accept and forward the new credential parameter. |
| mssql_python/cursor.py | Updates bulk copy to acquire a fresh token from a user-supplied custom credential when present. |
| mssql_python/constants.py | Refactors connection-string key constants/aliases used by auth/connection code. |
| mssql_python/connection.py | Implements the new credential parameter behavior (validation, token acquisition, mutual exclusivity with Authentication=). |
| mssql_python/auth.py | Adds centralized helpers for acquiring raw tokens / ODBC token structs from custom credentials. |


Comment thread mssql_python/connection.py
Comment thread mssql_python/db_connection.py
jahnvi480 added 2 commits May 27, 2026 19:51
- Strip UID/PWD/Trusted_Connection from connection_str when credential=
  is used (same as Authentication= path) to avoid leaking unused secrets
- Add credential= parameter to Connection.__init__ and connect() in
  mssql_python.pyi type stubs
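
The credential flow from the PR summary, together with the secret stripping described in this commit, as an added sketch that is not the driver's own code. `prepare_connection`, `split_params` and `StaticCredential` are hypothetical names, and the token scope and the length-prefixed UTF-16-LE struct layout are assumptions.

```python
import struct
from collections import namedtuple

SQL_SCOPE = "https://database.windows.net/.default"  # assumed Azure SQL scope
STRIP_KEYS = {"uid", "pwd", "trusted_connection"}     # unused once a token is supplied
AccessToken = namedtuple("AccessToken", "token expires_on")  # stand-in for azure.core's type


def split_params(conn_str):
    """Naive key=value split; a real parser must also handle {braced} values."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return [(k.strip(), v.strip()) for k, v in pairs]


def prepare_connection(conn_str, credential):
    """Hypothetical helper: return (sanitized connection string, ODBC token struct)."""
    params = split_params(conn_str)
    if any(k.lower() == "authentication" for k, _ in params):
        raise ValueError("credential= and Authentication= are mutually exclusive")
    if not callable(getattr(credential, "get_token", None)):
        raise TypeError("credential must provide a callable get_token(scope)")
    try:
        token = credential.get_token(SQL_SCOPE).token
    except Exception as exc:
        # Report only the exception type so no secret ends up in the message.
        raise RuntimeError(f"token acquisition failed: {type(exc).__name__}") from exc
    if not isinstance(token, str) or not token:
        raise RuntimeError("credential returned an empty or non-string token")
    raw = token.encode("utf-16-le")
    # Assumed layout: 4-byte little-endian length, then the UTF-16-LE token bytes.
    token_struct = struct.pack(f"<I{len(raw)}s", len(raw), raw)
    kept = [(k, v) for k, v in params if k.lower() not in STRIP_KEYS]
    return ";".join(f"{k}={v}" for k, v in kept), token_struct


class StaticCredential:
    """Constructed test double; a real caller passes an azure-identity credential."""

    def get_token(self, *scopes, **kwargs):
        return AccessToken("constructed-token", 0)


if __name__ == "__main__":
    cs = "Server=tcp:example.invalid;Database=db;UID=alice;PWD=constructed-secret"
    sanitized, blob = prepare_connection(cs, StaticCredential())
    print(sanitized, len(blob))
```
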
The _make_cursor helper uses MagicMock for the connection, which
auto-creates truthy attributes. Without explicitly setting
_custom_credential = None, the bulk copy code takes the custom
credential path instead of the expected _auth_type path.
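
The mock pitfall this commit describes, reproduced as an added example that is not taken from the project's test suite. `pick_token_path` is a hypothetical stand-in for the bulk copy branch, and `unpinned_auth_attrs` is an assumed guard a test helper could call to catch auth-decision attributes left as auto-created mocks.

```python
from unittest.mock import MagicMock, Mock

AUTH_ATTRS = ("_custom_credential", "_auth_type")


def pick_token_path(connection):
    """Hypothetical stand-in for the bulk copy branch: credential first, then auth type."""
    if connection._custom_credential:
        return "custom_credential"
    if connection._auth_type:
        return "auth_type"
    return "no_token"


def unpinned_auth_attrs(connection):
    """Auth-decision attributes that are still auto-created mocks (always truthy)."""
    return [name for name in AUTH_ATTRS if isinstance(getattr(connection, name), Mock)]


def naive_connection():
    conn = MagicMock()
    conn._auth_type = "activedirectorydefault"  # constructed sample value
    return conn  # _custom_credential was never set, so it is an auto-created MagicMock


def pinned_connection():
    conn = naive_connection()
    conn._custom_credential = None  # pin the attribute the branch tests first
    return conn


if __name__ == "__main__":
    for factory in (naive_connection, pinned_connection):
        conn = factory()
        print(factory.__name__, pick_token_path(conn), unpinned_auth_attrs(conn))
```
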
github-actions Bot commented May 27, 2026

📊 Code Coverage Report

🔥 Diff Coverage

100%


🎯 Overall Coverage

80%


📈 Total Lines Covered: 6673 out of 8278
📁 Project: mssql-python


Diff Coverage

Diff: main...HEAD, staged and unstaged changes

  • mssql_python/auth.py (100%)
  • mssql_python/connection.py (100%)
  • mssql_python/constants.py (100%)

Summary

  • Total: 31 lines
  • Missing: 0 lines
  • Coverage: 100%

📋 Files Needing Attention

📉 Files with overall lowest coverage
mssql_python.pybind.logger_bridge.cpp: 59.2%
mssql_python.pybind.ddbc_bindings.h: 59.7%
mssql_python.pybind.logger_bridge.hpp: 70.8%
mssql_python.pybind.ddbc_bindings.cpp: 76.1%
mssql_python.row.py: 76.9%
mssql_python.__init__.py: 77.3%
mssql_python.pybind.connection.connection.cpp: 77.3%
mssql_python.ddbc_bindings.py: 79.6%
mssql_python.logging.py: 85.5%
mssql_python.cursor.py: 87.2%
