[App Config] az appconfig: Add support for custom token audience to --auth-mode login parameter (Azure#30739)

Author: albertofori

src/azure-cli/azure/cli/command_modules/appconfig/_credential.py

@@ -0,0 +1,23 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+# pylint: disable=too-few-public-methods
+from azure.cli.core.auth.util import resource_to_scopes
+
+
+# This class is used to pass in custom token audience that will be respected by the SDK.
+# Users can configure an audience based on their cloud.
+class AppConfigurationCliCredential:
+
+    def __init__(self, credential, resource: str = None):
+        self._impl = credential
+        self._resource = resource
+
+    def get_token(self, *scopes, **kwargs):
+
+        if self._resource is not None:
+            scopes = resource_to_scopes(self._resource)
+
+        return self._impl.get_token(*scopes, **kwargs)

src/azure-cli/azure/cli/command_modules/appconfig/_utils.py

@@ -177,10 +177,18 @@ def get_appconfig_data_client(cmd, name, connection_string, auth_mode, endpoint)
                 raise CLIError(str(ex) + "\nYou may be able to resolve this issue by providing App Configuration endpoint instead of name.")
 
         from azure.cli.core._profile import Profile
+        from azure.cli.core.cloud import get_active_cloud
+        from ._credential import AppConfigurationCliCredential
         profile = Profile(cli_ctx=cmd.cli_ctx)
         cred, _, _ = profile.get_login_credentials()
+
+        current_cloud = get_active_cloud(cmd.cli_ctx)
+        token_audience = None
+        if hasattr(current_cloud.endpoints, "appconfig_auth_token_audience"):
+            token_audience = current_cloud.endpoints.appconfig_auth_token_audience
+
         try:
-            azconfig_client = AzureAppConfigurationClient(credential=cred,
+            azconfig_client = AzureAppConfigurationClient(credential=AppConfigurationCliCredential(cred._credential, token_audience),  # pylint: disable=protected-access
                                                           base_url=endpoint,
                                                           user_agent=HttpHeaders.USER_AGENT)
         except (ValueError, TypeError) as ex: