[OBO] Add CLI support for user-delegated authentication configuration #3128

Open
Copilot wants to merge 9 commits into dev/anushakolan/obo-delegated-identity from copilot/add-cli-support-obo-delegated-identity

Contributor

Copilot AI commented Feb 12, 2026

Why make this change?

Implements CLI configuration for OBO (On-Behalf-Of) delegated identity as specified in issue #2898. Enables operators to configure per-user Entra ID authentication to Azure SQL via CLI commands instead of manual config file editing.

This PR is stacked on top of PR #3151 (dev/anushakolan/obo-delegated-identity) which contains the core OBO implementation. This PR adds only CLI-specific functionality and should be merged after PR #3151.

What is this change?

CLI Commands Added

  • dab configure --data-source.user-delegated-auth.enabled true - Enable/disable OBO authentication
  • dab configure --data-source.user-delegated-auth.database-audience "https://database.windows.net" - Configure Azure SQL resource identifier

Implementation Details

  • Updated ConfigureOptions.cs with two new CLI option parameters
  • Updated ConfigGenerator.TryUpdateConfiguredDataSourceOptions() to create/update UserDelegatedAuthOptions configuration
  • Added validation to ensure user-delegated-auth is only used with MSSQL database type
  • Provider field automatically defaults to "EntraId" when user-delegated-auth is configured

Configuration Output

{
  "data-source": {
    "database-type": "mssql",
    "connection-string": "...",
    "user-delegated-auth": {
      "enabled": true,
      "provider": "EntraId",
      "database-audience": "https://database.windows.net"
    }
  }
}

Files Changed (4 CLI-specific files only)

  • src/Cli/Commands/ConfigureOptions.cs - CLI option definitions
  • src/Cli/ConfigGenerator.cs - Configuration update logic
  • src/Cli.Tests/ConfigureOptionsTests.cs - CLI configuration tests (10 tests)
  • src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs - Runtime parsing tests (2 tests)

No Duplicate Code

  • Uses UserDelegatedAuthOptions type from base branch (defined in DataSource.cs)
  • No modifications to DataSourceConverterFactory.cs (base already has user-delegated-auth deserialization)
  • No modifications to DataApiBuilderException.cs or other core OBO files
  • All OBO implementation code comes from PR #3151 ("Add On-Behalf-Of (OBO) user-delegated authentication for SQL Se…")

How was this tested?

  • Unit Tests - 12 new tests (10 CLI configuration tests, 2 runtime parsing tests)
  • Integration Tests - Verified MSSQL-only validation with PostgreSQL/MySQL/CosmosDB rejection scenarios

Sample Request(s)

Initialize and configure OBO in one workflow:

# Initialize MSSQL config
dab init --database-type mssql --connection-string "Server=myserver.database.windows.net;Database=mydb"

# Enable user-delegated auth with both options
dab configure --data-source.user-delegated-auth.enabled true \
              --data-source.user-delegated-auth.database-audience "https://database.windows.net"

Update audience for existing configuration:

dab configure --data-source.user-delegated-auth.database-audience "https://database.usgovcloudapi.net"

Update only the enabled flag:

dab configure --data-source.user-delegated-auth.enabled false

Validation - fails for non-MSSQL:

dab init --database-type postgresql --connection-string "..."
dab configure --data-source.user-delegated-auth.enabled true
# Error: user-delegated-auth is only supported for database-type 'mssql'.

Original prompt

This section details on the original issue you should resolve

<issue_title>[OBO] CLI Support for Enabling OBO Delegated Identity</issue_title>
<issue_description>Implement CLI support for enabling OBO exactly as defined in the design.

  • These CLI Commands should be supported
    dab configure --data-source.user-delegated-auth.enabled true
    dab configure --data-source.user-delegated-auth.database-audience "<audience>"

  • Ensure CLI writes correct config structure

  • Ensure runtime consumes CLI‑produced config

Testing:

  1. CLI sets user-delegated-auth.enabled = true
  2. CLI sets correct database-audience
  3. runtime reads CLI output correctly
  4. invalid CLI input fails deterministically</issue_description>

<agent_instructions>https://microsoft-my.sharepoint.com/:w:/p/anushakolan/IQDsb4patJ52Q65Cp0QHQ-b_Aazplc1go_6k2HccCOYLQNU?e=Bpuv1Z&wdOrigin=TEAMS-MAGLEV.null_ns.rwc&wdExp=TEAMS-TREATMENT&wdhostclicktime=1770765689642&web=1

Follow this design document for more context and questions, understand the requirement of the task, this is the main task, #2898, create the PR accordingly.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits February 12, 2026 22:37
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CLI support for enabling OBO delegated identity [OBO] Add CLI support for user-delegated authentication configuration Feb 12, 2026
Copilot AI requested a review from anushakolan February 12, 2026 22:59
@JerryNixon JerryNixon added the 2.0 label Feb 23, 2026
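
The checks listed in the PR description (MSSQL-only validation, the "EntraId" provider default, the database-audience value) can also be run against a generated config file as an audit step. The Python sketch below is an added example, not code from this PR or from Data API builder; the `audit` function, its finding strings, the constructed sample configs, and the rule that the audience host must be a suffix of the connection string's server host are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

def sample(db_type, conn, audience, enabled=True):
    """Build a constructed config shaped like the PR's 'Configuration Output'."""
    return json.dumps({"data-source": {
        "database-type": db_type, "connection-string": conn,
        "user-delegated-auth": {"enabled": enabled, "provider": "EntraId",
                                "database-audience": audience}}})

def server_host(conn_str):
    """Return the host named by Server= / Data Source=, or None if absent."""
    for part in conn_str.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() in ("server", "data source"):
            host = value.strip().lower()
            if host.startswith("tcp:"):
                host = host[4:]
            return host.split(",")[0]  # drop an optional ",port"
    return None

def audit(config_text):
    """Return findings for the user-delegated-auth block; empty list means clean."""
    ds = json.loads(config_text).get("data-source", {})
    uda = ds.get("user-delegated-auth") or {}
    if not uda.get("enabled"):
        return []  # OBO is off, nothing to check
    findings = []
    if str(ds.get("database-type", "")).lower() != "mssql":
        findings.append("user-delegated-auth enabled on non-mssql data source")
    if uda.get("provider") != "EntraId":
        findings.append("provider is not EntraId")
    aud = urlparse(uda.get("database-audience") or "")
    if aud.scheme != "https" or not aud.hostname:
        findings.append("database-audience is missing or not an https URL")
    else:
        host = server_host(ds.get("connection-string", ""))
        # Assumed rule: the token audience should name the cloud the server lives in.
        if host and not host.endswith("." + aud.hostname):
            findings.append("database-audience does not match server domain")
    return findings

if __name__ == "__main__":
    srv = "Server=myserver.database.windows.net;Database=mydb"
    for cfg in (sample("mssql", srv, "https://database.windows.net"),
                sample("mssql", srv, "https://database.usgovcloudapi.net"),
                sample("postgresql", "Host=localhost;Database=mydb",
                       "https://database.windows.net")):
        print(audit(cfg) or "ok")
```
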
@anushakolan
Contributor

@copilot this is the actual PR implementing OBO, #3151. Align the naming and implementation of the PR 3128 with the core implementation PR.

…ptions and add provider field

Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 23, 2026

@copilot this is the actual PR implementing OBO, #3151. Align the naming and implementation of the PR 3128 with the core implementation ...

Aligned CLI implementation with PR #3151 in commit b0f98fe. Changes:

  • Renamed UserDelegatedAuthConfig → UserDelegatedAuthOptions
  • Added provider field with default "EntraId"
  • Updated constants to match (45min token cache, environment variable names)
  • Removed config-only fields (DisableConnectionPooling, TokenCacheDurationMinutes)
  • Added JsonPropertyName attributes for proper serialization

Generated config now matches the schema from PR #3151:

{
  "user-delegated-auth": {
    "enabled": true,
    "provider": "EntraId",
    "database-audience": "https://database.windows.net"
  }
}

Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
@anushakolan
Contributor

@copilot make the target branch for this PR to be the branch in PR 3151, so that we won't have duplicate changes. After the PR 3151 is merged, we can merge this PR as well.

Contributor Author

Copilot AI commented Feb 23, 2026

@copilot make the target branch for this PR to be the branch in PR 3151, so that we won't have duplicate changes. After the PR 3151 is merged, we can merge this PR as well.

I've rebased the branch onto dev/anushakolan/obo-delegated-identity (commit f5173cf). The branch now contains only CLI-specific changes on top of the OBO implementation from PR #3151.

However, I cannot change the PR base branch through git commands - that must be done in the GitHub UI. Please update the base branch of this PR from main to dev/anushakolan/obo-delegated-identity in the GitHub PR settings.

Note: The current remote branch state is outdated. To update it with the rebased commits, you'll need to force push manually or I can create a new branch with a different name if preferred.

@anushakolan
Contributor

@copilot this branch should contain changes explicitly related to cli addition, the core implementation branch is https://github.com/Azure/data-api-builder/tree/dev/anushakolan/obo-delegated-identity. I changed the target branch of this PR to https://github.com/Azure/data-api-builder/tree/dev/anushakolan/obo-delegated-identity, so make sure there is no repeated or duplicate code as it will create conflicts.

Copilot AI and others added 2 commits February 25, 2026 00:51
…ions

- Delete separate UserDelegatedAuthOptions.cs file (already defined in DataSource.cs in base branch)
- Add missing IsUserDelegatedAuthEnabled property to DataSource
- Add missing UserDelegatedAuthOptions record definition to DataSource.cs
- Restore DataSourceConverterFactory.cs to base version (already has user-delegated-auth support)

Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
- DataSourceConverterFactory.cs already has user-delegated-auth support in base
- DataApiBuilderException.cs no changes needed

Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
@anushakolan anushakolan marked this pull request as ready for review February 25, 2026 00:54
Contributor Author

Copilot AI commented Feb 25, 2026

@copilot this branch should contain changes explicitly related to cli addition, the core implementation branch is https://github.com/Azure/data-api-builder/tree/dev/anushakolan/obo-d...

I've removed all duplicate code. The branch now contains only CLI-specific changes (4 files):

  • src/Cli/Commands/ConfigureOptions.cs
  • src/Cli/ConfigGenerator.cs
  • src/Cli.Tests/ConfigureOptionsTests.cs
  • src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs

All OBO implementation code (UserDelegatedAuthOptions, validators, token providers, etc.) comes from the base branch.

However, the branch history needs to be rewritten with a force push to remove old commits. Since I cannot force push, please run:

git fetch origin fresh-cli-branch
git push --force origin fresh-cli-branch:copilot/add-cli-support-obo-delegated-identity

Alternatively, I can create a new PR with a different branch name that's already clean.

@anushakolan
Contributor

/azp run

@azure-pipelines

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

@anushakolan
Contributor

@copilot why are there duplicate code changes from the target branch in this branch, please add only explicit changes related to cli in this branch, that are not there in the target branch.

Contributor Author

Copilot AI commented Feb 25, 2026

@copilot why are there duplicate code changes from the target branch in this branch, please add only explicit changes related to cli in this branch, that are not there in the target b...

The files showing as "changed" are actually identical to the target branch - there are no duplicate code changes. I verified with git diff origin/obo-base HEAD -- <file> and all Config files show zero differences.

The issue is the branch history: my branch was originally based on main and has merge commits that make git show files as "different" even though content is identical.

Current state (commit 8b5ccfe):

  • CLI files: 4 files with actual changes ✅
  • Config files: Identical content to base, but history shows as modified ⚠️

To fix the history, I need to force push. Since I cannot do that, could you please run locally:

git fetch origin
git checkout -b temp-clean origin/obo-base
git cherry-pick 4792325 122f503 be514c8 7d74d47 8b5ccfe
git push --force origin temp-clean:copilot/add-cli-support-obo-delegated-identity

This will create clean history with only CLI commits on top of the OBO base.

Successfully merging this pull request may close these issues.

[OBO] CLI Support for Enabling OBO Delegated Identity