feat: support CLI login with Entra ID (#3943)

lib/crewai/src/crewai/cli/authentication/main.py

@@ -67,7 +67,11 @@ class ProviderFactory:
         module = importlib.import_module(
             f"crewai.cli.authentication.providers.{settings.provider.lower()}"
         )
-        provider = getattr(module, f"{settings.provider.capitalize()}Provider")
+        # Converts from snake_case to CamelCase to obtain the provider class name.
+        provider = getattr(
+            module,
+            f"{''.join(word.capitalize() for word in settings.provider.split('_'))}Provider",
+        )
 
         return cast("BaseProvider", provider(settings))
 
@@ -91,7 +95,7 @@ class AuthenticationCommand:
 
         device_code_payload = {
             "client_id": self.oauth2_provider.get_client_id(),
-            "scope": "openid",
+            "scope": " ".join(self.oauth2_provider.get_oauth_scopes()),
             "audience": self.oauth2_provider.get_audience(),
         }
         response = requests.post(
@@ -104,9 +108,14 @@ class AuthenticationCommand:
 
     def _display_auth_instructions(self, device_code_data: dict[str, str]) -> None:
         """Display the authentication instructions to the user."""
-        console.print("1. Navigate to: ", device_code_data["verification_uri_complete"])
+
+        verification_uri = device_code_data.get(
+            "verification_uri_complete", device_code_data.get("verification_uri", "")
+        )
+
+        console.print("1. Navigate to: ", verification_uri)
         console.print("2. Enter the following code: ", device_code_data["user_code"])
-        webbrowser.open(device_code_data["verification_uri_complete"])
+        webbrowser.open(verification_uri)
 
     def _poll_for_token(self, device_code_data: dict[str, Any]) -> None:
         """Polls the server for the token until it is received, or max attempts are reached."""
@@ -186,8 +195,9 @@ class AuthenticationCommand:
             )
 
             settings = Settings()
+
             console.print(
-                f"You are authenticated to the tool repository as [bold cyan]'{settings.org_name}'[/bold cyan] ({settings.org_uuid})",
+                f"You are now authenticated to the tool repository for organization [bold cyan]'{settings.org_name if settings.org_name else settings.org_uuid}'[/bold cyan]",
                 style="green",
             )
         except Exception:

lib/crewai/src/crewai/cli/authentication/providers/base_provider.py

@@ -28,3 +28,6 @@ class BaseProvider(ABC):
     def get_required_fields(self) -> list[str]:
         """Returns which provider-specific fields inside the "extra" dict will be required"""
         return []
+
+    def get_oauth_scopes(self) -> list[str]:
+        return ["openid", "profile", "email"]

lib/crewai/src/crewai/cli/authentication/providers/entra_id.py

@@ -0,0 +1,43 @@
+from typing import cast
+
+from crewai.cli.authentication.providers.base_provider import BaseProvider
+
+
+class EntraIdProvider(BaseProvider):
+    def get_authorize_url(self) -> str:
+        return f"{self._base_url()}/oauth2/v2.0/devicecode"
+
+    def get_token_url(self) -> str:
+        return f"{self._base_url()}/oauth2/v2.0/token"
+
+    def get_jwks_url(self) -> str:
+        return f"{self._base_url()}/discovery/v2.0/keys"
+
+    def get_issuer(self) -> str:
+        return f"{self._base_url()}/v2.0"
+
+    def get_audience(self) -> str:
+        if self.settings.audience is None:
+            raise ValueError(
+                "Audience is required. Please set it in the configuration."
+            )
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def get_oauth_scopes(self) -> list[str]:
+        return [
+            *super().get_oauth_scopes(),
+            *cast(str, self.settings.extra.get("scope", "")).split(),
+        ]
+
+    def get_required_fields(self) -> list[str]:
+        return ["scope"]
+
+    def _base_url(self) -> str:
+        return f"https://login.microsoftonline.com/{self.settings.domain}"

lib/crewai/src/crewai/cli/authentication/utils.py

@@ -1,10 +1,12 @@
+from typing import Any
+
 import jwt
 from jwt import PyJWKClient
 
 
 def validate_jwt_token(
     jwt_token: str, jwks_url: str, issuer: str, audience: str
-) -> dict:
+) -> Any:
     """
     Verify the token's signature and claims using PyJWT.
     :param jwt_token: The JWT (JWS) string to validate.
@@ -24,6 +26,7 @@ def validate_jwt_token(
         _unverified_decoded_token = jwt.decode(
             jwt_token, options={"verify_signature": False}
         )
+
         return jwt.decode(
             jwt_token,
             signing_key.key,

lib/crewai/src/crewai/cli/tools/main.py

@@ -162,7 +162,7 @@ class ToolCommand(BaseCommand, PlusAPIMixin):
 
         if login_response.status_code != 200:
             console.print(
-                "Authentication failed. Verify access to the tool repository, or try `crewai login`. ",
+                "Authentication failed. Verify if the currently active organization access to the tool repository, and run 'crewai login' again. ",
                 style="bold red",
             )
             raise SystemExit