Merge pull request #83 from docker/azure-login

Azure login
2020-05-15 15:38:27 +02:00 · 2020-05-15 15:38:27 +02:00 · 4dbb0df34c
parent 230cccff76 7cf2309ca6
commit 4dbb0df34c
19 changed files with 876 additions and 32 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@ -2,7 +2,7 @@ linters:
  run:
    concurrency: 2
    skip-dirs:
-      - composefiles
+      - tests/composefiles
  enable-all: false
  disable-all: true
  enable:
--- a/azure/aci.go
+++ b/azure/aci.go
@ -6,14 +6,14 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
-	"os"
 	"strings"
 	"time"

+	"github.com/docker/api/azure/login"
+
 	"github.com/Azure/azure-sdk-for-go/profiles/2019-03-01/resources/mgmt/resources"
 	"github.com/Azure/azure-sdk-for-go/profiles/preview/preview/subscription/mgmt/subscription"
 	"github.com/Azure/azure-sdk-for-go/services/containerinstance/mgmt/2018-10-01/containerinstance"
-	"github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/to"
 	tm "github.com/buger/goterm"
@ -24,14 +24,6 @@ import (
 	"github.com/docker/api/context/store"
 )

-func init() {
-	// required to get auth.NewAuthorizerFromCLI() to work, otherwise getting "The access token has been obtained for wrong audience or resource 'https://vault.azure.net'."
-	err := os.Setenv("AZURE_KEYVAULT_RESOURCE", "https://management.azure.com")
-	if err != nil {
-		panic("unable to set environment variable AZURE_KEYVAULT_RESOURCE")
-	}
-}
-
 func createACIContainers(ctx context.Context, aciContext store.AciContext, groupDefinition containerinstance.ContainerGroup) error {
 	containerGroupsClient, err := getContainerGroupsClient(aciContext.SubscriptionID)
 	if err != nil {
@ -243,7 +235,7 @@ func getACIContainerLogs(ctx context.Context, aciContext store.AciContext, conta
 }

 func getContainerGroupsClient(subscriptionID string) (containerinstance.ContainerGroupsClient, error) {
-	auth, err := auth.NewAuthorizerFromCLI()
+	auth, err := login.NewAuthorizerFromLogin()
 	if err != nil {
 		return containerinstance.ContainerGroupsClient{}, err
 	}
@ -256,7 +248,7 @@ func getContainerGroupsClient(subscriptionID string) (containerinstance.Containe
 }

 func getContainerClient(subscriptionID string) (containerinstance.ContainerClient, error) {
-	auth, err := auth.NewAuthorizerFromCLI()
+	auth, err := login.NewAuthorizerFromLogin()
 	if err != nil {
 		return containerinstance.ContainerClient{}, err
 	}
@ -267,7 +259,7 @@ func getContainerClient(subscriptionID string) (containerinstance.ContainerClien

 func getSubscriptionsClient() subscription.SubscriptionsClient {
 	subc := subscription.NewSubscriptionsClient()
-	authorizer, _ := auth.NewAuthorizerFromCLI()
+	authorizer, _ := login.NewAuthorizerFromLogin()
 	subc.Authorizer = authorizer
 	return subc
 }
@ -275,7 +267,7 @@ func getSubscriptionsClient() subscription.SubscriptionsClient {
 // GetGroupsClient ...
 func GetGroupsClient(subscriptionID string) resources.GroupsClient {
 	groupsClient := resources.NewGroupsClient(subscriptionID)
-	authorizer, _ := auth.NewAuthorizerFromCLI()
+	authorizer, _ := login.NewAuthorizerFromLogin()
 	groupsClient.Authorizer = authorizer
 	return groupsClient
 }
--- a/azure/backend.go
+++ b/azure/backend.go
@ -8,13 +8,15 @@ import (
 	"strconv"
 	"strings"

+	"github.com/docker/api/context/cloud"
+
 	"github.com/Azure/azure-sdk-for-go/services/containerinstance/mgmt/2018-10-01/containerinstance"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
 	"github.com/compose-spec/compose-go/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"

 	"github.com/docker/api/azure/convert"
+	"github.com/docker/api/azure/login"
 	"github.com/docker/api/backend"
 	"github.com/docker/api/compose"
 	"github.com/docker/api/containers"
@ -50,43 +52,48 @@ func New(ctx context.Context) (backend.Service, error) {
 	}
 	aciContext, _ := metadata.Metadata.Data.(store.AciContext)

-	auth, _ := auth.NewAuthorizerFromCLI()
+	auth, _ := login.NewAuthorizerFromLogin()
 	containerGroupsClient := containerinstance.NewContainerGroupsClient(aciContext.SubscriptionID)
 	containerGroupsClient.Authorizer = auth

-	return getAciAPIService(containerGroupsClient, aciContext), nil
+	return getAciAPIService(containerGroupsClient, aciContext)
 }

-func getAciAPIService(cgc containerinstance.ContainerGroupsClient, aciCtx store.AciContext) *aciAPIService {
+func getAciAPIService(cgc containerinstance.ContainerGroupsClient, aciCtx store.AciContext) (*aciAPIService, error) {
+	service, err := login.NewAzureLoginService()
+	if err != nil {
+		return nil, err
+	}
 	return &aciAPIService{
 		aciContainerService: aciContainerService{
 			containerGroupsClient: cgc,
 			ctx:                   aciCtx,
 		},
 		aciComposeService: aciComposeService{
-			containerGroupsClient: cgc,
-			ctx:                   aciCtx,
+			ctx: aciCtx,
 		},
-	}
+		aciCloudService: aciCloudService{
+			loginService: service,
+		},
+	}, nil
 }

 type aciAPIService struct {
 	aciContainerService
 	aciComposeService
+	aciCloudService
 }

 func (a *aciAPIService) ContainerService() containers.Service {
-	return &aciContainerService{
-		containerGroupsClient: a.aciContainerService.containerGroupsClient,
-		ctx:                   a.aciContainerService.ctx,
-	}
+	return &a.aciContainerService
 }

 func (a *aciAPIService) ComposeService() compose.Service {
-	return &aciComposeService{
-		containerGroupsClient: a.aciComposeService.containerGroupsClient,
-		ctx:                   a.aciComposeService.ctx,
-	}
+	return &a.aciComposeService
+}
+
+func (a *aciAPIService) CloudService() cloud.Service {
+	return &a.aciCloudService
 }

 type aciContainerService struct {
@ -231,8 +238,7 @@ func (cs *aciContainerService) Delete(ctx context.Context, containerID string, _
 }

 type aciComposeService struct {
-	containerGroupsClient containerinstance.ContainerGroupsClient
-	ctx                   store.AciContext
+	ctx store.AciContext
 }

 func (cs *aciComposeService) Up(ctx context.Context, opts compose.ProjectOptions) error {
@ -266,3 +272,11 @@ func (cs *aciComposeService) Down(ctx context.Context, opts compose.ProjectOptio

 	return err
 }
+
+type aciCloudService struct {
+	loginService login.AzureLoginService
+}
+
+func (cs *aciCloudService) Login(ctx context.Context, params map[string]string) error {
+	return cs.loginService.Login(ctx)
+}
--- a/azure/login/login.go
+++ b/azure/login/login.go
@ -0,0 +1,243 @@
+package login
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"math/rand"
+	"net/url"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"time"
+
+	"github.com/docker/api/errdefs"
+
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
+	"github.com/Azure/go-autorest/autorest/azure/cli"
+	"github.com/Azure/go-autorest/autorest/date"
+	"golang.org/x/oauth2"
+
+	"github.com/pkg/errors"
+)
+
+func init() {
+	rand.Seed(time.Now().Unix())
+}
+
+//go login process, derived from code sample provided by MS at https://github.com/devigned/go-az-cli-stuff
+const (
+	authorizeFormat  = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?response_type=code&client_id=%s&redirect_uri=%s&state=%s&prompt=select_account&response_mode=query&scope=%s"
+	tokenEndpoint    = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"
+	authorizationURL = "https://management.azure.com/tenants?api-version=2019-11-01"
+	// scopes for a multi-tenant app works for openid, email, other common scopes, but fails when trying to add a token
+	// v1 scope like "https://management.azure.com/.default" for ARM access
+	scopes   = "offline_access https://management.azure.com/.default"
+	clientID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46" // Azure CLI client id
+)
+
+type (
+	azureToken struct {
+		Type         string `json:"token_type"`
+		Scope        string `json:"scope"`
+		ExpiresIn    int    `json:"expires_in"`
+		ExtExpiresIn int    `json:"ext_expires_in"`
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+		Foci         string `json:"foci"`
+	}
+
+	tenantResult struct {
+		Value []tenantValue `json:"value"`
+	}
+	tenantValue struct {
+		TenantID string `json:"tenantId"`
+	}
+)
+
+// AzureLoginService Service to log into azure and get authentifier for azure APIs
+type AzureLoginService struct {
+	tokenStore tokenStore
+	apiHelper  apiHelper
+}
+
+const tokenStoreFilename = "dockerAccessToken.json"
+
+// NewAzureLoginService creates a NewAzureLoginService
+func NewAzureLoginService() (AzureLoginService, error) {
+	return newAzureLoginServiceFromPath(getTokenStorePath(), azureAPIHelper{})
+}
+
+func newAzureLoginServiceFromPath(tokenStorePath string, helper apiHelper) (AzureLoginService, error) {
+	store, err := newTokenStore(tokenStorePath)
+	if err != nil {
+		return AzureLoginService{}, err
+	}
+	return AzureLoginService{
+		tokenStore: store,
+		apiHelper:  helper,
+	}, nil
+}
+
+//Login perform azure login through browser
+func (login AzureLoginService) Login(ctx context.Context) error {
+	queryCh := make(chan url.Values, 1)
+	serverPort, err := startLoginServer(queryCh)
+	if err != nil {
+		return err
+	}
+
+	redirectURL := "http://localhost:" + strconv.Itoa(serverPort)
+	login.apiHelper.openAzureLoginPage(redirectURL)
+
+	select {
+	case <-ctx.Done():
+		return nil
+	case qsValues := <-queryCh:
+		errorMsg, hasError := qsValues["error"]
+		if hasError {
+			return fmt.Errorf("login failed : %s", errorMsg)
+		}
+		code, hasCode := qsValues["code"]
+		if !hasCode {
+			return errdefs.ErrLoginFailed
+		}
+		data := url.Values{
+			"grant_type":   []string{"authorization_code"},
+			"client_id":    []string{clientID},
+			"code":         code,
+			"scope":        []string{scopes},
+			"redirect_uri": []string{redirectURL},
+		}
+		token, err := login.apiHelper.queryToken(data, "organizations")
+		if err != nil {
+			return errors.Wrap(err, "Access token request failed")
+		}
+
+		bits, statusCode, err := login.apiHelper.queryAuthorizationAPI(authorizationURL, fmt.Sprintf("Bearer %s", token.AccessToken))
+		if err != nil {
+			return errors.Wrap(err, "login failed")
+		}
+
+		if statusCode == 200 {
+			var tenantResult tenantResult
+			if err := json.Unmarshal(bits, &tenantResult); err != nil {
+				return errors.Wrap(err, "login failed")
+			}
+			tenantID := tenantResult.Value[0].TenantID
+			tenantToken, err := login.refreshToken(token.RefreshToken, tenantID)
+			if err != nil {
+				return errors.Wrap(err, "login failed")
+			}
+			loginInfo := TokenInfo{TenantID: tenantID, Token: tenantToken}
+
+			err = login.tokenStore.writeLoginInfo(loginInfo)
+
+			if err != nil {
+				return errors.Wrap(err, "login failed")
+			}
+			fmt.Println("Login Succeeded")
+
+			return nil
+		}
+
+		return fmt.Errorf("login failed : " + string(bits))
+	}
+}
+
+func getTokenStorePath() string {
+	cliPath, _ := cli.AccessTokensPath()
+	return filepath.Join(filepath.Dir(cliPath), tokenStoreFilename)
+}
+
+func toOAuthToken(token azureToken) oauth2.Token {
+	expireTime := time.Now().Add(time.Duration(token.ExpiresIn) * time.Second)
+	oauthToken := oauth2.Token{
+		RefreshToken: token.RefreshToken,
+		AccessToken:  token.AccessToken,
+		Expiry:       expireTime,
+		TokenType:    token.Type,
+	}
+	return oauthToken
+}
+
+// NewAuthorizerFromLogin creates an authorizer based on login access token
+func NewAuthorizerFromLogin() (autorest.Authorizer, error) {
+	login, err := NewAzureLoginService()
+	if err != nil {
+		return nil, err
+	}
+	oauthToken, err := login.GetValidToken()
+	if err != nil {
+		return nil, err
+	}
+
+	token := adal.Token{
+		AccessToken:  oauthToken.AccessToken,
+		Type:         oauthToken.TokenType,
+		ExpiresIn:    json.Number(strconv.Itoa(int(time.Until(oauthToken.Expiry).Seconds()))),
+		ExpiresOn:    json.Number(strconv.Itoa(int(oauthToken.Expiry.Sub(date.UnixEpoch()).Seconds()))),
+		RefreshToken: "",
+		Resource:     "",
+	}
+
+	return autorest.NewBearerAuthorizer(&token), nil
+}
+
+// GetValidToken returns an access token. Refresh token if needed
+func (login AzureLoginService) GetValidToken() (oauth2.Token, error) {
+	loginInfo, err := login.tokenStore.readToken()
+	if err != nil {
+		return oauth2.Token{}, err
+	}
+	token := loginInfo.Token
+	if token.Valid() {
+		return token, nil
+	}
+	tenantID := loginInfo.TenantID
+	token, err = login.refreshToken(token.RefreshToken, tenantID)
+	if err != nil {
+		return oauth2.Token{}, errors.Wrap(err, "access token request failed. Maybe you need to login to azure again.")
+	}
+	err = login.tokenStore.writeLoginInfo(TokenInfo{TenantID: tenantID, Token: token})
+	if err != nil {
+		return oauth2.Token{}, err
+	}
+	return token, nil
+}
+
+func (login AzureLoginService) refreshToken(currentRefreshToken string, tenantID string) (oauth2.Token, error) {
+	data := url.Values{
+		"grant_type":    []string{"refresh_token"},
+		"client_id":     []string{clientID},
+		"scope":         []string{scopes},
+		"refresh_token": []string{currentRefreshToken},
+	}
+	token, err := login.apiHelper.queryToken(data, tenantID)
+	if err != nil {
+		return oauth2.Token{}, err
+	}
+
+	return toOAuthToken(token), nil
+}
+
+func openbrowser(url string) {
+	var err error
+
+	switch runtime.GOOS {
+	case "linux":
+		err = exec.Command("xdg-open", url).Start()
+	case "windows":
+		err = exec.Command("rundll32", "url.dll,FileProtocolHandler", url).Start()
+	case "darwin":
+		err = exec.Command("open", url).Start()
+	default:
+		err = fmt.Errorf("unsupported platform")
+	}
+	if err != nil {
+		log.Fatal(err)
+	}
+}
--- a/azure/login/loginHelper.go
+++ b/azure/login/loginHelper.go
@ -0,0 +1,75 @@
+package login
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+type apiHelper interface {
+	queryToken(data url.Values, tenantID string) (azureToken, error)
+	openAzureLoginPage(redirectURL string)
+	queryAuthorizationAPI(authorizationURL string, authorizationHeader string) ([]byte, int, error)
+}
+
+type azureAPIHelper struct{}
+
+func (helper azureAPIHelper) openAzureLoginPage(redirectURL string) {
+	state := randomString("", 10)
+	authURL := fmt.Sprintf(authorizeFormat, clientID, redirectURL, state, scopes)
+	openbrowser(authURL)
+}
+
+func (helper azureAPIHelper) queryAuthorizationAPI(authorizationURL string, authorizationHeader string) ([]byte, int, error) {
+	req, err := http.NewRequest(http.MethodGet, authorizationURL, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	req.Header.Add("Authorization", authorizationHeader)
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	bits, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+	return bits, res.StatusCode, nil
+}
+
+func (helper azureAPIHelper) queryToken(data url.Values, tenantID string) (azureToken, error) {
+	res, err := http.Post(fmt.Sprintf(tokenEndpoint, tenantID), "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
+	if err != nil {
+		return azureToken{}, err
+	}
+	if res.StatusCode != 200 {
+		return azureToken{}, errors.Errorf("error while renewing access token, status : %s", res.Status)
+	}
+	bits, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return azureToken{}, err
+	}
+	token := azureToken{}
+	if err := json.Unmarshal(bits, &token); err != nil {
+		return azureToken{}, err
+	}
+	return token, nil
+}
+
+var (
+	letterRunes = []rune("abcdefghijklmnopqrstuvwxyz123456789")
+)
+
+func randomString(prefix string, length int) string {
+	b := make([]rune, length)
+	for i := range b {
+		b[i] = letterRunes[rand.Intn(len(letterRunes))]
+	}
+	return prefix + string(b)
+}
--- a/azure/login/login_test.go
+++ b/azure/login/login_test.go
@ -0,0 +1,240 @@
+package login
+
+import (
+	"context"
+	"errors"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
+
+	"golang.org/x/oauth2"
+
+	. "github.com/onsi/gomega"
+)
+
+type LoginSuiteTest struct {
+	suite.Suite
+	dir        string
+	mockHelper *MockAzureHelper
+	azureLogin AzureLoginService
+}
+
+func (suite *LoginSuiteTest) BeforeTest(suiteName, testName string) {
+	dir, err := ioutil.TempDir("", "test_store")
+	Expect(err).To(BeNil())
+
+	suite.dir = dir
+	suite.mockHelper = &MockAzureHelper{}
+	suite.azureLogin, err = newAzureLoginServiceFromPath(filepath.Join(dir, tokenStoreFilename), suite.mockHelper)
+	Expect(err).To(BeNil())
+}
+
+func (suite *LoginSuiteTest) AfterTest(suiteName, testName string) {
+	err := os.RemoveAll(suite.dir)
+	Expect(err).To(BeNil())
+}
+
+func (suite *LoginSuiteTest) TestRefreshInValidToken() {
+	data := refreshTokenData("refreshToken")
+	suite.mockHelper.On("queryToken", data, "123456").Return(azureToken{
+		RefreshToken: "newRefreshToken",
+		AccessToken:  "newAccessToken",
+		ExpiresIn:    3600,
+		Foci:         "1",
+	}, nil)
+
+	//nolint copylocks
+	azureLogin, err := newAzureLoginServiceFromPath(filepath.Join(suite.dir, tokenStoreFilename), suite.mockHelper)
+	Expect(err).To(BeNil())
+	suite.azureLogin = azureLogin
+	err = suite.azureLogin.tokenStore.writeLoginInfo(TokenInfo{
+		TenantID: "123456",
+		Token: oauth2.Token{
+			AccessToken:  "accessToken",
+			RefreshToken: "refreshToken",
+			Expiry:       time.Now().Add(-1 * time.Hour),
+			TokenType:    "Bearer",
+		},
+	})
+	Expect(err).To(BeNil())
+
+	token, _ := suite.azureLogin.GetValidToken()
+
+	Expect(token.AccessToken).To(Equal("newAccessToken"))
+	Expect(token.Expiry).To(BeTemporally(">", time.Now().Add(3500*time.Second)))
+
+	storedToken, _ := suite.azureLogin.tokenStore.readToken()
+	Expect(storedToken.Token.AccessToken).To(Equal("newAccessToken"))
+	Expect(storedToken.Token.RefreshToken).To(Equal("newRefreshToken"))
+	Expect(storedToken.Token.Expiry).To(BeTemporally(">", time.Now().Add(3500*time.Second)))
+}
+
+func (suite *LoginSuiteTest) TestDoesNotRefreshValidToken() {
+	expiryDate := time.Now().Add(1 * time.Hour)
+	err := suite.azureLogin.tokenStore.writeLoginInfo(TokenInfo{
+		TenantID: "123456",
+		Token: oauth2.Token{
+			AccessToken:  "accessToken",
+			RefreshToken: "refreshToken",
+			Expiry:       expiryDate,
+			TokenType:    "Bearer",
+		},
+	})
+	Expect(err).To(BeNil())
+
+	token, _ := suite.azureLogin.GetValidToken()
+
+	Expect(suite.mockHelper.Calls).To(BeEmpty())
+	Expect(token.AccessToken).To(Equal("accessToken"))
+}
+
+func (suite *LoginSuiteTest) TestInvalidLogin() {
+	suite.mockHelper.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+		redirectURL := args.Get(0).(string)
+		err := queryKeyValue(redirectURL, "error", "access denied")
+		Expect(err).To(BeNil())
+	})
+
+	//nolint copylocks
+	azureLogin, err := newAzureLoginServiceFromPath(filepath.Join(suite.dir, tokenStoreFilename), suite.mockHelper)
+	Expect(err).To(BeNil())
+
+	err = azureLogin.Login(context.TODO())
+	Expect(err).To(MatchError(errors.New("login failed : [access denied]")))
+}
+
+func (suite *LoginSuiteTest) TestValidLogin() {
+	var redirectURL string
+	suite.mockHelper.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+		redirectURL = args.Get(0).(string)
+		err := queryKeyValue(redirectURL, "code", "123456879")
+		Expect(err).To(BeNil())
+	})
+
+	suite.mockHelper.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
+		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
+		return reflect.DeepEqual(data, url.Values{
+			"grant_type":   []string{"authorization_code"},
+			"client_id":    []string{clientID},
+			"code":         []string{"123456879"},
+			"scope":        []string{scopes},
+			"redirect_uri": []string{redirectURL},
+		})
+	}), "organizations").Return(azureToken{
+		RefreshToken: "firstRefreshToken",
+		AccessToken:  "firstAccessToken",
+		ExpiresIn:    3600,
+		Foci:         "1",
+	}, nil)
+
+	authBody := `{"value":[{"id":"/tenants/12345a7c-c56d-43e8-9549-dd230ce8a038","tenantId":"12345a7c-c56d-43e8-9549-dd230ce8a038"}]}`
+
+	suite.mockHelper.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 200, nil)
+	data := refreshTokenData("firstRefreshToken")
+	suite.mockHelper.On("queryToken", data, "12345a7c-c56d-43e8-9549-dd230ce8a038").Return(azureToken{
+		RefreshToken: "newRefreshToken",
+		AccessToken:  "newAccessToken",
+		ExpiresIn:    3600,
+		Foci:         "1",
+	}, nil)
+	//nolint copylocks
+	azureLogin, err := newAzureLoginServiceFromPath(filepath.Join(suite.dir, tokenStoreFilename), suite.mockHelper)
+	Expect(err).To(BeNil())
+
+	err = azureLogin.Login(context.TODO())
+	Expect(err).To(BeNil())
+
+	loginToken, err := suite.azureLogin.tokenStore.readToken()
+	Expect(err).To(BeNil())
+	Expect(loginToken.Token.AccessToken).To(Equal("newAccessToken"))
+	Expect(loginToken.Token.RefreshToken).To(Equal("newRefreshToken"))
+	Expect(loginToken.Token.Expiry).To(BeTemporally(">", time.Now().Add(3500*time.Second)))
+	Expect(loginToken.TenantID).To(Equal("12345a7c-c56d-43e8-9549-dd230ce8a038"))
+	Expect(loginToken.Token.Type()).To(Equal("Bearer"))
+}
+
+func (suite *LoginSuiteTest) TestLoginAuthorizationFailed() {
+	var redirectURL string
+	suite.mockHelper.On("openAzureLoginPage", mock.AnythingOfType("string")).Run(func(args mock.Arguments) {
+		redirectURL = args.Get(0).(string)
+		err := queryKeyValue(redirectURL, "code", "123456879")
+		Expect(err).To(BeNil())
+	})
+
+	suite.mockHelper.On("queryToken", mock.MatchedBy(func(data url.Values) bool {
+		//Need a matcher here because the value of redirectUrl is not known until executing openAzureLoginPage
+		return reflect.DeepEqual(data, url.Values{
+			"grant_type":   []string{"authorization_code"},
+			"client_id":    []string{clientID},
+			"code":         []string{"123456879"},
+			"scope":        []string{scopes},
+			"redirect_uri": []string{redirectURL},
+		})
+	}), "organizations").Return(azureToken{
+		RefreshToken: "firstRefreshToken",
+		AccessToken:  "firstAccessToken",
+		ExpiresIn:    3600,
+		Foci:         "1",
+	}, nil)
+
+	authBody := `[access denied]`
+
+	suite.mockHelper.On("queryAuthorizationAPI", authorizationURL, "Bearer firstAccessToken").Return([]byte(authBody), 400, nil)
+
+	azureLogin, err := newAzureLoginServiceFromPath(filepath.Join(suite.dir, tokenStoreFilename), suite.mockHelper)
+	Expect(err).To(BeNil())
+
+	err = azureLogin.Login(context.TODO())
+	Expect(err).To(MatchError(errors.New("login failed : [access denied]")))
+}
+
+func refreshTokenData(refreshToken string) url.Values {
+	return url.Values{
+		"grant_type":    []string{"refresh_token"},
+		"client_id":     []string{clientID},
+		"scope":         []string{scopes},
+		"refresh_token": []string{refreshToken},
+	}
+}
+
+func queryKeyValue(redirectURL string, key string, value string) error {
+	req, err := http.NewRequest("GET", redirectURL, nil)
+	Expect(err).To(BeNil())
+	q := req.URL.Query()
+	q.Add(key, value)
+	req.URL.RawQuery = q.Encode()
+	client := &http.Client{}
+	_, err = client.Do(req)
+	return err
+}
+
+func TestLoginSuite(t *testing.T) {
+	RegisterTestingT(t)
+	suite.Run(t, new(LoginSuiteTest))
+}
+
+type MockAzureHelper struct {
+	mock.Mock
+}
+
+func (s *MockAzureHelper) queryToken(data url.Values, tenantID string) (token azureToken, err error) {
+	args := s.Called(data, tenantID)
+	return args.Get(0).(azureToken), args.Error(1)
+}
+
+func (s *MockAzureHelper) queryAuthorizationAPI(authorizationURL string, authorizationHeader string) ([]byte, int, error) {
+	args := s.Called(authorizationURL, authorizationHeader)
+	return args.Get(0).([]byte), args.Int(1), args.Error(2)
+}
+
+func (s *MockAzureHelper) openAzureLoginPage(redirectURL string) {
+	s.Called(redirectURL)
+}
--- a/azure/login/logingLocalServer.go
+++ b/azure/login/logingLocalServer.go
@ -0,0 +1,83 @@
+package login
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+)
+
+const loginFailedHTML = `
+	<!DOCTYPE html>
+	<html>
+	<head>
+	    <meta charset="utf-8" />
+	    <title>Login failed</title>
+	</head>
+	<body>
+	    <h4>Some failures occurred during the authentication</h4>
+	    <p>You can log an issue at <a href="https://github.com/azure/azure-cli/issues">Azure CLI GitHub Repository</a> and we will assist you in resolving it.</p>
+	</body>
+	</html>
+	`
+
+const successfullLoginHTML = `
+	<!DOCTYPE html>
+	<html>
+	<head>
+	    <meta charset="utf-8" />
+	    <meta http-equiv="refresh" content="10;url=https://docs.microsoft.com/cli/azure/">
+	    <title>Login successfully</title>
+	</head>
+	<body>
+	    <h4>You have logged into Microsoft Azure!</h4>
+	    <p>You can close this window, or we will redirect you to the <a href="https://docs.microsoft.com/cli/azure/">Azure CLI documents</a> in 10 seconds.</p>
+	</body>
+	</html>
+	`
+
+func startLoginServer(queryCh chan url.Values) (int, error) {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", queryHandler(queryCh))
+	listener, err := net.Listen("tcp", ":0")
+	if err != nil {
+		return 0, err
+	}
+
+	availablePort := listener.Addr().(*net.TCPAddr).Port
+	server := &http.Server{Handler: mux}
+	go func() {
+		if err := server.Serve(listener); err != nil {
+			queryCh <- url.Values{
+				"error": []string{fmt.Sprintf("error starting http server with: %v", err)},
+			}
+		}
+	}()
+	return availablePort, nil
+}
+
+func queryHandler(queryCh chan url.Values) func(w http.ResponseWriter, r *http.Request) {
+	queryHandler := func(w http.ResponseWriter, r *http.Request) {
+		_, hasCode := r.URL.Query()["code"]
+		if hasCode {
+			_, err := w.Write([]byte(successfullLoginHTML))
+			if err != nil {
+				queryCh <- url.Values{
+					"error": []string{err.Error()},
+				}
+			} else {
+				queryCh <- r.URL.Query()
+			}
+		} else {
+			_, err := w.Write([]byte(loginFailedHTML))
+			if err != nil {
+				queryCh <- url.Values{
+					"error": []string{err.Error()},
+				}
+			} else {
+				queryCh <- r.URL.Query()
+			}
+		}
+	}
+	return queryHandler
+}
--- a/azure/login/tokenStore.go
+++ b/azure/login/tokenStore.go
@ -0,0 +1,62 @@
+package login
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"golang.org/x/oauth2"
+)
+
+type tokenStore struct {
+	filePath string
+}
+
+// TokenInfo data stored in tokenStore
+type TokenInfo struct {
+	Token    oauth2.Token `json:"oauthToken"`
+	TenantID string       `json:"tenantId"`
+}
+
+func newTokenStore(path string) (tokenStore, error) {
+	parentFolder := filepath.Dir(path)
+	dir, err := os.Stat(parentFolder)
+	if os.IsNotExist(err) {
+		err = os.MkdirAll(parentFolder, 0700)
+		if err != nil {
+			return tokenStore{}, err
+		}
+		dir, err = os.Stat(parentFolder)
+	}
+	if err != nil {
+		return tokenStore{}, err
+	}
+	if !dir.Mode().IsDir() {
+		return tokenStore{}, errors.New("cannot use path " + path + " ; " + parentFolder + " already exists and is not a directory")
+	}
+	return tokenStore{
+		filePath: path,
+	}, nil
+}
+
+func (store tokenStore) writeLoginInfo(info TokenInfo) error {
+	bytes, err := json.MarshalIndent(info, "", "  ")
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(store.filePath, bytes, 0644)
+}
+
+func (store tokenStore) readToken() (TokenInfo, error) {
+	bytes, err := ioutil.ReadFile(store.filePath)
+	if err != nil {
+		return TokenInfo{}, err
+	}
+	loginInfo := TokenInfo{}
+	if err := json.Unmarshal(bytes, &loginInfo); err != nil {
+		return TokenInfo{}, err
+	}
+	return loginInfo, nil
+}
--- a/azure/login/tokenStore_test.go
+++ b/azure/login/tokenStore_test.go
@ -0,0 +1,54 @@
+package login
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	"github.com/stretchr/testify/suite"
+)
+
+type tokenStoreTestSuite struct {
+	suite.Suite
+}
+
+func (suite *tokenStoreTestSuite) TestCreateStoreFromExistingFolder() {
+	existingDir, err := ioutil.TempDir("", "test_store")
+	Expect(err).To(BeNil())
+
+	storePath := filepath.Join(existingDir, tokenStoreFilename)
+	store, err := newTokenStore(storePath)
+	Expect(err).To(BeNil())
+	Expect((store.filePath)).To(Equal(storePath))
+}
+
+func (suite *tokenStoreTestSuite) TestCreateStoreFromNonExistingFolder() {
+	existingDir, err := ioutil.TempDir("", "test_store")
+	Expect(err).To(BeNil())
+
+	storePath := filepath.Join(existingDir, "new", tokenStoreFilename)
+	store, err := newTokenStore(storePath)
+	Expect(err).To(BeNil())
+	Expect((store.filePath)).To(Equal(storePath))
+
+	newDir, err := os.Stat(filepath.Join(existingDir, "new"))
+	Expect(err).To(BeNil())
+	Expect(newDir.Mode().IsDir()).To(BeTrue())
+}
+
+func (suite *tokenStoreTestSuite) TestErrorIfParentFolderIsAFile() {
+	existingDir, err := ioutil.TempFile("", "test_store")
+	Expect(err).To(BeNil())
+
+	storePath := filepath.Join(existingDir.Name(), tokenStoreFilename)
+	_, err = newTokenStore(storePath)
+	Expect(err).To(MatchError(errors.New("cannot use path " + storePath + " ; " + existingDir.Name() + " already exists and is not a directory")))
+}
+
+func TestTokenStoreSuite(t *testing.T) {
+	RegisterTestingT(t)
+	suite.Run(t, new(tokenStoreTestSuite))
+}
--- a/backend/backend.go
+++ b/backend/backend.go
@ -9,6 +9,7 @@ import (

 	"github.com/docker/api/compose"
 	"github.com/docker/api/containers"
+	"github.com/docker/api/context/cloud"
 )

 var (
@ -33,6 +34,7 @@ var backends = struct {
 type Service interface {
 	ContainerService() containers.Service
 	ComposeService() compose.Service
+	CloudService() cloud.Service
 }

 // Register adds a typed backend to the registry
--- a/cli/cmd/context/context.go
+++ b/cli/cmd/context/context.go
@ -30,6 +30,8 @@ package context
 import (
 	"github.com/spf13/cobra"

+	"github.com/docker/api/cli/cmd/context/login"
+
 	cliopts "github.com/docker/api/cli/options"
 )

@ -45,6 +47,7 @@ func Command(opts *cliopts.GlobalOpts) *cobra.Command {
 		listCommand(),
 		removeCommand(),
 		useCommand(opts),
+		login.Command(),
 	)

 	return cmd
--- a/cli/cmd/context/login/login.go
+++ b/cli/cmd/context/login/login.go
@ -0,0 +1,37 @@
+package login
+
+import (
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+
+	"github.com/docker/api/client"
+	apicontext "github.com/docker/api/context"
+)
+
+// Command returns the compose command with its child commands
+func Command() *cobra.Command {
+	command := &cobra.Command{
+		Short: "Cloud login for docker contexts",
+		Use:   "login",
+	}
+	command.AddCommand(
+		azureLoginCommand(),
+	)
+	return command
+}
+
+func azureLoginCommand() *cobra.Command {
+	azureLoginCmd := &cobra.Command{
+		Use: "azure",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := apicontext.WithCurrentContext(cmd.Context(), "aci")
+			c, err := client.New(ctx)
+			if err != nil {
+				return errors.Wrap(err, "cannot connect to backend")
+			}
+			return c.CloudService().Login(ctx, nil)
+		},
+	}
+
+	return azureLoginCmd
+}
--- a/client/client.go
+++ b/client/client.go
@ -30,6 +30,8 @@ package client
 import (
 	"context"

+	"github.com/docker/api/context/cloud"
+
 	"github.com/docker/api/backend"
 	backendv1 "github.com/docker/api/backend/v1"
 	cliv1 "github.com/docker/api/cli/v1"
@ -84,3 +86,8 @@ func (c *Client) ContainerService() containers.Service {
 func (c *Client) ComposeService() compose.Service {
 	return c.bs.ComposeService()
 }
+
+// CloudService returns the backend service for the current context
+func (c *Client) CloudService() cloud.Service {
+	return c.bs.CloudService()
+}
--- a/context/cloud/api.go
+++ b/context/cloud/api.go
@ -0,0 +1,9 @@
+package cloud
+
+import "context"
+
+// Service cloud specific services
+type Service interface {
+	// Login login to cloud provider
+	Login(ctx context.Context, params map[string]string) error
+}
--- a/errdefs/errors.go
+++ b/errdefs/errors.go
@ -40,6 +40,8 @@ var (
 	ErrForbidden = errors.New("forbidden")
 	// ErrUnknown is returned when the error type is unmapped
 	ErrUnknown = errors.New("unknown")
+	// ErrLoginFailed is returned when login failed
+	ErrLoginFailed = errors.New("login failed")
 )

 // IsNotFoundError returns true if the unwrapped error is ErrNotFound
--- a/example/backend.go
+++ b/example/backend.go
@ -5,6 +5,8 @@ import (
 	"fmt"
 	"io"

+	"github.com/docker/api/context/cloud"
+
 	"github.com/docker/api/backend"
 	"github.com/docker/api/compose"
 	"github.com/docker/api/containers"
@ -23,6 +25,10 @@ func (a *apiService) ComposeService() compose.Service {
 	return &a.composeService
 }

+func (a *apiService) CloudService() cloud.Service {
+	return nil
+}
+
 func init() {
 	backend.Register("example", "example", func(ctx context.Context) (backend.Service, error) {
 		return &apiService{}, nil
--- a/go.mod
+++ b/go.mod
@ -6,7 +6,10 @@ require (
 	github.com/Azure/azure-sdk-for-go v42.0.0+incompatible
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Azure/go-autorest/autorest v0.10.0
+	github.com/Azure/go-autorest/autorest/adal v0.8.2
 	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
+	github.com/Azure/go-autorest/autorest/azure/cli v0.3.1
+	github.com/Azure/go-autorest/autorest/date v0.2.0
 	github.com/Azure/go-autorest/autorest/to v0.3.0
 	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/Microsoft/go-winio v0.4.14 // indirect
@ -35,6 +38,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.5.1
 	golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0
+	golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
 	golang.org/x/text v0.3.2 // indirect
 	google.golang.org/grpc v1.29.1
 	google.golang.org/protobuf v1.21.0
--- a/go.sum
+++ b/go.sum
@ -3,10 +3,12 @@ github.com/Azure/azure-sdk-for-go v42.0.0+incompatible h1:yz6sFf5bHZ+gEOQVuK5JhP
 github.com/Azure/azure-sdk-for-go v42.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-autorest v14.1.0+incompatible h1:qROrS0rWxAXGfFdNOI33we8553d7T8v78jXf/8tjLBM=
 github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
 github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
 github.com/Azure/go-autorest/autorest v0.10.0 h1:mvdtztBqcL8se7MdrUweNieTNi4kfNG6GOJuurQJpuY=
 github.com/Azure/go-autorest/autorest v0.10.0/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
+github.com/Azure/go-autorest/autorest v0.10.1 h1:uaB8A32IZU9YKs9v50+/LWIWTDHJk2vlGzbfd7FfESI=
 github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
 github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
 github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
@ -235,6 +237,7 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@ -275,6 +278,7 @@ golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0 h1:Jcxah/M+oLZ/R4/z5RzfPzGbPXnVDPkEDtf2JnuxN+U=
 golang.org/x/net v0.0.0-20200425230154-ff2c4b7c35a0/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -310,6 +314,7 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
--- a/moby/backend.go
+++ b/moby/backend.go
@ -4,6 +4,8 @@ import (
 	"context"
 	"io"

+	"github.com/docker/api/context/cloud"
+
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@ -45,6 +47,10 @@ func (ms *mobyService) ComposeService() compose.Service {
 	return nil
 }

+func (ms *mobyService) CloudService() cloud.Service {
+	return nil
+}
+
 func (ms *mobyService) List(ctx context.Context) ([]containers.Container, error) {
 	css, err := ms.apiClient.ContainerList(ctx, types.ContainerListOptions{
 		All: false,