Add CLI interactive browser login

[marrobi]

Fixes #4856

This PR adds an interactive browser login method to the TRE CLI for easier authentication.

Changes

• Add InteractiveApiClient class to support browser-based MSAL authentication with token caching
• Add tre login interactive command that auto-discovers TRE URL from:
  • Previously saved config (~/.config/tre/environment.json)
  • TRE deployment outputs (core/tre_output.json)
• Update CLI documentation

Usage

# For devcontainer users with a deployed TRE
tre login interactive

# To specify a different TRE instance
tre login interactive --base-url https://mytre.westeurope.cloudapp.azure.com/

[github-actions]

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 0d5f17a.

♻️ This comment has been updated with latest results.

[Copilot]

Pull request overview

This PR adds an interactive browser-based authentication method to the TRE CLI, addressing scenarios where device code flow is blocked by organizational policies. The implementation follows the existing patterns established by the device-code and client-credentials login methods, with the addition of automatic TRE URL discovery from saved configuration or deployment outputs.

Changes:

• Added InteractiveApiClient class that uses MSAL's interactive browser authentication with silent token refresh from cache
• Added tre login interactive command with auto-discovery of TRE URL from ~/.config/tre/environment.json or core/tre_output.json
• Updated CLI documentation to include the new interactive login method as the recommended approach for developers

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
docs/tre-developers/CLI.md	Documents the new interactive browser flow login method with usage examples and auto-discovery behavior
cli/tre/commands/login.py	Implements the login_interactive command with base URL auto-discovery and token caching
cli/tre/api_client.py	Adds InteractiveApiClient class with support for silent token refresh and interactive browser authentication
CHANGELOG.md	Records the enhancement with proper issue reference

Comments suppressed due to low confidence (1)

cli/tre/api_client.py:131

• Overridden method signature does not match call, where it is passed too many arguments. Overriding method method ClientCredentialsApiClient.get_auth_token matches the call.
  Overridden method signature does not match call, where it is passed too many arguments. Overriding method method DeviceCodeApiClient.get_auth_token matches the call.
  Overridden method signature does not match call, where it is passed too many arguments. Overriding method method InteractiveApiClient.get_auth_token matches the call.
  Overridden method signature does not match call, where it is passed too many arguments. Overriding method method ClientCredentialsApiClient.get_auth_token matches the call.
  Overridden method signature does not match call, where it is passed too many arguments. Overriding method method DeviceCodeApiClient.get_auth_token matches the call.
  Overridden method signature does not match call, where it is passed too many arguments. Overriding method method InteractiveApiClient.get_auth_token matches the call.

    def get_auth_token() -> str:

[JC-wk]

LGTM

[marrobi]

/test

Checking CI hasn't been broken.

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/21829999074 (with refid 755ff696)

(in response to this comment from @marrobi)