From eaff0bf10c918b2e7556b1cf3b9e55208a6d3e68 Mon Sep 17 00:00:00 2001
From: Raymond Wiker <rayw@equinor.com>
Date: Thu, 8 Jan 2026 11:58:27 +0100
Subject: [PATCH] fix: change order of authentication schemes so that an
 explicitly passed token (refresh or access) is used in preference to anything
 else.

---
 src/sumo/wrapper/_auth_provider.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/sumo/wrapper/_auth_provider.py b/src/sumo/wrapper/_auth_provider.py
index 1e5bd43..e28aa19 100644
--- a/src/sumo/wrapper/_auth_provider.py
+++ b/src/sumo/wrapper/_auth_provider.py
@@ -432,17 +432,6 @@ def get_auth_provider(
     devicecode=False,
     case_uuid=None,
 ) -> AuthProvider:
-    if all(
-        os.getenv(x)
-        for x in [
-            "AZURE_FEDERATED_TOKEN_FILE",
-            "AZURE_TENANT_ID",
-            "AZURE_CLIENT_ID",
-            "AZURE_AUTHORITY_HOST",
-        ]
-    ):
-        return AuthProviderManaged(resource_id)
-    # ELSE
     if refresh_token:
         return AuthProviderRefreshToken(
             refresh_token, client_id, authority, resource_id
@@ -464,6 +453,17 @@ def get_auth_provider(
             return auth_silent
         pass
     # ELSE
+    if all(
+        os.getenv(x)
+        for x in [
+            "AZURE_FEDERATED_TOKEN_FILE",
+            "AZURE_TENANT_ID",
+            "AZURE_CLIENT_ID",
+            "AZURE_AUTHORITY_HOST",
+        ]
+    ):
+        return AuthProviderManaged(resource_id)
+    # ELSE
     if interactive:
         lockfile_path = Path.home() / ".config/chromium/SingletonLock"