Workaround MSAL.NET issue with MSA-PT account silent auth #1321
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Let the caller in to the `IMicrosoftAuthentication` component decide if Microsoft Account Passthrough (MSA-PT) behaviour should be used. Azure DevOps requires MSA-PT, so set that to `true` in usages.
When we have a Microsoft Account (MSA) in the cache and attempt to do a silent authentication, if we're an MSA-PT app we need to specify the special MSA transfer tenant ID to make sure we get the a token silently, correctly. See the issue [1] in the MSAL repo for more information. [1] AzureAD/microsoft-authentication-library-for-dotnet#3077
ldennington
approved these changes
Jul 10, 2023
| var atsBuilder = app.AcquireTokenSilent(scopes, account); | ||
|
|
||
| // Is we are operating with an MSA passthrough app we need to ensure that we target the | ||
| // special MSA 'transfer' tenant explicitly. This is a workaround for MSAL issue: |
There was a problem hiding this comment.
Super nit: I'm wondering whether there's any public documentation available about the transfer tenant that we can link here for those who would like to learn more.
There was a problem hiding this comment.
Unfortunately MSA passthrough is an internal (and legacy) feature of the Microsoft Identity platform, and the only docs are for Microsoft employees only: https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/stack-choices?branch=main#msa-passthrough
ldennington
approved these changes
Jul 31, 2023
Merged
ldennington
added a commit
that referenced
this pull request
Aug 1, 2023
**Changes since 2.2.2:** - Fix a GCM/Git Trace2 file locking issue - Issue: #1323 - PR: #1340 - Remove symlinks to `git-credential-manager-core` exe - Issue: #1322 - PR: #1327 - Add fallback http uri to `diagnose` command - Issue: #1215 - PR: #1339 - Workaround MSAL tenant issue with silent auth - Issue: #1297 - PR: #1321
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When we have a Microsoft Account (MSA) in the cache and attempt to do a silent authentication, if we're an MSA-PT app we need to specify the special MSA transfer tenant ID to make sure we get the a token silently, correctly.
See the issue in the MSAL repo for more information.
Fixes: #1297