Fallback to interactive browser auth if broker is enabled (#598)

pwoosam · Patrick Woo-Sam · web-flow · commit f47384441a6e · 2025-11-10T16:35:39.000-08:00
If broker auth is enabled but fails, then try interactive browser auth,
before device code.

---------

Co-authored-by: Patrick Woo-Sam &lt;pwoosam@Patricks-Mac-mini.local&gt;
diff --git a/CredentialProvider.Microsoft/CredentialProviders/Vsts/MsalTokenProvidersFactory.cs b/CredentialProvider.Microsoft/CredentialProviders/Vsts/MsalTokenProvidersFactory.cs
@@ -7,6 +7,7 @@
 using System.Threading.Tasks;
 using Microsoft.Artifacts.Authentication;
 using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensions.Msal;
 using NuGetCredentialProvider.Util;
 
@@ -29,7 +30,7 @@ public async Task<IEnumerable<ITokenProvider>> GetAsync(Uri authority)
                 cache = await MsalCache.GetMsalCacheHelperAsync(EnvUtil.GetMsalCacheLocation(), logger);
             }
 
-            var builder = AzureArtifacts.CreateDefaultBuilder(authority)
+            var app = AzureArtifacts.CreateDefaultBuilder(authority)
                 .WithHttpClientFactory(HttpClientFactory.Default)
                 .WithLogging(
                     (Microsoft.Identity.Client.LogLevel level, string message, bool containsPii) =>
@@ -38,18 +39,36 @@ public async Task<IEnumerable<ITokenProvider>> GetAsync(Uri authority)
                         logger.LogTrace("MSAL Log ({level}): {message}", level, message);
                     },
                     enablePiiLogging: EnvUtil.GetLogPIIEnabled()
-                );
-
-            var app = builder
-                .Build();
-            var appInteractiveBroker = builder
-                .WithBroker(EnvUtil.MsalAllowBrokerEnabled(), EnvUtil.GetMsalBrokerWindowHandle(), logger)
+                )
                 .Build();
 
+            var brokerEnabled = EnvUtil.MsalAllowBrokerEnabled();
+            #nullable enable
+            IPublicClientApplication? appInteractiveBroker = null;
+            #nullable disable
+            if (brokerEnabled)
+            {
+                appInteractiveBroker = AzureArtifacts.CreateDefaultBuilder(authority)
+                    .WithHttpClientFactory(HttpClientFactory.Default)
+                    .WithLogging(
+                        (Microsoft.Identity.Client.LogLevel level, string message, bool containsPii) =>
+                        {
+                            // We ignore containsPii param because we are passing in enablePiiLogging below.
+                            logger.LogTrace("MSAL Log ({level}): {message}", level, message);
+                        },
+                        enablePiiLogging: EnvUtil.GetLogPIIEnabled()
+                    )
+                    .WithBroker(brokerEnabled, EnvUtil.GetMsalBrokerWindowHandle(), logger)
+                    .Build();
+            }
+
             cache?.RegisterCache(app.UserTokenCache);
-            cache?.RegisterCache(appInteractiveBroker.UserTokenCache);
+            if (appInteractiveBroker != null)
+            {
+                cache?.RegisterCache(appInteractiveBroker.UserTokenCache);
+            }
 
-            return MsalTokenProviders.Get(app, appInteractiveBroker, logger);
+            return MsalTokenProviders.Get(app, logger, appInteractiveBroker: appInteractiveBroker);
         }
     }
 }
diff --git a/src/Authentication/MsalTokenProviders.cs b/src/Authentication/MsalTokenProviders.cs
@@ -9,7 +9,7 @@ namespace Microsoft.Artifacts.Authentication;
 
 public class MsalTokenProviders
 {
-    public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, IPublicClientApplication appInteractiveBroker, ILogger logger)
+    public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, ILogger logger, IPublicClientApplication? appInteractiveBroker = null)
     {
         yield return new MsalServicePrincipalTokenProvider(app, logger);
         yield return new MsalManagedIdentityTokenProvider(app, logger);
@@ -22,7 +22,16 @@ public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, IPub
             yield return new MsalIntegratedWindowsAuthTokenProvider(app, logger);
         }
 
-        yield return new MsalInteractiveTokenProvider(appInteractiveBroker, logger);
+        // Use broker authentication first if enabled
+        if (appInteractiveBroker != null)
+        {
+            yield return new MsalInteractiveTokenProvider(appInteractiveBroker, logger);
+        }
+
+        // Fallback to non-broker interactive browser auth
+        yield return new MsalInteractiveTokenProvider(app, logger);
+
+        // Fallback to device code flow as last resort
         yield return new MsalDeviceCodeTokenProvider(app, logger);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ namespace Microsoft.Artifacts.Authentication;`
`9`	`9`
`10`	`10`	`public class MsalTokenProviders`
`11`	`11`	`{`
`12`		`- public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, IPublicClientApplication appInteractiveBroker, ILogger logger)`
	`12`	`+ public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, ILogger logger, IPublicClientApplication? appInteractiveBroker = null)`
`13`	`13`	`{`
`14`	`14`	`yield return new MsalServicePrincipalTokenProvider(app, logger);`
`15`	`15`	`yield return new MsalManagedIdentityTokenProvider(app, logger);`
`@@ -22,7 +22,16 @@ public static IEnumerable<ITokenProvider> Get(IPublicClientApplication app, IPub`
`22`	`22`	`yield return new MsalIntegratedWindowsAuthTokenProvider(app, logger);`
`23`	`23`	`}`
`24`	`24`
`25`		`- yield return new MsalInteractiveTokenProvider(appInteractiveBroker, logger);`
	`25`	`+ // Use broker authentication first if enabled`
	`26`	`+ if (appInteractiveBroker != null)`
	`27`	`+ {`
	`28`	`+ yield return new MsalInteractiveTokenProvider(appInteractiveBroker, logger);`
	`29`	`+ }`
	`30`	`+`
	`31`	`+ // Fallback to non-broker interactive browser auth`
	`32`	`+ yield return new MsalInteractiveTokenProvider(app, logger);`
	`33`	`+`
	`34`	`+ // Fallback to device code flow as last resort`
`26`	`35`	`yield return new MsalDeviceCodeTokenProvider(app, logger);`
`27`	`36`	`}`
`28`	`37`	`}`