Login interactively using WAM (#17466)

* WAM

* address review comments

Co-authored-by: Yeming Liu <[email protected]>
Co-authored-by: Dingmeng Xue <[email protected]>

Author: 3 people

.azure-pipelines/security-tools.yml

@@ -31,7 +31,7 @@ jobs:
     condition: eq(variables.IsGenerateBased, true)
     inputs:
       versionSpec: 14.17.1
-  
+
   - task: PowerShell@2
     displayName: Install autorest
     condition: eq(variables.IsGenerateBased, true)
@@ -54,6 +54,13 @@ jobs:
       scanFolder: SecurityTmp
       suppressionsFile: tools/SecurityTools/CredScanSuppressions.json
 
+  - task: PowerShell@2
+    displayName: Copy PDB for BinSkim
+    inputs:
+      targetType: inline
+      script: ./src/lib/pdb/CopyPdbToArtifacts.ps1
+      pwsh: true
+
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
     displayName: Run BinSkim
     inputs:

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Supported Web Account Manager (WAM) as an opt-in interactive login experience. Enable it by `Update-AzConfig -EnableLoginByWam $true`.
 * Optimized the mechanism for assembly loading.
 * Enabled AzKeyStore with keyring in Linux.
 * Fixed a typo in GetAzureRmContextAutosaveSetting.cs changing the cmdlet class name to GetAzureRmContextAutosaveSetting

src/Accounts/Accounts/help/Clear-AzConfig.md

@@ -22,7 +22,8 @@ Clear-AzConfig [-Force] [-PassThru] [-AppliesTo <String>] [-Scope <ConfigScope>]
 ```
 Clear-AzConfig [-PassThru] [-AppliesTo <String>] [-Scope <ConfigScope>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-DefaultSubscriptionForLogin]
- [-DisplayBreakingChangeWarning] [-DisplaySurveyMessage] [-EnableDataCollection] [<CommonParameters>]
+ [-DisplayBreakingChangeWarning] [-DisplaySurveyMessage] [-EnableDataCollection] [-EnableLoginByWam]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -145,6 +146,24 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableLoginByWam
+\[Preview\] When enabled, Web Account Manager (WAM) will be the default interactive login experience.
+It will fall back to using the browser if the platform does not support WAM.
+Note that this feature is under preview. Microsoft Account (MSA) is currently not supported.
+Feel free to reach out to Azure PowerShell team if you have any feedbacks: https://aka.ms/azpsissue
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: ClearByKey
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Force
 Do not ask for confirmation when clearing all configs.
 
@@ -183,7 +202,7 @@ By default it is CurrentUser.
 Type: Microsoft.Azure.PowerShell.Common.Config.ConfigScope
 Parameter Sets: (All)
 Aliases:
-Accepted values: CurrentUser, Process
+Accepted values: CurrentUser, Process, Default, Environment
 
 Required: False
 Position: Named

src/Accounts/Accounts/help/Connect-AzAccount.md

@@ -251,6 +251,21 @@ Account                     SubscriptionName TenantId                        Env
 xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1    yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
 ```
 
+### Example 10: Connect interactively using WAM
+
+This example demonstrates how to enable the config for WAM (Web Account Manager) and use it to connect to Azure.
+
+```powershell
+Update-AzConfig -EnableLoginByWam $true
+Connect-AzAccount
+```
+
+```Output
+Account                     SubscriptionName TenantId                        Environment
+-------                     ---------------- --------                        -----------
+xxxxxxxx-xxxx-xxxx-xxxxxxxx Subscription1    yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyy AzureCloud
+```
+
 ## PARAMETERS
 
 ### -AccessToken

src/Accounts/Accounts/help/Get-AzConfig.md

@@ -15,7 +15,7 @@ Gets the configs of Azure PowerShell.
 ```
 Get-AzConfig [-AppliesTo <String>] [-Scope <ConfigScope>] [-DefaultProfile <IAzureContextContainer>]
  [-DefaultSubscriptionForLogin] [-DisplayBreakingChangeWarning] [-DisplaySurveyMessage] [-EnableDataCollection]
- [<CommonParameters>]
+ [-EnableLoginByWam] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -157,6 +157,24 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableLoginByWam
+\[Preview\] When enabled, Web Account Manager (WAM) will be the default interactive login experience.
+It will fall back to using the browser if the platform does not support WAM.
+Note that this feature is under preview. Microsoft Account (MSA) is currently not supported.
+Feel free to reach out to Azure PowerShell team if you have any feedbacks: https://aka.ms/azpsissue
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Scope
 Determines the scope of config changes, for example, whether changes apply only to the current process, or to all sessions started by this user.
 By default it is CurrentUser.

src/Accounts/Accounts/help/Update-AzConfig.md

@@ -15,7 +15,8 @@ Updates the configs of Azure PowerShell.
 ```
 Update-AzConfig [-AppliesTo <String>] [-Scope <ConfigScope>] [-DefaultProfile <IAzureContextContainer>]
  [-WhatIf] [-Confirm] [-DefaultSubscriptionForLogin <String>] [-DisplayBreakingChangeWarning <Boolean>]
- [-DisplaySurveyMessage <Boolean>] [-EnableDataCollection <Boolean>] [<CommonParameters>]
+ [-DisplaySurveyMessage <Boolean>] [-EnableDataCollection <Boolean>] [-EnableLoginByWam <Boolean>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -168,6 +169,24 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -EnableLoginByWam
+\[Preview\] When enabled, Web Account Manager (WAM) will be the default interactive login experience.
+It will fall back to using the browser if the platform does not support WAM.
+Note that this feature is under preview. Microsoft Account (MSA) is currently not supported.
+Feel free to reach out to Azure PowerShell team if you have any feedbacks: https://aka.ms/azpsissue
+
+```yaml
+Type: System.Boolean
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
 ### -Scope
 Determines the scope of config changes, for example, whether changes apply only to the current process, or to all sessions started by this user.
 By default it is CurrentUser.
@@ -176,7 +195,7 @@ By default it is CurrentUser.
 Type: Microsoft.Azure.PowerShell.Common.Config.ConfigScope
 Parameter Sets: (All)
 Aliases:
-Accepted values: CurrentUser, Process
+Accepted values: CurrentUser, Process, Default, Environment
 
 Required: False
 Position: Named

src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs

@@ -43,11 +43,14 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 // todo: consider moving the list to a standalone config file
                 #region AssemblyList
                 CreateAssembly("netcoreapp2.1", "Azure.Core", "1.25.0.0").WithPowerShellCore(),
-                CreateAssembly("netcoreapp2.1", "Microsoft.Identity.Client", "4.46.2.0").WithPowerShellCore(),
+                CreateAssembly("netcoreapp2.1", "Microsoft.Identity.Client", "4.49.1.0").WithPowerShellCore(),
                 CreateAssembly("netcoreapp3.1", "Microsoft.Identity.Client.Extensions.Msal", "2.23.0.0").WithPowerShellCore(),
 
                 CreateAssembly("netstandard2.0", "Azure.Identity", "1.6.1.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity.BrokeredAuthentication", "1.0.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Bcl.AsyncInterfaces", "1.0.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.49.1.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.13.3.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.22.1.0"),
                 CreateAssembly("netstandard2.0", "System.Memory.Data", "1.0.2.0"),
                 CreateAssembly("netstandard2.0", "System.Text.Json", "4.0.1.2"),
@@ -62,7 +65,7 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 CreateAssembly("netstandard2.0", "System.Threading.Tasks.Extensions", "4.2.0.1").WithWindowsPowerShell(),
 
                 CreateAssembly("netfx", "Azure.Core", "1.25.0.0").WithWindowsPowerShell(),
-                CreateAssembly("netfx", "Microsoft.Identity.Client", "4.46.2.0").WithWindowsPowerShell(),
+                CreateAssembly("netfx", "Microsoft.Identity.Client", "4.49.1.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "Microsoft.Identity.Client.Extensions.Msal", "2.23.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "Newtonsoft.Json", "12.0.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Diagnostics.DiagnosticSource", "4.0.4.0").WithWindowsPowerShell(),

src/Accounts/Authentication.Test/TelemetryTests.cs

@@ -245,8 +245,10 @@ public void DataCollectionHandlesWriteErrors()
             AzureSession.Instance.DataStore = mock.Object;
             try
             {
+#pragma warning disable CS0436 // Type conflicts with imported type. ConfigKeys.cs is included in the referenced projects.
                 Assert.True(AzureSession.Instance.TryGetComponent<IConfigManager>(nameof(IConfigManager), out var manager)
                     && manager.GetConfigValue<bool>(ConfigKeys.EnableDataCollection));
+#pragma warning restore CS0436 // Type conflicts with imported type
             }
             finally
             {

src/Accounts/Authentication/Authentication.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <PsModuleName>Accounts</PsModuleName>
   </PropertyGroup>
-  
+
   <Import Project="$(MSBuildThisFileDirectory)..\..\Az.props" />
 
   <PropertyGroup>
@@ -13,7 +13,8 @@
 
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.6.1" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.46.2" />
+    <PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.49.1" />
     <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="2.23.0" />
   </ItemGroup>
 

src/Accounts/Authentication/Authentication/AdalConfiguration.cs

@@ -23,12 +23,6 @@ namespace Microsoft.Azure.Commands.Common.Authentication
     /// </summary>
     public class AdalConfiguration
     {
-        //
-        // These constants define the default values to use for AD authentication
-        // against RDFE
-        //
-        public const string PowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2";
-
         public static readonly Uri PowerShellRedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
 
         // ID for site to pass to enable EBD (email-based differentiation)
@@ -50,7 +44,7 @@ public class AdalConfiguration
 
         public AdalConfiguration()
         {
-            ClientId = PowerShellClientId;
+            ClientId = Constants.PowerShellClientId;
             ClientRedirectUri = PowerShellRedirectUri;
             ValidateAuthority = true;
             AdEndpoint = string.Empty;