Add support for broker on MacOS (Azure#50999)

Author: christothes

eng/Packages.Data.props

@@ -177,9 +177,9 @@
     <!-- Other approved packages -->
     <PackageReference Update="Microsoft.Azure.Amqp" Version="2.7.0" />
     <PackageReference Update="Microsoft.Azure.WebPubSub.Common" Version="1.4.0" />
-    <PackageReference Update="Microsoft.Identity.Client" Version="4.71.1" />
-    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.71.1" />
-    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.71.1" />
+    <PackageReference Update="Microsoft.Identity.Client" Version="4.73.1" />
+    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.73.1" />
+    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.73.1" />
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />
     <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="6.35.0" />
     <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />

sdk/identity/Azure.Identity.Broker/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Support Microsoft Broker on macOS.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/identity/Azure.Identity.Broker/README.md

@@ -34,11 +34,14 @@ Microsoft accounts (MSA) are personal accounts created by users to access Micros
 
 ## Redirect URIs
 
-Microsoft Entra applications rely on redirect URIs to determine where to send the authentication response after a user has logged in. To enable brokered authentication through WAM, a redirect URI matching the following pattern should be registered to the application:
-
-```
-ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id}
-```
+Microsoft Entra applications rely on redirect URIs to determine where to send the authentication response after a user has logged in. To enable brokered authentication, a redirect URI matching the following pattern should be registered to the application:
+
+| Platform    | Redirect URI                                                                                                          |
+|-------------|-----------------------------------------------------------------------------------------------------------------------|
+| Windows 10+ | `ms-appx-web://Microsoft.AAD.BrokerPlugin/your_client_id`                                                             |
+| macOS       | `msauth.com.msauth.unsignedapp://auth` for unsigned applications<br>`msauth.BUNDLE_ID://auth` for signed applications |
+| WSL         | `ms-appx-web://Microsoft.AAD.BrokerPlugin/your_client_id`                                                             |
+| Linux       | `https://login.microsoftonline.com/common/oauth2/nativeclient`                                                        |
 
 ## Examples
 

sdk/identity/Azure.Identity.Broker/src/DevelopmentBrokerOptions.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Runtime.InteropServices;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Broker;
 
@@ -31,6 +32,12 @@ internal class DevelopmentBrokerOptions : InteractiveBrowserCredentialOptions, I
         public DevelopmentBrokerOptions() : base()
         {
             _beforeBuildClient = AddBroker;
+
+            // Set default value for UseDefaultBrokerAccount on macOS
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+            {
+                RedirectUri = new(Constants.MacBrokerRedirectUri);
+            }
         }
 
         Action<PublicClientApplicationBuilder> IMsalSettablePublicClientInitializerOptions.BeforeBuildClient
@@ -44,7 +51,7 @@ Action<PublicClientApplicationBuilder> IMsalSettablePublicClientInitializerOptio
         private void AddBroker(PublicClientApplicationBuilder builder)
         {
             builder.WithParentActivityOrWindow(() => IntPtr.Zero);
-            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows | BrokerOptions.OperatingSystems.Linux);
+            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows | BrokerOptions.OperatingSystems.Linux | BrokerOptions.OperatingSystems.OSX);
             if (IsLegacyMsaPassthroughEnabled.HasValue)
             {
                 options.MsaPassthrough = IsLegacyMsaPassthroughEnabled.Value;

sdk/identity/Azure.Identity.Broker/src/InteractiveBrowserCredentialBrokerOptions.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Runtime.InteropServices;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Broker;
 
@@ -32,14 +33,20 @@ public class InteractiveBrowserCredentialBrokerOptions : InteractiveBrowserCrede
         public InteractiveBrowserCredentialBrokerOptions(IntPtr parentWindowHandle) : base()
         {
             _parentWindowHandle = parentWindowHandle;
+
+            // Set default value for UseDefaultBrokerAccount on macOS
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+            {
+                RedirectUri = new(Constants.MacBrokerRedirectUri);
+            }
         }
 
         Action<PublicClientApplicationBuilder> IMsalPublicClientInitializerOptions.BeforeBuildClient => AddBroker;
 
         private void AddBroker(PublicClientApplicationBuilder builder)
         {
             builder.WithParentActivityOrWindow(() => _parentWindowHandle);
-            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows | BrokerOptions.OperatingSystems.Linux);
+            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows | BrokerOptions.OperatingSystems.Linux | BrokerOptions.OperatingSystems.OSX);
             if (IsLegacyMsaPassthroughEnabled.HasValue)
             {
                 options.MsaPassthrough = IsLegacyMsaPassthroughEnabled.Value;

sdk/identity/Azure.Identity/TROUBLESHOOTING.md

@@ -24,7 +24,7 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
 - [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues)
 - [Troubleshoot multi-tenant authentication issues](#troubleshoot-multi-tenant-authentication-issues)
-- [Troubleshoot Web Account Manager (WAM) brokered authentication issues](#troubleshoot-web-account-manager-wam-brokered-authentication-issues)
+- [Troubleshoot brokered authentication issues](#troubleshoot-brokered-authentication-issues)
 - [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
 - [Get additional help](#get-additional-help)
 
@@ -335,8 +335,9 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
 |---|---|---|
 |The current credential is not configured to acquire tokens for tenant <tenant ID>|<p>The application must configure the credential to allow token acquisition from the requested tenant.|Make one of the following changes in your app:<ul><li>Add the requested tenant ID to `AdditionallyAllowedTenants` on the credential options.</li><li>Add `*` to `AdditionallyAllowedTenants` to allow token acquisition for any tenant.</li></ul></p><p>This exception was added as part of a breaking change to multi-tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170).</p> |
 
-## Troubleshoot Web Account Manager (WAM) brokered authentication issues
+## Troubleshoot brokered authentication issues
 
+### Common error messages for Web Account Manager (WAM)
 | Error Message |Description| Mitigation |
 |---|---|---|
 |AADSTS50011|The application is missing the expected redirect URI.|Ensure that one of redirect URIs registered for the Microsoft Entra application matches the following URI pattern: `ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id}`|
@@ -359,6 +360,12 @@ You may also log in another MSA account by selecting "Microsoft account":
 
 ![Microsoft account](./images/MSA4.png)
 
+### Common errors for broker on macOS
+
+| Error Message |Description| Mitigation |
+|---|---|---|
+|0xffffffffffff5bf0 - Application's teamId is missing, and redirectUri is not matching unsigned format|For console applications using the broker on macOS, the following `RedirectUri` should be set: `msauth.com.msauth.unsignedapp://auth`|
+
 ## Troubleshoot AzurePipelinesCredential authentication issues
 
 | Error Message | Description | Mitigation |

sdk/identity/Azure.Identity/src/Constants.cs

@@ -53,5 +53,6 @@ internal class Constants
         public const string ManagedIdentityCredential = "managedidentitycredential";
         public const string InteractiveBrowserCredential = "interactivebrowsercredential";
         public const string BrokerAuthenticationCredential = "brokerauthenticationcredential";
+        public const string MacBrokerRedirectUri = "msauth.com.msauth.unsignedapp://auth";
     }
 }

sdk/identity/Azure.Identity/src/Credentials/DevelopmentBrokerOptions.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Diagnostics.CodeAnalysis;
 using Microsoft.Identity.Client;
 
 namespace Azure.Identity
@@ -37,5 +38,17 @@ Action<PublicClientApplicationBuilder> IMsalSettablePublicClientInitializerOptio
         }
 
         Action<PublicClientApplicationBuilder> IMsalPublicClientInitializerOptions.BeforeBuildClient => _beforeBuildClient;
+
+        internal override T Clone<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicParameterlessConstructor | DynamicallyAccessedMemberTypes.NonPublicConstructors)] T>()
+        {
+            var clone = base.Clone<T>();
+
+            if (clone is DevelopmentBrokerOptions dboClone)
+            {
+                dboClone.IsLegacyMsaPassthroughEnabled = IsLegacyMsaPassthroughEnabled;
+                dboClone.UseDefaultBrokerAccount = UseDefaultBrokerAccount;
+            }
+            return clone;
+        }
     }
 }

sdk/identity/Azure.Identity/src/Credentials/InteractiveBrowserCredentialOptions.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Threading;
 using Microsoft.Identity.Client;
 
@@ -71,5 +72,32 @@ public string TenantId
         /// The options for customizing the browser for interactive authentication.
         /// </summary>
         public BrowserCustomizationOptions BrowserCustomization { get; set; }
+
+        internal override T Clone<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicParameterlessConstructor | DynamicallyAccessedMemberTypes.NonPublicConstructors)] T>()
+        {
+            var clone = base.Clone<T>();
+            if (clone is InteractiveBrowserCredentialOptions ibcoClone)
+            {
+                ibcoClone.DisableAutomaticAuthentication = DisableAutomaticAuthentication;
+                ibcoClone.TenantId = _tenantId;
+                ibcoClone.AdditionallyAllowedTenants = AdditionallyAllowedTenants;
+                ibcoClone.ClientId = ClientId;
+                ibcoClone.TokenCachePersistenceOptions = TokenCachePersistenceOptions?.Clone();
+                ibcoClone.RedirectUri = RedirectUri;
+                ibcoClone.AuthenticationRecord = AuthenticationRecord;
+                ibcoClone.LoginHint = LoginHint;
+                ibcoClone.DisableInstanceDiscovery = DisableInstanceDiscovery;
+                if (BrowserCustomization != null)
+                {
+                    ibcoClone.BrowserCustomization = new BrowserCustomizationOptions
+                    {
+                        ErrorMessage = BrowserCustomization.ErrorMessage,
+                        SuccessMessage = BrowserCustomization.SuccessMessage,
+                        UseEmbeddedWebView = BrowserCustomization.UseEmbeddedWebView ?? false
+                    };
+                }
+            }
+            return clone;
+        }
     }
 }

sdk/identity/Azure.Identity/src/DefaultAzureCredentialFactory.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Reflection;
+using System.Runtime.InteropServices;
 using Azure.Core;
 
 namespace Azure.Identity
@@ -240,6 +241,7 @@ public TokenCredential CreateBrokerAuthenticationCredential(InteractiveBrowserCr
         {
             var options = Options.Clone<DevelopmentBrokerOptions>();
             ((IMsalSettablePublicClientInitializerOptions)options).BeforeBuildClient = ((IMsalSettablePublicClientInitializerOptions)brokerOptions).BeforeBuildClient;
+            options.RedirectUri = brokerOptions.RedirectUri;
 
             options.TokenCachePersistenceOptions = new TokenCachePersistenceOptions();
 
@@ -322,6 +324,12 @@ internal static bool TryCreateDevelopmentBrokerOptions(out InteractiveBrowserCre
                 ConstructorInfo optionsCtor = optionsType?.GetConstructor(Type.EmptyTypes);
                 object optionsInstance = optionsCtor?.Invoke(null);
                 options = optionsInstance as InteractiveBrowserCredentialOptions;
+                options.IsChainedCredential = true;
+                // Set default value for UseDefaultBrokerAccount on macOS
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+                {
+                    options.RedirectUri = new(Constants.MacBrokerRedirectUri);
+                }
 
                 return options != null;
             }