Move Microsoft authentication in-proc

Move Microsoft authentication in-process when no external helper
application is present. This simplifies the scenario on .NET Framework
(Windows) where MSAL supports WinForms-based UI.

Author: mjcheetham

Git-Credential-Manager.sln

@@ -21,10 +21,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestInfrastructure", "src\s
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "GitHub", "src\shared\GitHub\GitHub.csproj", "{3C840B06-A595-4FD9-9A76-56CD45B14780}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Authentication.Helper.Windows", "src\windows\Microsoft.Authentication.Helper.Windows\Microsoft.Authentication.Helper.Windows.csproj", "{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Authentication.Helper.Windows.Tests", "src\windows\Microsoft.Authentication.Helper.Windows.Tests\Microsoft.Authentication.Helper.Windows.Tests.csproj", "{E0391B02-16D5-4B49-9C33-349B25717011}"
-EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "shared", "shared", "{D5277A0E-997E-453A-8CB9-4EFCC8B16A29}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitHub.Tests", "src\shared\GitHub.Tests\GitHub.Tests.csproj", "{3E524EA8-D31A-4394-997C-14B522E3D6FD}"
@@ -160,22 +156,6 @@ Global
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacDebug|Any CPU.Build.0 = Debug|Any CPU
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3C840B06-A595-4FD9-9A76-56CD45B14780}.MacRelease|Any CPU.Build.0 = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{E0391B02-16D5-4B49-9C33-349B25717011}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -242,7 +222,6 @@ Global
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{66722747-1B61-40E4-A89B-1AC8E6D62EA9} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
-		{8B984F78-4EAF-4BC0-A34E-BA3949700ED4} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{D5277A0E-997E-453A-8CB9-4EFCC8B16A29} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
 		{28F06D44-AB25-4CF5-93F9-978C23FAA9D6} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{3C840B06-A595-4FD9-9A76-56CD45B14780} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
@@ -251,7 +230,6 @@ Global
 		{97DC6241-1240-4A85-8035-F8404A983A82} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{AD41FA1E-51F5-4E4F-B7DA-32F921491313} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{5A7D9E8B-C1D2-4C5C-BE98-648C41D1F8BD} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
-		{E0391B02-16D5-4B49-9C33-349B25717011} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{3E524EA8-D31A-4394-997C-14B522E3D6FD} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{3D279E2D-E011-45CF-8EA8-3D71D1300443} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
 		{206430B1-CEED-4C84-8D49-D0A399632202} = {3D279E2D-E011-45CF-8EA8-3D71D1300443}

src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs

@@ -164,7 +164,7 @@ public async Task AzureReposProvider_GetCredentialAsync_ReturnsCredential()
                         .ReturnsAsync(personalAccessToken);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>();
-            msAuthMock.Setup(x => x.GetAccessTokenAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedResource, remoteUri))
+            msAuthMock.Setup(x => x.GetAccessTokenAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedResource, remoteUri, null))
                       .ReturnsAsync(accessToken);
 
             var provider = new AzureReposHostProvider(context, azDevOpsMock.Object, msAuthMock.Object);

src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs

@@ -79,7 +79,8 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
                 AzureDevOpsConstants.AadClientId,
                 AzureDevOpsConstants.AadRedirectUri,
                 AzureDevOpsConstants.AadResourceId,
-                remoteUri);
+                remoteUri,
+                null);
             string atUser = accessToken.GetAzureUserName();
             Context.Trace.WriteLineSecrets($"Acquired Azure access token. User='{atUser}' Token='{{0}}'", new object[] {accessToken.EncodedToken});
 

src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs

@@ -3,16 +3,19 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Net.Http;
 using System.Reflection;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Extensions.Msal;
 using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Microsoft.Git.CredentialManager.Authentication
 {
     public interface IMicrosoftAuthentication
     {
         Task<JsonWebToken> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri, string resource,
-            Uri remoteUri);
+            Uri remoteUri, string userName);
     }
 
     public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthentication
@@ -27,18 +30,38 @@ public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthenticat
         public MicrosoftAuthentication(ICommandContext context)
             : base(context) {}
 
-        public async Task<JsonWebToken> GetAccessTokenAsync(string authority, string clientId, Uri redirectUri,
-            string resource, Uri remoteUri)
+        #region IMicrosoftAuthentication
+
+        public async Task<JsonWebToken> GetAccessTokenAsync(
+            string authority, string clientId, Uri redirectUri, string resource, Uri remoteUri, string userName)
         {
-            string helperPath = FindHelperExecutablePath();
+            // If we find an external authentication helper we should delegate everything to it
+            if (TryFindHelperExecutablePath(out string helperPath))
+            {
+                return await GetAccessTokenViaHelperAsync(helperPath,
+                    authority, clientId, redirectUri, resource, remoteUri, userName);
+            }
+
+            // Try to acquire an access token in the current process
+            string[] scopes = { $"{resource}/.default" };
+            return await GetAccessTokenInProcAsync(authority, clientId, redirectUri, scopes, userName);
+        }
 
+        #endregion
+
+        #region Authentication strategies
+
+        private async Task<JsonWebToken> GetAccessTokenViaHelperAsync(string helperPath,
+            string authority, string clientId, Uri redirectUri, string resource, Uri remoteUri, string userName)
+        {
             var inputDict = new Dictionary<string, string>
             {
-                ["authority"]   = authority,
-                ["clientId"]    = clientId,
+                ["authority"] = authority,
+                ["clientId"] = clientId,
                 ["redirectUri"] = redirectUri.AbsoluteUri,
-                ["resource"]    = resource,
-                ["remoteUrl"]   = remoteUri.ToString(),
+                ["resource"] = resource,
+                ["remoteUrl"] = remoteUri.ToString(),
+                ["username"] = userName,
             };
 
             IDictionary<string, string> resultDict = await InvokeHelperAsync(helperPath, null, inputDict);
@@ -51,7 +74,101 @@ public async Task<JsonWebToken> GetAccessTokenAsync(string authority, string cli
             return new JsonWebToken(accessToken);
         }
 
-        private string FindHelperExecutablePath()
+        private async Task<JsonWebToken> GetAccessTokenInProcAsync(string authority, string clientId, Uri redirectUri, string[] scopes, string userName)
+        {
+            IPublicClientApplication app = await CreatePublicClientApplicationAsync(authority, clientId, redirectUri);
+
+            AuthenticationResult result = null;
+
+            // Try silent authentication first if we know about an existing user
+            if (!string.IsNullOrWhiteSpace(userName))
+            {
+                result = await GetAccessTokenSilentlyAsync(app, scopes, userName);
+            }
+
+            // If we failed to acquire an AT silently (either because we don't have an existing user, or the user's RT has expired)
+            // we need to prompt the user for credentials.
+            // Depending on the current platform and session type we try to show the most appropriate authentication interface.
+            if (result is null)
+            {
+#if NETFRAMEWORK
+                if (PlatformUtils.IsInteractiveSession())
+                {
+                    result = await app.AcquireTokenInteractive(scopes)
+                        .WithPrompt(Prompt.SelectAccount)
+                        .WithUseEmbeddedWebView(true)
+                        .ExecuteAsync();
+                }
+#elif NETSTANDARD
+                // MSAL requires the application redirect URI is a loopback address to use the System WebView
+                if (PlatformUtils.IsInteractiveSession() && app.IsSystemWebViewAvailable && redirectUri.IsLoopback)
+                {
+                    result = await app.AcquireTokenInteractive(scopes)
+                        .WithPrompt(Prompt.SelectAccount)
+                        .WithSystemWebViewOptions(GetSystemWebViewOptions())
+                        .ExecuteAsync();
+                }
+#endif
+                // If we do not have a way to show a GUI, use device code flow over the TTY
+                else
+                {
+                    EnsureTerminalPromptsEnabled();
+
+                    result = await app.AcquireTokenWithDeviceCode(scopes, ShowDeviceCodeInTty).ExecuteAsync();
+                }
+            }
+
+            return new JsonWebToken(result.AccessToken);
+        }
+
+        private async Task<AuthenticationResult> GetAccessTokenSilentlyAsync(IPublicClientApplication app, string[] scopes, string userName)
+        {
+            try
+            {
+                Context.Trace.WriteLine($"Attempting to acquire token silently for user '{userName}'...");
+
+                // We can either call `app.GetAccountsAsync` and filter through the IAccount objects for the instance with the correct user name,
+                // or we can just pass the user name string we have as the `loginHint` and let MSAL do exactly that for us instead!
+                return await app.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();
+            }
+            catch (MsalUiRequiredException)
+            {
+                Context.Trace.WriteLine("Failed to acquire token silently; user interaction is required.");
+                return null;
+            }
+        }
+
+        private async Task<IPublicClientApplication> CreatePublicClientApplicationAsync(string authority, string clientId, Uri redirectUri)
+        {
+            var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
+
+            var appBuilder = PublicClientApplicationBuilder.Create(clientId)
+                .WithAuthority(authority)
+                .WithRedirectUri(redirectUri.ToString())
+                .WithHttpClientFactory(httpFactoryAdaptor);
+
+            // Listen to MSAL logs if GCM_TRACE_MSAUTH is set
+            if (Context.Settings.IsMsalTracingEnabled)
+            {
+                // If GCM secret tracing is enabled also enable "PII" logging in MSAL
+                bool enablePiiLogging = Context.Trace.IsSecretTracingEnabled;
+
+                appBuilder.WithLogging(OnMsalLogMessage, LogLevel.Verbose, enablePiiLogging, false);
+            }
+
+            IPublicClientApplication app = appBuilder.Build();
+
+            // Try to register the application with the VS token cache
+            await RegisterVisualStudioTokenCacheAsync(app);
+
+            return app;
+        }
+
+        #endregion
+
+        #region Helpers
+
+        private bool TryFindHelperExecutablePath(out string path)
         {
             string helperName = Constants.MicrosoftAuthHelperName;
 
@@ -61,14 +178,76 @@ private string FindHelperExecutablePath()
             }
 
             string executableDirectory = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
-            string path = Path.Combine(executableDirectory, helperName);
-            if (!Context.FileSystem.FileExists(path))
+            path = Path.Combine(executableDirectory, helperName);
+            return Context.FileSystem.FileExists(path);
+        }
+
+        private async Task RegisterVisualStudioTokenCacheAsync(IPublicClientApplication app)
+        {
+            Context.Trace.WriteLine("Configuring Visual Studio token cache...");
+
+            // We currently only support Visual Studio on Windows
+            if (PlatformUtils.IsWindows())
             {
-                // We expect to have a helper on Windows and Mac
-                throw new Exception($"Cannot find required helper '{helperName}' in '{executableDirectory}'");
+                // The Visual Studio MSAL cache is located at "%LocalAppData%\.IdentityService\msal.cache" on Windows.
+                // We use the MSAL extension library to provide us consistent cache file access semantics (synchronisation, etc)
+                // as Visual Studio itself follows, as well as other Microsoft developer tools such as the Azure PowerShell CLI.
+                const string cacheFileName = "msal.cache";
+                string appData = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
+                string cacheDirectory = Path.Combine(appData, ".IdentityService");
+
+                var storageProps = new StorageCreationPropertiesBuilder(cacheFileName, cacheDirectory, app.AppConfig.ClientId).Build();
+
+                var helper = await MsalCacheHelper.CreateAsync(storageProps);
+                helper.RegisterCache(app.UserTokenCache);
+
+                Context.Trace.WriteLine("Visual Studio token cache configured.");
             }
+            else
+            {
+                string osType = PlatformUtils.GetPlatformInformation().OperatingSystemType;
+                Context.Trace.WriteLine($"Visual Studio token cache integration is not supported on {osType}.");
+            }
+        }
 
-            return path;
+        private static SystemWebViewOptions GetSystemWebViewOptions()
+        {
+            // TODO: add nicer HTML success and error pages
+            return new SystemWebViewOptions();
         }
+
+        private Task ShowDeviceCodeInTty(DeviceCodeResult dcr)
+        {
+            Context.Terminal.WriteLine(dcr.Message);
+
+            return Task.CompletedTask;
+        }
+
+        private void OnMsalLogMessage(LogLevel level, string message, bool containspii)
+        {
+            Context.Trace.WriteLine($"[{level.ToString()}] {message}", memberName: "MSAL");
+        }
+
+        private class MsalHttpClientFactoryAdaptor : IMsalHttpClientFactory
+        {
+            private readonly IHttpClientFactory _factory;
+            private HttpClient _instance;
+
+            public MsalHttpClientFactoryAdaptor(IHttpClientFactory factory)
+            {
+                EnsureArgument.NotNull(factory, nameof(factory));
+
+                _factory = factory;
+            }
+
+            public HttpClient GetHttpClient()
+            {
+                // MSAL calls this method each time it wants to use an HTTP client.
+                // We ensure we only create a single instance to avoid socket exhaustion.
+                return _instance ?? (_instance = _factory.CreateClient());
+            }
+        }
+
+        #endregion
     }
 }

src/shared/Microsoft.Git.CredentialManager/Microsoft.Git.CredentialManager.csproj

@@ -17,6 +17,8 @@
   <ItemGroup>
     <PackageReference Include="LibGit2Sharp.NativeBinaries" Version="2.0.278" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.5.0" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.3.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="2.1.0-preview" />
   </ItemGroup>
 
 </Project>

src/shared/Microsoft.Git.CredentialManager/PlatformUtils.cs

@@ -7,6 +7,15 @@ namespace Microsoft.Git.CredentialManager
 {
     public static class PlatformUtils
     {
+        /// <summary>
+        /// Determine if the current session is interactive (can display UI).
+        /// </summary>
+        /// <returns>True if the session is interactive, false otherwise.</returns>
+        public static bool IsInteractiveSession()
+        {
+            return Environment.UserInteractive;
+        }
+
         /// <summary>
         /// Get information about the current platform (OS and CLR details).
         /// </summary>

src/windows/Installer.Windows/Setup.iss

@@ -80,16 +80,17 @@ Filename: "{app}\git-credential-manager-core.exe"; Parameters: "unconfigure"; Fl
 
 [Files]
 Source: "{#PayloadDir}\git-credential-manager-core.exe";               DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\git-credential-manager-core.exe.config";        DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\git2-572e4d8.dll";                              DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\GitHub.dll";                                    DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\GitHub.UI.dll";                                 DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\GitHub.Authentication.Helper.exe";              DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\git2-572e4d8.dll";                              DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Authentication.Helper.exe";           DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Authentication.Helper.exe.config";    DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\GitHub.Authentication.Helper.exe.config";       DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.AzureRepos.dll";                      DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Git.CredentialManager.dll";           DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.dll";                 DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.Extensions.Msal.dll"; DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.IdentityModel.JsonWebTokens.dll"; DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.IdentityModel.Logging.dll"; DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.IdentityModel.Tokens.dll"; DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.JsonWebTokens.dll";     DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.Logging.dll";           DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.Tokens.dll";            DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Newtonsoft.Json.dll";                           DestDir: "{app}"; Flags: ignoreversion