msauth: include better warning message on Keychain errors

mjcheetham · mjcheetham · commit 49ca302ea08a · 2021-03-10T13:59:37.000Z
Sometimes the login Keychain is not accessible and the MSAL.Extensions
library cannot read/write the token cache. The specific error
encountered internally is `errSecAuthFailed` - neither we nor the MSAL
team know why this happens sometimes.

Locking and then unlocking the login Keychain manually, or simply
restarting the computer appears to fix the problem.

Include the lock+unlock/restart remedy in the warning message on macOS.
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
@@ -236,13 +236,23 @@ private async Task RegisterTokenCacheAsync(IPublicClientApplication app)
             }
             catch (MsalCachePersistenceException ex)
             {
-                Context.Streams.Error.WriteLine("warning: cannot persist Microsoft Authentication data securely!");
+                Context.Streams.Error.WriteLine("warning: cannot persist Microsoft authentication token cache securely!");
                 Context.Trace.WriteLine("Cannot persist Microsoft Authentication data securely!");
                 Context.Trace.WriteException(ex);
 
-                // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
-                if (PlatformUtils.IsLinux())
+                if (PlatformUtils.IsMacOS())
                 {
+                    // On macOS sometimes the Keychain returns the "errSecAuthFailed" error - we don't know why
+                    // but it appears to be something to do with not being able to access the keychain.
+                    // Locking and unlocking (or restarting) often fixes this.
+                    Context.Streams.Error.WriteLine(
+                        "warning: there is a problem accessing the login Keychain - either manually lock and unlock the " +
+                        "login Keychain, or restart the computer to remedy this");
+                }
+                else if (PlatformUtils.IsLinux())
+                {
+                    // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
+                    Context.Streams.Error.WriteLine("warning: using plain-text fallback token cache");
                     Context.Trace.WriteLine("Using fall-back plaintext token cache on Linux.");
                     var storageProps = CreateTokenCacheProps(clientId, useLinuxFallback: true);
                     helper = await MsalCacheHelper.CreateAsync(storageProps);
