msauth: use new Windows broker based on MSALRuntime

mjcheetham · mjcheetham · commit ac5289a7e16e · 2023-04-07T13:48:54.000-07:00
Use the new Windows broker which is based on the MSALRuntime; an export
wrapper around a native, cross-platform MSAL library.

In this new set up, we drop the `.Desktop` package in favour of the
`.Broker` package that also means we drop the WebView2Loader.dll, which
we didn't make use of anyway. There are a few new binaries to be
distrubuted in the new model, including a P/Invoke layer, IdentityModel
abstractions library, and the native msalruntime_x86.dll.

Note that GCM still only support x86 on Windows, and only supports
broker use on Windows. For this reason we don't bother adding the broker
package on non-.NET Framework builds to keep the sizes on Mac/Linux to a
minimium.
diff --git a/src/shared/Core/Authentication/MicrosoftAuthentication.cs b/src/shared/Core/Authentication/MicrosoftAuthentication.cs
@@ -7,7 +7,7 @@
 using Microsoft.Identity.Client.Extensions.Msal;
 
 #if NETFRAMEWORK
-using Microsoft.Identity.Client.Desktop;
+using Microsoft.Identity.Client.Broker;
 #endif
 
 namespace GitCredentialManager.Authentication
@@ -41,55 +41,6 @@ public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthenticat
             "live", "liveconnect", "liveid",
         };
 
-        #region Broker Initialization
-
-        public static bool IsBrokerInitialized { get; private set; }
-
-        public static void InitializeBroker()
-        {
-            if (IsBrokerInitialized)
-            {
-                return;
-            }
-
-            IsBrokerInitialized = true;
-
-            // Broker is only supported on Windows 10 and later
-            if (!PlatformUtils.IsWindowsBrokerSupported())
-            {
-                return;
-            }
-
-            // Nothing to do when not an elevated user
-            if (!PlatformUtils.IsElevatedUser())
-            {
-                return;
-            }
-
-            // Lower COM security so that MSAL can make the calls to WAM
-            int result = Interop.Windows.Native.Ole32.CoInitializeSecurity(
-                IntPtr.Zero,
-                -1,
-                IntPtr.Zero,
-                IntPtr.Zero,
-                Interop.Windows.Native.Ole32.RpcAuthnLevel.None,
-                Interop.Windows.Native.Ole32.RpcImpLevel.Impersonate,
-                IntPtr.Zero,
-                Interop.Windows.Native.Ole32.EoAuthnCap.None,
-                IntPtr.Zero
-            );
-
-            if (result != 0)
-            {
-                throw new Exception(
-                    $"Failed to set COM process security to allow Windows broker from an elevated process (0x{result:x})." +
-                    Environment.NewLine +
-                    $"See {Constants.HelpUrls.GcmWamComSecurity} for more information.");
-            }
-        }
-
-        #endregion
-
         public MicrosoftAuthentication(ICommandContext context)
             : base(context) { }
 
@@ -99,17 +50,10 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenAsync(
             string authority, string clientId, Uri redirectUri, string[] scopes, string userName)
         {
             // Check if we can and should use OS broker authentication
-            bool useBroker = false;
-            if (CanUseBroker(Context))
-            {
-                // Can only use the broker if it has been initialized
-                useBroker = IsBrokerInitialized;
-
-                if (IsBrokerInitialized)
-                    Context.Trace.WriteLine("OS broker is available and enabled.");
-                else
-                    Context.Trace.WriteLine("OS broker has not been initialized and cannot not be used.");
-            }
+            bool useBroker = CanUseBroker();
+            Context.Trace.WriteLine(useBroker
+                ? "OS broker is available and enabled."
+                : "OS broker has not been initialized and cannot not be used.");
 
             // Create the public client application for authentication
             IPublicClientApplication app = await CreatePublicClientApplicationAsync(authority, clientId, redirectUri, useBroker);
@@ -287,12 +231,19 @@ private async Task<IPublicClientApplication> CreatePublicClientApplicationAsync(
                 appBuilder.WithParentActivityOrWindow(() => new IntPtr(hWndInt));
             }
 
-            // On Windows 10+ & .NET Framework try and use the WAM broker
-            if (enableBroker && PlatformUtils.IsWindowsBrokerSupported())
+            // Configure the broker if enabled
+            // Currently only supported on Windows so only included in the .NET Framework builds
+            // to save on the distribution size of the .NET builds (no need for MSALRuntime bits).
+            if (enableBroker)
             {
 #if NETFRAMEWORK
-                appBuilder.WithExperimentalFeatures();
-                appBuilder.WithWindowsBroker();
+                appBuilder.WithBroker(
+                    new BrokerOptions(BrokerOptions.OperatingSystems.Windows)
+                    {
+                        Title = "Git Credential Manager",
+                        MsaPassthrough = true,
+                    }
+                );
 #endif
             }
 
@@ -458,19 +409,19 @@ public HttpClient GetHttpClient()
 
         #region Auth flow capability detection
 
-        public static bool CanUseBroker(ICommandContext context)
+        public bool CanUseBroker()
         {
 #if NETFRAMEWORK
             // We only support the broker on Windows 10+ and in an interactive session
-            if (!context.SessionManager.IsDesktopSession || !PlatformUtils.IsWindowsBrokerSupported())
+            if (!Context.SessionManager.IsDesktopSession || !PlatformUtils.IsWindowsBrokerSupported())
             {
                 return false;
             }
 
             // Default to not using the OS broker
             const bool defaultValue = false;
 
-            if (context.Settings.TryGetSetting(Constants.EnvironmentVariables.MsAuthUseBroker,
+            if (Context.Settings.TryGetSetting(Constants.EnvironmentVariables.MsAuthUseBroker,
                     Constants.GitConfiguration.Credential.SectionName,
                     Constants.GitConfiguration.Credential.MsAuthUseBroker,
                     out string valueStr))
diff --git a/src/shared/Core/Core.csproj b/src/shared/Core/Core.csproj
@@ -13,7 +13,7 @@
   <ItemGroup Condition="'$(TargetFramework)' == 'net472'">
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Web" />
-    <PackageReference Include="Microsoft.Identity.Client.Desktop" Version="4.52.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.52.0" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs b/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs
@@ -15,27 +15,8 @@ public MicrosoftAuthenticationDiagnostic(ICommandContext context)
 
         protected override async Task<bool> RunInternalAsync(StringBuilder log, IList<string> additionalFiles)
         {
-            if (MicrosoftAuthentication.CanUseBroker(CommandContext))
-            {
-                log.Append("Checking broker initialization state...");
-                if (MicrosoftAuthentication.IsBrokerInitialized)
-                {
-                    log.AppendLine(" Initialized");
-                }
-                else
-                {
-                    log.AppendLine("  Not initialized");
-                    log.Append("Initializing broker...");
-                    MicrosoftAuthentication.InitializeBroker();
-                    log.AppendLine("OK");
-                }
-            }
-            else
-            {
-                log.AppendLine("Broker not supported.");
-            }
-
             var msAuth = new MicrosoftAuthentication(CommandContext);
+            log.AppendLine(msAuth.CanUseBroker() ? "Broker is enabled." : "Broker is not enabled.");
             log.AppendLine($"Flow type is: {msAuth.GetFlowType()}");
 
             log.Append("Gathering MSAL token cache data...");
diff --git a/src/shared/Git-Credential-Manager/Program.cs b/src/shared/Git-Credential-Manager/Program.cs
@@ -25,22 +25,6 @@ public static void Main(string[] args)
                 // Write the start and version events
                 context.Trace2.Start(context.ApplicationPath, args);
 
-                // Workaround for https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560
-                if (MicrosoftAuthentication.CanUseBroker(context))
-                {
-                    try
-                    {
-                        MicrosoftAuthentication.InitializeBroker();
-                    }
-                    catch (Exception ex)
-                    {
-                        context.Streams.Error.WriteLine(
-                            "warning: broker initialization failed{0}{1}",
-                            Environment.NewLine, ex.Message
-                        );
-                    }
-                }
-
                 //
                 // Git Credential Manager's executable used to be named "git-credential-manager-core" before
                 // dropping the "-core" suffix. In order to prevent "helper not found" errors for users who
diff --git a/src/windows/Installer.Windows/Setup.iss b/src/windows/Installer.Windows/Setup.iss
@@ -125,20 +125,19 @@ Source: "{#PayloadDir}\Microsoft.AzureRepos.dll";                       DestDir:
 Source: "{#PayloadDir}\gcmcore.dll";                                    DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\gcmcoreui.dll";                                  DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\gcmcoreuiwpf.dll";                               DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Identity.Client.Desktop.dll";          DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.Identity.Client.Broker.dll";           DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.dll";                  DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Microsoft.Identity.Client.Extensions.Msal.dll";  DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Web.WebView2.Core.dll";                DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Web.WebView2.WinForms.dll";            DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\Microsoft.Web.WebView2.Wpf.dll";                 DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.Identity.Client.NativeInterop.dll";    DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\Microsoft.IdentityModel.Abstractions.dll";       DestDir: "{app}"; Flags: ignoreversion
+Source: "{#PayloadDir}\msalruntime_x86.dll";                            DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\Newtonsoft.Json.dll";                            DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\NOTICE";                                         DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\System.Buffers.dll";                             DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\System.CommandLine.dll";                         DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\System.Memory.dll";                              DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\System.Numerics.Vectors.dll";                    DestDir: "{app}"; Flags: ignoreversion
 Source: "{#PayloadDir}\System.Runtime.CompilerServices.Unsafe.dll";     DestDir: "{app}"; Flags: ignoreversion
-Source: "{#PayloadDir}\WebView2Loader.dll";                             DestDir: "{app}"; Flags: ignoreversion
 
 [Code]
 // Don't allow installing conflicting architectures
