msauth: use default OS account when enabled

Add the ability to configure MSAL to use the default OS account when the
broker is enabled.

Default to disabled.

Author: mjcheetham

docs/configuration.md

@@ -564,6 +564,27 @@ git config --global credential.msauthUseBroker true
 
 ---
 
+### credential.msauthUseDefaultAccount _(experimental)_
+
+Use the current operating system account by default when the broker is enabled.
+
+Defaults to `false`. This default is subject to change in the future.
+
+Value|Description
+-|-
+`true`|Use the current operating system account by default.
+`false` _(default)_|Do not assume any account to use by default.
+
+#### Example
+
+```shell
+git config --global credential.msauthUseDefaultAccount true
+```
+
+**Also see: [GCM_MSAUTH_USEDEFAULTACCOUNT][gcm-msauth-usedefaultaccount]**
+
+---
+
 ### credential.useHttpPath
 
 Tells Git to pass the entire repository URL, rather than just the hostname, when
@@ -690,6 +711,7 @@ git config --global credential.azreposCredentialType oauth
 [gcm-interactive]: environment.md#GCM_INTERACTIVE
 [gcm-msauth-flow]: environment.md#GCM_MSAUTH_FLOW
 [gcm-msauth-usebroker]: environment.md#GCM_MSAUTH_USEBROKER-experimental
+[gcm-msauth-usedefaultaccount]: environment.md#GCM_MSAUTH_USEDEFAULTACCOUNT-experimental
 [gcm-namespace]: environment.md#GCM_NAMESPACE
 [gcm-plaintext-store-path]: environment.md#GCM_PLAINTEXT_STORE_PATH
 [gcm-provider]: environment.md#GCM_PROVIDER

docs/environment.md

@@ -803,6 +803,33 @@ export GCM_MSAUTH_USEBROKER="false"
 
 ---
 
+### GCM_MSAUTH_USEDEFAULTACCOUNT _(experimental)_
+
+Use the current operating system account by default when the broker is enabled.
+
+Defaults to `false`. This default is subject to change in the future.
+
+Value|Description
+-|-
+`true`|Use the current operating system account by default.
+`false` _(default)_|Do not assume any account to use by default.
+
+#### Windows
+
+```batch
+SET GCM_MSAUTH_USEDEFAULTACCOUNT="true"
+```
+
+#### macOS/Linux
+
+```bash
+export GCM_MSAUTH_USEDEFAULTACCOUNT="false"
+```
+
+**Also see: [credential.msauthUseDefaultAccount][credential-msauth-usedefaultaccount]**
+
+---
+
 ### GCM_AZREPOS_CREDENTIALTYPE
 
 Specify the type of credential the Azure Repos host provider should return.
@@ -849,6 +876,7 @@ export GCM_AZREPOS_CREDENTIALTYPE="oauth"
 [credential-namespace]: configuration.md#credentialnamespace
 [credential-msauth-flow]: configuration.md#credentialmsauthflow
 [credential-msauth-usebroker]: configuration.md#credentialmsauthusebroker-experimental
+[credential-msauth-usedefaultaccount]: configuration.md#credentialmsauthusedefaultaccount-experimental
 [credential-plain-text-store]: configuration.md#credentialplaintextstorepath
 [credential-provider]: configuration.md#credentialprovider
 [credential-stores]: credstores.md

docs/windows-broker.md

@@ -34,6 +34,15 @@ fewer multi-factor authentication prompts, and the ability to use additional
 authentication technologies like smart cards and Windows Hello. These
 convenience and security features make a good case for enabling WAM.
 
+## Using the current OS account by default
+
+Enabling WAM does not currently automatically use the current Windows account
+for authentication. In order to opt-in to this behavior you can set the
+[`GCM_MSAUTH_USEDEFAULTACCOUNT`][GCM_MSAUTH_USEDEFAULTACCOUNT] environment
+variable or set the
+[`credential.msauthUseDefaultAccount`][credential.msauthUseDefaultAccount] Git
+configuration value to `true`.
+
 ## Surprising behaviors
 
 The WAM and Windows identity systems are complex, addressing a very broad range
@@ -175,7 +184,9 @@ In order to fix the problem, there are a few options:
 [azure-conditional-access]: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
 [azure-devops]: https://dev.azure.com
 [GCM_MSAUTH_USEBROKER]: environment.md#GCM_MSAUTH_USEBROKER
+[GCM_MSAUTH_USEDEFAULTACCOUNTR]: environment.md#GCM_MSAUTH_USEDEFAULTACCOUNTR
 [credential.msauthUseBroker]: configuration.md#credentialmsauthusebroker
+[credential.msauthUseDefaultAccount]: configuration.md#credentialmsauthusedefaultaccount
 [aad-questions]: img/aad-questions.png
 [aad-questions-21h1]: img/aad-questions-21H1.png
 [aad-bitlocker]: img/aad-bitlocker.png

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -6,8 +6,11 @@
 using GitCredentialManager.Interop.Windows.Native;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensions.Msal;
+using System.Text;
 using System.Threading;
-using System.Runtime.InteropServices;
+using GitCredentialManager.UI;
+using GitCredentialManager.UI.ViewModels;
+using GitCredentialManager.UI.Views;
 
 #if NETFRAMEWORK
 using System.Drawing;
@@ -72,7 +75,8 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenAsync(
                 AuthenticationResult result = null;
 
                 // Try silent authentication first if we know about an existing user
-                if (!string.IsNullOrWhiteSpace(userName))
+                bool hasExistingUser = !string.IsNullOrWhiteSpace(userName);
+                if (hasExistingUser)
                 {
                     result = await GetAccessTokenSilentlyAsync(app, scopes, userName);
                 }
@@ -106,12 +110,29 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenAsync(
                     // If we're using the OS broker then delegate everything to that
                     if (useBroker)
                     {
-                        Context.Trace.WriteLine("Performing interactive auth with broker...");
-                        result = await app.AcquireTokenInteractive(scopes)
-                            .WithPrompt(Prompt.SelectAccount)
-                            // We must configure the system webview as a fallback
-                            .WithSystemWebViewOptions(GetSystemWebViewOptions())
-                            .ExecuteAsync();
+                        // If the user has enabled the default account feature then we can try to acquire an access
+                        // token 'silently' without knowing the user's UPN. Whilst this could be done truly silently,
+                        // we still prompt the user to confirm this action because if the OS account is the incorrect
+                        // account then the user may become stuck in a loop of authentication failures.
+                        if (!hasExistingUser && Context.Settings.UseMsAuthDefaultAccount)
+                        {
+                            result = await GetAccessTokenSilentlyAsync(app, scopes, null);
+
+                            if (result is null || !await UseDefaultAccountAsync(result.Account.Username))
+                            {
+                                result = null;
+                            }
+                        }
+
+                        if (result is null)
+                        {
+                            Context.Trace.WriteLine("Performing interactive auth with broker...");
+                            result = await app.AcquireTokenInteractive(scopes)
+                                .WithPrompt(Prompt.SelectAccount)
+                                // We must configure the system webview as a fallback
+                                .WithSystemWebViewOptions(GetSystemWebViewOptions())
+                                .ExecuteAsync();
+                        }
                     }
                     else
                     {
@@ -173,6 +194,61 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenAsync(
             }
         }
 
+        private async Task<bool> UseDefaultAccountAsync(string userName)
+        {
+            ThrowIfUserInteractionDisabled();
+
+            if (Context.SessionManager.IsDesktopSession && Context.Settings.IsGuiPromptsEnabled)
+            {
+                if (TryFindHelperCommand(out string command, out string args))
+                {
+                    var sb = new StringBuilder(args);
+                    sb.Append("default-account");
+                    sb.AppendFormat(" --username {0}", QuoteCmdArg(userName));
+
+                    IDictionary<string, string> result = await InvokeHelperAsync(command, sb.ToString());
+
+                    if (result.TryGetValue("use_default_account", out string str) && !string.IsNullOrWhiteSpace(str))
+                    {
+                        return str.ToBooleanyOrDefault(false);
+                    }
+                    else
+                    {
+                        throw new Trace2Exception(Context.Trace2, "Missing use_default_account in response");
+                    }
+                }
+
+                var viewModel = new DefaultAccountViewModel(Context.Environment)
+                {
+                    UserName = userName
+                };
+
+                await AvaloniaUi.ShowViewAsync<DefaultAccountView>(
+                    viewModel, GetParentWindowHandle(), CancellationToken.None);
+
+                ThrowIfWindowCancelled(viewModel);
+
+                return viewModel.UseDefaultAccount;
+            }
+            else
+            {
+                string question = $"Continue with current account ({userName})?";
+
+                var menu = new TerminalMenu(Context.Terminal, question);
+                TerminalMenuItem yesItem = menu.Add("Yes");
+                TerminalMenuItem noItem = menu.Add("No, use another account");
+                TerminalMenuItem choice = menu.Show();
+
+                if (choice == yesItem)
+                    return true;
+
+                if (choice == noItem)
+                    return false;
+
+                throw new Exception();
+            }
+        }
+
         internal MicrosoftAuthenticationFlowType GetFlowType()
         {
             if (Context.Settings.TryGetSetting(
@@ -209,11 +285,20 @@ private async Task<AuthenticationResult> GetAccessTokenSilentlyAsync(IPublicClie
         {
             try
             {
-                Context.Trace.WriteLine($"Attempting to acquire token silently for user '{userName}'...");
+                if (userName is null)
+                {
+                    Context.Trace.WriteLine("Attempting to acquire token silently for current operating system account...");
+
+                    return await app.AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount).ExecuteAsync();
+                }
+                else
+                {
+                    Context.Trace.WriteLine($"Attempting to acquire token silently for user '{userName}'...");
 
-                // We can either call `app.GetAccountsAsync` and filter through the IAccount objects for the instance with the correct user name,
-                // or we can just pass the user name string we have as the `loginHint` and let MSAL do exactly that for us instead!
-                return await app.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();
+                    // We can either call `app.GetAccountsAsync` and filter through the IAccount objects for the instance with the correct user name,
+                    // or we can just pass the user name string we have as the `loginHint` and let MSAL do exactly that for us instead!
+                    return await app.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();
+                }
             }
             catch (MsalUiRequiredException)
             {
@@ -429,6 +514,16 @@ private void OnMsalLogMessage(LogLevel level, string message, bool containspii)
             Context.Trace.WriteLine($"[{level.ToString()}] {message}", memberName: "MSAL");
         }
 
+        private bool TryFindHelperCommand(out string command, out string args)
+        {
+            return TryFindHelperCommand(
+                Constants.EnvironmentVariables.GcmUiHelper,
+                Constants.GitConfiguration.Credential.UiHelper,
+                Constants.DefaultUiHelper,
+                out command,
+                out args);
+        }
+
         private class MsalHttpClientFactoryAdaptor : IMsalHttpClientFactory
         {
             private readonly IHttpClientFactory _factory;

src/shared/Core/Constants.cs

@@ -83,6 +83,7 @@ public static class EnvironmentVariables
             public const string GcmParentWindow       = "GCM_MODAL_PARENTHWND";
             public const string MsAuthFlow            = "GCM_MSAUTH_FLOW";
             public const string MsAuthUseBroker       = "GCM_MSAUTH_USEBROKER";
+            public const string MsAuthUseDefaultAccount = "GCM_MSAUTH_USEDEFAULTACCOUNT";
             public const string GcmCredNamespace      = "GCM_NAMESPACE";
             public const string GcmCredentialStore    = "GCM_CREDENTIAL_STORE";
             public const string GcmCredCacheOptions   = "GCM_CREDENTIAL_CACHE_OPTIONS";
@@ -141,6 +142,7 @@ public static class Credential
                 public const string GuiPromptsEnabled = "guiPrompt";
                 public const string UiHelper = "uiHelper";
                 public const string DevUseLegacyUiHelpers = "devUseLegacyUiHelpers";
+                public const string MsAuthUseDefaultAccount = "msauthUseDefaultAccount";
 
                 public const string OAuthAuthenticationModes = "oauthAuthModes";
                 public const string OAuthClientId            = "oauthClientId";
@@ -198,6 +200,7 @@ public static class HelpUrls
             public const string GcmWamComSecurity      = "https://aka.ms/gcm/wamadmin";
             public const string GcmAutoDetect          = "https://aka.ms/gcm/autodetect";
             public const string GcmExecRename          = "https://aka.ms/gcm/rename";
+            public const string GcmDefaultAccount      = "https://aka.ms/gcm/defaultaccount";
         }
 
         private static Version _gcmVersion;

src/shared/Core/Settings.cs

@@ -172,6 +172,12 @@ public interface ISettings : IDisposable
         /// </summary>
         int AutoDetectProviderTimeout { get; }
 
+        /// <summary>
+        /// Automatically use the default/current operating system account if no other account information is given
+        /// for Microsoft Authentication.
+        /// </summary>
+        bool UseMsAuthDefaultAccount { get; }
+
         /// <summary>
         /// Get TRACE2 settings.
         /// </summary>
@@ -768,6 +774,15 @@ ProxyConfiguration CreateConfiguration(Uri uri, bool isLegacy = false)
                 ? credStore
                 : null;
 
+        public bool UseMsAuthDefaultAccount =>
+            TryGetSetting(
+                KnownEnvars.MsAuthUseDefaultAccount,
+                KnownGitCfg.Credential.SectionName,
+                KnownGitCfg.Credential.MsAuthUseDefaultAccount,
+                out string str)
+            ? str.IsTruthy()
+            : false;
+
         #region IDisposable
 
         public void Dispose()

src/shared/Core/UI/Assets/Images.axaml

@@ -1,5 +1,16 @@
 <ResourceDictionary xmlns="https://github.com/avaloniaui"
                     xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
+    <ResourceDictionary.ThemeDictionaries>
+        <ResourceDictionary x:Key="Default">
+            <Color x:Key="IconColor">#FF25292F</Color>
+            <SolidColorBrush x:Key="IconBrush" Color="{StaticResource IconColor}"/>
+        </ResourceDictionary>
+        <ResourceDictionary x:Key="Dark">
+            <Color x:Key="IconColor">White</Color>
+            <SolidColorBrush x:Key="IconBrush" Color="{StaticResource IconColor}"/>
+        </ResourceDictionary>
+    </ResourceDictionary.ThemeDictionaries>
+
     <DrawingImage x:Key="GcmLogo">
         <DrawingImage.Drawing>
             <DrawingGroup>
@@ -10,4 +21,33 @@
             </DrawingGroup>
         </DrawingImage.Drawing>
     </DrawingImage>
+    <DrawingImage x:Key="PersonIcon">
+        <DrawingImage.Drawing>
+            <DrawingGroup>
+                <DrawingGroup.Children>
+                    <GeometryDrawing Brush="{DynamicResource IconBrush}" Geometry="M12 2.5a5.5 5.5 0 0 1 3.096 10.047 9.005 9.005 0 0 1 5.9 8.181.75.75 0 1 1-1.499.044 7.5 7.5 0 0 0-14.993 0 .75.75 0 0 1-1.5-.045 9.005 9.005 0 0 1 5.9-8.18A5.5 5.5 0 0 1 12 2.5ZM8 8a4 4 0 1 0 8 0 4 4 0 0 0-8 0Z"/>
+                </DrawingGroup.Children>
+            </DrawingGroup>
+        </DrawingImage.Drawing>
+    </DrawingImage>
+    <DrawingImage x:Key="InfoIcon">
+        <DrawingImage.Drawing>
+            <DrawingGroup>
+                <DrawingGroup.Children>
+                    <GeometryDrawing Brush="{DynamicResource IconBrush}" Geometry="M13 7.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Zm-3 3.75a.75.75 0 0 1 .75-.75h1.5a.75.75 0 0 1 .75.75v4.25h.75a.75.75 0 0 1 0 1.5h-3a.75.75 0 0 1 0-1.5h.75V12h-.75a.75.75 0 0 1-.75-.75Z"/>
+                    <GeometryDrawing Brush="{DynamicResource IconBrush}" Geometry="M12 1c6.075 0 11 4.925 11 11s-4.925 11-11 11S1 18.075 1 12 5.925 1 12 1ZM2.5 12a9.5 9.5 0 0 0 9.5 9.5 9.5 9.5 0 0 0 9.5-9.5A9.5 9.5 0 0 0 12 2.5 9.5 9.5 0 0 0 2.5 12Z"/>
+                </DrawingGroup.Children>
+            </DrawingGroup>
+        </DrawingImage.Drawing>
+    </DrawingImage>
+    <DrawingImage x:Key="HelpIcon">
+        <DrawingImage.Drawing>
+            <DrawingGroup>
+                <DrawingGroup.Children>
+                    <GeometryDrawing Brush="{DynamicResource IconBrush}" Geometry="M10.97 8.265a1.45 1.45 0 0 0-.487.57.75.75 0 0 1-1.341-.67c.2-.402.513-.826.997-1.148C10.627 6.69 11.244 6.5 12 6.5c.658 0 1.369.195 1.934.619a2.45 2.45 0 0 1 1.004 2.006c0 1.033-.513 1.72-1.027 2.215-.19.183-.399.358-.579.508l-.147.123a4.329 4.329 0 0 0-.435.409v1.37a.75.75 0 1 1-1.5 0v-1.473c0-.237.067-.504.247-.736.22-.28.486-.517.718-.714l.183-.153.001-.001c.172-.143.324-.27.47-.412.368-.355.569-.676.569-1.136a.953.953 0 0 0-.404-.806C12.766 8.118 12.384 8 12 8c-.494 0-.814.121-1.03.265ZM13 17a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"/>
+                    <GeometryDrawing Brush="{DynamicResource IconBrush}" Geometry="M12 1c6.075 0 11 4.925 11 11s-4.925 11-11 11S1 18.075 1 12 5.925 1 12 1ZM2.5 12a9.5 9.5 0 0 0 9.5 9.5 9.5 9.5 0 0 0 9.5-9.5A9.5 9.5 0 0 0 12 2.5 9.5 9.5 0 0 0 2.5 12Z"/>
+                </DrawingGroup.Children>
+            </DrawingGroup>
+        </DrawingImage.Drawing>
+    </DrawingImage>
 </ResourceDictionary>