MSAL support for sf tasks (#18977)

Author: Ozan AYDIN

Tasks/Common/ServiceFabricHelpers/Connect-ServiceFabricClusterFromServiceEndpoint.ps1

@@ -35,23 +35,82 @@ function Get-AadSecurityToken
     $clientApplicationId = $connectResult.AzureActiveDirectoryMetadata.ClientApplication
     Write-Host (Get-VstsLocString -Key ClientAppId -ArgumentList $clientApplicationId)
 
-    # Acquire AAD access token
-    Add-Type -LiteralPath "$PSScriptRoot\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
-    $authContext = Create-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList @($authority)
-    $authParams = $ConnectedServiceEndpoint.Auth.Parameters
-    $userCredential = Create-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential -ArgumentList @($authParams.Username, $authParams.Password)
-
-    try
+    # MSAL flag
+    $useMSAL = $false
+    $rawOverrideUseMSAL = Get-VstsTaskVariable -Name 'USE_MSAL'
+    try 
+    {
+        if($rawOverrideUseMSAL) {
+            Write-Verbose "MSAL - USE_MSAL override is found: $rawOverrideUseMSAL"
+            $useMSAL = [bool]::Parse($rawOverrideUseMSAL)
+        }
+    } 
+    catch 
     {
-        # Acquiring a token using UserCredential implies a non-interactive flow. No credential prompts will occur.
-        $accessToken = $authContext.AcquireToken($clusterApplicationId, $clientApplicationId, $userCredential).AccessToken
+        # this is not a blocker error, so we're informing
+        $exceptionMessage = $_.Exception.Message.ToString()
+        Write-Verbose "MSAL - USE_MSAL couldn't be parsed due to error $exceptionMessage. useMSAL=$useMSAL is used instead"
     }
-    catch
+    
+    # Acquire AAD access token - MSAL
+    if ($useMSAL) 
     {
-        throw (Get-VstsLocString -Key ErrorOnAcquireToken -ArgumentList $_)
+        $accessToken = @{
+            token_type = $null
+            access_token = $null
+            expires_on = $null
+        }
+
+        $tenantId = $connectResult.AzureActiveDirectoryMetadata.TenantId
+
+        # load the MSAL library
+        Add-Type -Path "$PSScriptRoot\msal\Microsoft.Identity.Client.dll"
+
+        $authParams = $ConnectedServiceEndpoint.Auth.Parameters
+        
+        $msalClientInstance = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($clientApplicationId).WithAuthority($authority, $tenantId).Build()
+        
+        # scopes
+        $azureActiveDirectoryResourceId = $clusterApplicationId + "/.default"
+        $scopes = [Collections.Generic.List[string]]@($azureActiveDirectoryResourceId)
+
+        # fetch
+        try {
+            Write-Verbose "Fetching Access Token - MSAL"
+            $tokenResult = $msalClientInstance.AcquireTokenByUsernamePassword($scopes, $authParams.Username, $authParams.Password).ExecuteAsync().GetAwaiter().GetResult()
+        }
+        catch {
+            $exceptionMessage = $_.Exception.Message.ToString()
+            Write-Error "ExceptionMessage: $exceptionMessage (in function: Get-AadSecurityToken) (MSAL)"
+            throw (Get-VstsLocString -Key ErrorOnAcquireToken -ArgumentList $_)
+        }
+
+        $accessToken.token_type = $tokenResult.TokenType
+        $accessToken.access_token = $tokenResult.AccessToken
+        $accessToken.expires_on = $tokenResult.ExpiresOn.ToUnixTimeSeconds()
+
+        return $accessToken.access_token
     }
+    # Acquire AAD access token - ADAL
+    else 
+    {
+        Add-Type -LiteralPath "$PSScriptRoot\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
+        $authContext = Create-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList @($authority)
+        $authParams = $ConnectedServiceEndpoint.Auth.Parameters
+        $userCredential = Create-Object -TypeName Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential -ArgumentList @($authParams.Username, $authParams.Password)
 
-    return $accessToken
+        try
+        {
+            # Acquiring a token using UserCredential implies a non-interactive flow. No credential prompts will occur.
+            $accessToken = $authContext.AcquireToken($clusterApplicationId, $clientApplicationId, $userCredential).AccessToken
+        }
+        catch
+        {
+            throw (Get-VstsLocString -Key ErrorOnAcquireToken -ArgumentList $_)
+        }
+
+        return $accessToken
+    }
 }
 
 function Add-Certificate

Tasks/Common/ServiceFabricHelpers/make.json

@@ -10,6 +10,28 @@
                         "source": "lib/net45/Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
                     }
                 ]
+            },
+            {
+                "name": "Microsoft.Identity.Client",
+                "version": "4.48.0",
+                "repository": "https://www.nuget.org/api/v2/",
+                "cp": [
+                    {
+                        "source": "lib/net45/Microsoft.Identity.Client.dll",
+                        "dest": "msal"
+                    }
+                ]
+            },
+            {
+                "name": "Microsoft.IdentityModel.Abstractions",
+                "version": "6.22.0",
+                "repository": "https://www.nuget.org/api/v2/",
+                "cp": [
+                    {
+                        "source": "lib/net45/Microsoft.IdentityModel.Abstractions.dll",
+                        "dest": "msal"
+                    }
+                ]
             }
         ]
     }

Tasks/ServiceFabricComposeDeployV0/task.json

@@ -17,7 +17,7 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 0,
-        "Minor": 198,
+        "Minor": 228,
         "Patch": 0
     },
     "demands": [

Tasks/ServiceFabricComposeDeployV0/task.loc.json

@@ -17,7 +17,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 0,
-    "Minor": 198,
+    "Minor": 228,
     "Patch": 0
   },
   "demands": [

Tasks/ServiceFabricDeployV1/task.json

@@ -17,7 +17,7 @@
     ],
     "version": {
         "Major": 1,
-        "Minor": 205,
+        "Minor": 228,
         "Patch": 0
     },
     "demands": [

Tasks/ServiceFabricDeployV1/task.loc.json

@@ -17,7 +17,7 @@
   ],
   "version": {
     "Major": 1,
-    "Minor": 198,
+    "Minor": 228,
     "Patch": 0
   },
   "demands": [

Tasks/ServiceFabricPowerShellV1/task.json

@@ -17,7 +17,7 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 1,
-        "Minor": 198,
+        "Minor": 228,
         "Patch": 0
     },
     "demands": [

Tasks/ServiceFabricPowerShellV1/task.loc.json

@@ -17,7 +17,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 198,
+    "Minor": 228,
     "Patch": 0
   },
   "demands": [