Enable MSA Passthrough for WAM (#37567)

sdk/identity/Azure.Identity.BrokeredAuthentication/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added support for MSA passthrough. Note this is only available for legacy 1st party applications.
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/identity/Azure.Identity.BrokeredAuthentication/api/Azure.Identity.BrokeredAuthentication.net6.0.cs

@@ -3,10 +3,12 @@ namespace Azure.Identity.BrokeredAuthentication
     public partial class InteractiveBrowserCredentialBrokerOptions : Azure.Identity.InteractiveBrowserCredentialOptions
     {
         public InteractiveBrowserCredentialBrokerOptions(System.IntPtr parentWindowHandle) { }
+        public bool? IsMsaPassthroughEnabled { get { throw null; } set { } }
     }
     public partial class SharedTokenCacheCredentialBrokerOptions : Azure.Identity.SharedTokenCacheCredentialOptions
     {
         public SharedTokenCacheCredentialBrokerOptions() { }
         public SharedTokenCacheCredentialBrokerOptions(Azure.Identity.TokenCachePersistenceOptions tokenCacheOptions) { }
+        public bool? IsMsaPassthroughEnabled { get { throw null; } set { } }
     }
 }

sdk/identity/Azure.Identity.BrokeredAuthentication/api/Azure.Identity.BrokeredAuthentication.netstandard2.0.cs

@@ -3,10 +3,12 @@ namespace Azure.Identity.BrokeredAuthentication
     public partial class InteractiveBrowserCredentialBrokerOptions : Azure.Identity.InteractiveBrowserCredentialOptions
     {
         public InteractiveBrowserCredentialBrokerOptions(System.IntPtr parentWindowHandle) { }
+        public bool? IsMsaPassthroughEnabled { get { throw null; } set { } }
     }
     public partial class SharedTokenCacheCredentialBrokerOptions : Azure.Identity.SharedTokenCacheCredentialOptions
     {
         public SharedTokenCacheCredentialBrokerOptions() { }
         public SharedTokenCacheCredentialBrokerOptions(Azure.Identity.TokenCachePersistenceOptions tokenCacheOptions) { }
+        public bool? IsMsaPassthroughEnabled { get { throw null; } set { } }
     }
 }

sdk/identity/Azure.Identity.BrokeredAuthentication/src/InteractiveBrowserCredentialBrokerOptions.cs

@@ -12,7 +12,13 @@ namespace Azure.Identity.BrokeredAuthentication
     /// </summary>
     public class InteractiveBrowserCredentialBrokerOptions : InteractiveBrowserCredentialOptions, IMsalPublicClientInitializerOptions
     {
-        private IntPtr _parentWindowHandle;
+        private readonly IntPtr _parentWindowHandle;
+
+        /// <summary>
+        /// Gets or sets whether Microsoft Account (MSA) passthough.
+        /// </summary>
+        /// <value></value>
+        public bool? IsMsaPassthroughEnabled { get; set; }
 
         /// <summary>
         /// Creates a new instance of <see cref="InteractiveBrowserCredentialBrokerOptions"/> to configure a <see cref="InteractiveBrowserCredential"/>.
@@ -27,7 +33,13 @@ public InteractiveBrowserCredentialBrokerOptions(IntPtr parentWindowHandle) : ba
 
         private void AddBroker(PublicClientApplicationBuilder builder)
         {
-            builder.WithBroker().WithParentActivityOrWindow(() => _parentWindowHandle);
+            builder.WithParentActivityOrWindow(() => _parentWindowHandle);
+            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
+            if (IsMsaPassthroughEnabled.HasValue)
+            {
+                options.MsaPassthrough = IsMsaPassthroughEnabled.Value;
+            }
+            builder.WithBroker(options);
         }
     }
 }

sdk/identity/Azure.Identity.BrokeredAuthentication/src/SharedTokenCacheCredentialBrokerOptions.cs

@@ -12,6 +12,12 @@ namespace Azure.Identity.BrokeredAuthentication
     /// </summary>
     public class SharedTokenCacheCredentialBrokerOptions : SharedTokenCacheCredentialOptions, IMsalPublicClientInitializerOptions
     {
+        /// <summary>
+        /// Gets or sets whether Microsoft Account (MSA) passthough.
+        /// </summary>
+        /// <value></value>
+        public bool? IsMsaPassthroughEnabled { get; set; }
+
         /// <summary>
         /// Initializes a new instance of <see cref="SharedTokenCacheCredentialBrokerOptions"/>.
         /// </summary>
@@ -32,7 +38,12 @@ public SharedTokenCacheCredentialBrokerOptions(TokenCachePersistenceOptions toke
 
         private void AddBroker(PublicClientApplicationBuilder builder)
         {
-            builder.WithBroker();
+            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
+            if (IsMsaPassthroughEnabled.HasValue)
+            {
+                options.MsaPassthrough = IsMsaPassthroughEnabled.Value;
+            }
+            builder.WithBroker(options);
         }
     }
 }

sdk/identity/Azure.Identity.BrokeredAuthentication/tests/InteractiveBrowserCredentialBrokerOptionsTests.cs

@@ -0,0 +1,51 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Reflection;
+using Microsoft.Identity.Client;
+using NUnit.Framework;
+
+namespace Azure.Identity.BrokeredAuthentication.Tests
+{
+    public class InteractiveBrowserCredentialBrokerOptionsTests
+    {
+        [Test]
+        public void RespectsMsaPassthrough(
+            [Values(true, false, null)] bool? enableMsaPassthrough)
+        {
+            IntPtr parentWindowHandle = new(1234);
+            IMsalPublicClientInitializerOptions credentialOptions;
+            if (enableMsaPassthrough.HasValue)
+            {
+                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) { IsMsaPassthroughEnabled = enableMsaPassthrough.Value } as IMsalPublicClientInitializerOptions;
+            }
+            else
+            {
+                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) as IMsalPublicClientInitializerOptions;
+            }
+            PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
+                .Create(Guid.NewGuid().ToString());
+
+            credentialOptions.BeforeBuildClient(builder);
+
+            (BrokerOptions Options, Func<object> Parent) = GetBrokerOptions(builder);
+            Assert.AreEqual(enableMsaPassthrough ?? false, Options?.MsaPassthrough);
+            Assert.AreEqual(parentWindowHandle, Parent());
+        }
+
+        private static (BrokerOptions Options, Func<object> Parent) GetBrokerOptions(PublicClientApplicationBuilder builder)
+        {
+            var config = builder
+                .GetType()
+                .BaseType.GetProperty("Config", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(builder);
+            Console.WriteLine(config);
+
+            var options = config.GetType().GetProperty("BrokerOptions").GetValue(config);
+            Console.WriteLine(options);
+            var parent = config.GetType().GetProperty("ParentActivityOrWindowFunc").GetValue(config);
+
+            return (options as BrokerOptions, parent as Func<object>);
+        }
+    }
+}

sdk/identity/Azure.Identity.BrokeredAuthentication/tests/SharedTokenCacheCredentialBrokerOptionsTests.cs

@@ -1,6 +1,9 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
+using System.Reflection;
+using Microsoft.Identity.Client;
 using NUnit.Framework;
 
 namespace Azure.Identity.BrokeredAuthentication.Tests
@@ -10,12 +13,45 @@ public class SharedTokenCacheCredentialBrokerOptionsTests
         [Test]
         public void VerifyTokenCacheOptionsCtorParam()
         {
-            // verify passed in TokenCachePeristenceOptions are honored
+            // verify passed in TokenCachePersistenceOptions are honored
             var persistenceOptions = new TokenCachePersistenceOptions { Name = "mocktokencachename" };
 
             var credentialOptions = new SharedTokenCacheCredentialBrokerOptions(persistenceOptions);
 
             Assert.AreEqual(persistenceOptions, credentialOptions.TokenCachePersistenceOptions);
         }
+
+        [Test]
+        public void RespectsMsaPassthrough([Values(true, false, null)] bool? enableMsaPassthrough)
+        {
+            IMsalPublicClientInitializerOptions credentialOptions;
+            if (enableMsaPassthrough.HasValue)
+            {
+                credentialOptions = new SharedTokenCacheCredentialBrokerOptions { IsMsaPassthroughEnabled = enableMsaPassthrough.Value };
+            }
+            else
+            {
+                credentialOptions = new SharedTokenCacheCredentialBrokerOptions();
+            }
+            PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
+                .Create(Guid.NewGuid().ToString());
+
+            credentialOptions.BeforeBuildClient(builder);
+
+            BrokerOptions options = GetBrokerOptions(builder);
+            Assert.AreEqual(enableMsaPassthrough ?? false, options?.MsaPassthrough);
+        }
+
+        private BrokerOptions GetBrokerOptions(PublicClientApplicationBuilder builder)
+        {
+            var config = builder
+                .GetType()
+                .BaseType.GetProperty("Config", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(builder);
+            Console.WriteLine(config);
+
+            var options = config.GetType().GetProperty("BrokerOptions").GetValue(config);
+            Console.WriteLine(options);
+            return options as BrokerOptions;
+        }
     }
 }

sdk/identity/Azure.Identity/src/Properties/AssemblyInfo.cs

@@ -6,5 +6,6 @@
 [assembly: InternalsVisibleTo("Microsoft.Extensions.Azure.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
 [assembly: InternalsVisibleTo("Azure.Identity.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
 [assembly: InternalsVisibleTo("Azure.Identity.BrokeredAuthentication, PublicKey=0024000004800000940000000602000000240000525341310004000001000100097ad52abbeaa2e1a1982747cc0106534f65cfea6707eaed696a3a63daea80de2512746801a7e47f88e7781e71af960d89ba2e25561f70b0e2dbc93319e0af1961a719ccf5a4d28709b2b57a5d29b7c09dc8d269a490ebe2651c4b6e6738c27c5fb2c02469fe9757f0a3479ac310d6588a50a28d7dd431b907fd325e18b9e8ed")]
+[assembly: InternalsVisibleTo("Azure.Identity.BrokeredAuthentication.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100d15ddcb29688295338af4b7686603fe614abd555e09efba8fb88ee09e1f7b1ccaeed2e8f823fa9eef3fdd60217fc012ea67d2479751a0b8c087a4185541b851bd8b16f8d91b840e51b1cb0ba6fe647997e57429265e85ef62d565db50a69ae1647d54d7bd855e4db3d8a91510e5bcbd0edfbbecaa20a7bd9ae74593daa7b11b4")]
 [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")]
 [assembly: Azure.Core.AzureResourceProviderNamespace("Microsoft.AAD")]