Provide options to override MS authentication flows #210

mjcheetham · 2020-11-06T12:08:30Z

At the moment we force users to use a particular Microsoft authentication flow (via MSAL) based on the current environment.

If there's an interactive session..
- ..on Windows we use the embedded browser flow.
- ..on non-Windows..
  - ..with a native UI helper we use that helper.
  - ..without a native UI helper we use the system browser.
If there's no interactive session we use device code flow.

The user should be free to select the flow they prefer, rather than forcing them to use the one we deem "best". The system browser or device-code flows can be used enable scenarios like FIDO or Windows Hello, which may be desirable.

Visual Studio already offers an option to change the authentication flow.

This can be implemented pretty easily by introduction of a GCM_MSAUTH_FLOW/credential.msAuthFlow or similar setting that is respected by the MicrosoftAuthentication component.

Note: Use of the system browser requires a localhost redirect be set in the AAD configuration. We would need to ensure this was set correctly.

The text was updated successfully, but these errors were encountered:

mjcheetham added enhancement New feature or request platform:windows Specific to the Windows platform auth:microsoft Specific to Microsoft AAD/MSA authentication labels Nov 6, 2020

mjcheetham mentioned this issue Nov 6, 2020

Allow user to override which interactive authentication flow used for MS auth #212

Merged

mjcheetham closed this as completed in #212 Nov 9, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Provide options to override MS authentication flows #210

Provide options to override MS authentication flows #210

mjcheetham commented Nov 6, 2020

Provide options to override MS authentication flows #210

Provide options to override MS authentication flows #210

Comments

mjcheetham commented Nov 6, 2020