Adopt the MSAL broker to talk to the OS for Microsoft auth

[TylerLeonhardt]

This adopts the NativeBrokerPlugin provided by @azure/msal-node-extensions to provide the ability to use auth state from the OS, and show native auth dialogs instead of going to the browser.

This has several pieces:

• The adoption of the broker in the microsoft-authentication extension:
  • Adding NativeBrokerPlugin to our PCAs
  • Using the proposed handle API to pass the native window handle down to MSAL calls (btw, this API will change in a follow up PR)
  • Adopting an AccountAccess layer to handle:
    • giving the user control of which accounts VS Code uses
    • an eventing layer so that auth state can be updated across multiple windows
• Getting the extension to build properly and only build what it really needs. This required several package.json/webpack hacks:
  • Use a fake keytar since we don't use the feature in @azure/msal-node-extensions that uses keytar
  • Use a fake dpapi layer since we don't use the feature in @azure/msal-node-extensions that uses it
  • Ensure the msal runtime .node and .dll files are included in the bundle
• Get the VS Code build to allow a native node module in an extension: by having a list of native extensions that will be built in the "ci" part of the build - in other words when VS Code is building on the target platform

There are a couple of followups:

• Refactor the handle API to handle (heh) Auxiliary Windows Proposed API for window handle #233106
• Separate the call to acquireTokenSilent and acquireTokenInteractive and all the usage of this native node module into a separate process or maybe in Core... we'll see. Something to experiment with after we have something working. NEEDS FOLLOW UP ISSUE

Fixes #229431

Copilot reviewed 5 out of 16 changed files in this pull request and generated no suggestions.

Files not reviewed (11)

• extensions/microsoft-authentication/.vscodeignore: Language not supported
• extensions/microsoft-authentication/package-lock.json: Language not supported
• extensions/microsoft-authentication/package.json: Language not supported
• extensions/microsoft-authentication/packageMocks/keytar/package.json: Language not supported
• extensions/microsoft-authentication/tsconfig.json: Language not supported
• build/lib/extensions.js: Evaluated as low risk
• extensions/microsoft-authentication/src/node/publicClientCache.ts: Evaluated as low risk
• build/gulpfile.extensions.js: Evaluated as low risk
• build/gulpfile.vscode.js: Evaluated as low risk
• extensions/microsoft-authentication/src/node/authProvider.ts: Evaluated as low risk
• build/lib/extensions.ts: Evaluated as low risk

Comments skipped due to low confidence (7)

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:7

• Ensure that the NativeBrokerPlugin is correctly imported and used.

import { NativeBrokerPlugin } from '@azure/msal-node-extensions';

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:29

• Verify that ScopedAccountAccess is correctly instantiated and used.

private readonly _accountAccess = new ScopedAccountAccess(this._secretStorage, this._cloudName, this._clientId, this._authority);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:89

• Ensure that initialize method is correctly called and handled.

await this._accountAccess.initialize();

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:126

• Ensure that setAllowedAccess method is correctly called and handled.

await this._accountAccess.setAllowedAccess(result.account!, true);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:134

• Ensure that setAllowedAccess method is correctly called and handled.

return this._accountAccess.setAllowedAccess(account, false);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:141

• Ensure that onDidAccountAccessChange method is correctly called and handled.

return this._accountAccess.onDidAccountAccessChange(() => this._update());

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:180

• Ensure that isAllowedAccess method is correctly called and handled.

after = after.filter(a => this._accountAccess.isAllowedAccess(a));

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

[TylerLeonhardt]

This can go away when this is released: AzureAD/microsoft-authentication-library-for-js#7412

[deepak1556]

Reviewed the build part. LGTM overall, minor nits

[deepak1556]

Running a full build for sanity https://monacotools.visualstudio.com/Monaco/_build/results?buildId=304750&view=results

[TylerLeonhardt]

New sanity build after changes: https://monacotools.visualstudio.com/Monaco/_build/results?buildId=304949&view=results

[deepak1556]

Not sure why the universal build fails on the parcel watcher, I will take a look at it today.

[TylerLeonhardt]

Sanity build here: https://monacotools.visualstudio.com/Monaco/_build/results?buildId=305103&view=results ✅

smoke tested on macOS and Windows and everything seems operational.

[deepak1556]

Not going to block the PR on this, but is building the native extensions have an effect in the web pipeline. Maybe we should skip the native ones ?

[TylerLeonhardt]

In Microsoft Auth's case, it has web code as well that doesn't use any native stuff... so it actually does need to be built for web... but for efficiency we could build everything in compile.

[deepak1556]

Thanks for cleaning up the extension tasks and adding the support to include native modules with them. 🚀