Conversation

@sellakumaran (Contributor)

Summary

Fixes Windows Authentication Manager (WAM) broker authentication by properly configuring redirect URIs and window handles for console applications.

Fixes #146
Fixes #151

Changes

WAM Broker Support

  • Added Microsoft.Identity.Client.Broker package for WAM support
  • Implemented window handle detection using P/Invoke (GetConsoleWindow, GetForegroundWindow, GetDesktopWindow) with fallback chain
  • Platform-specific authentication: WAM on Windows, system browser on macOS/Linux

Auto-Configuration of Redirect URIs

  • Added WAM broker redirect URI format: ms-appx-web://microsoft.aad.brokerplugin/{client-id}
  • ClientAppValidator.EnsureRedirectUrisAsync now automatically configures the WAM broker redirect URI alongside the localhost URI
  • Added AuthenticationConstants.GetRequiredRedirectUris(clientAppId) helper method

Caller Updates

  • Updated InteractiveGraphAuthService, AuthenticationService, and BlueprintSubcommand to let MsalBrowserCredential determine the appropriate redirect URI
  • Updated log messages to reflect WAM usage on Windows

Testing

  • All 796 tests pass
  • Manually verified WAM authentication flow on Windows
  • Confirmed auto-configuration of WAM redirect URI in app registration

Replaces InteractiveBrowserCredential with custom MsalBrowserCredential to force system browser authentication and avoid Windows Authentication Broker (WAM) issues (GH #146, #151). Updates all authentication flows to use the new credential. Adjusts ARM auth to exclude browser credential by default. Adds tests and documentation for the WAM workaround. Updates CLI engineering guidelines. Improves cross-platform reliability for interactive login.
- MsalBrowserCredential now supports WAM on Windows and system browser on macOS/Linux, using Microsoft.Identity.Client.Broker.
- AuthenticationConstants generates WAM broker redirect URIs and validates all required URIs for client apps.
- ClientAppValidator and tests require WAM broker URI for proper registration.
- All interactive auth code paths use platform-specific MsalBrowserCredential.
- Project files updated to include Microsoft.Identity.Client.Broker.
- Documentation updated for cross-platform compatibility.
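As an added example, not code from this PR or from the Agent365 CLI repository, the following C# sketch wires together the pieces the description above lists: the localhost plus `ms-appx-web://microsoft.aad.brokerplugin/{client-id}` redirect-URI pair, the `GetConsoleWindow` / `GetForegroundWindow` / `GetDesktopWindow` fallback chain for the parent window handle, and the Windows-broker versus system-browser split. The class and method names (`WamAuthExample`, `BuildClient`, `AcquireTokenAsync`), the `tenantId` and `scopes` parameters are assumptions made for illustration; the MSAL calls are the public `Microsoft.Identity.Client` / `Microsoft.Identity.Client.Broker` 4.x API. The PR's own `MsalBrowserCredential` wraps this in an Azure.Identity `TokenCredential`, which is omitted here.

```csharp
// Added example (not the Agent365 CLI's own code): minimal MSAL public-client
// setup that uses the WAM broker on Windows and the system browser elsewhere.
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

public static class WamAuthExample
{
    // Both URIs must be registered on the app registration: the broker URI for
    // WAM on Windows, the loopback URI for the system-browser flow elsewhere.
    public const string LocalhostRedirectUri = "http://localhost";
    public const string WamBrokerRedirectUriFormat = "ms-appx-web://microsoft.aad.brokerplugin/{0}";

    public static string[] GetRequiredRedirectUris(string clientId) =>
        new[] { LocalhostRedirectUri, string.Format(WamBrokerRedirectUriFormat, clientId) };

    // P/Invoke fallback chain for a parent window handle. WAM will not show its
    // account picker without one, which is the "window handle must be configured"
    // failure a console app hits when no window is supplied.
    [DllImport("kernel32.dll")] private static extern IntPtr GetConsoleWindow();
    [DllImport("user32.dll")]   private static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll")]   private static extern IntPtr GetDesktopWindow();

    public static IntPtr GetParentWindowHandle()
    {
        var hwnd = GetConsoleWindow();                       // null under some terminal hosts
        if (hwnd == IntPtr.Zero) hwnd = GetForegroundWindow(); // whatever window has focus
        if (hwnd == IntPtr.Zero) hwnd = GetDesktopWindow();    // always non-zero; last resort
        return hwnd;
    }

    public static IPublicClientApplication BuildClient(string clientId, string tenantId)
    {
        var builder = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId);

        if (OperatingSystem.IsWindows())
        {
            // WAM path: broker redirect URI plus a parent window for the broker dialog.
            builder = builder
                .WithRedirectUri(string.Format(WamBrokerRedirectUriFormat, clientId))
                .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
                .WithParentActivityOrWindow(GetParentWindowHandle);
        }
        else
        {
            // macOS/Linux path: system browser redirecting to a loopback listener.
            builder = builder.WithRedirectUri(LocalhostRedirectUri);
        }
        return builder.Build();
    }

    public static async Task<AuthenticationResult> AcquireTokenAsync(
        IPublicClientApplication app, string[] scopes)
    {
        // Prefer the token cache (and, on Windows, the broker's SSO state).
        foreach (var account in await app.GetAccountsAsync())
        {
            try { return await app.AcquireTokenSilent(scopes, account).ExecuteAsync(); }
            catch (MsalUiRequiredException) { /* fall through to interactive */ }
        }

        // Interactive: the broker handles this on Windows; elsewhere
        // WithUseEmbeddedWebView(false) keeps it on the system browser.
        return await app.AcquireTokenInteractive(scopes)
            .WithUseEmbeddedWebView(false)
            .ExecuteAsync();
    }
}
```

Two practical checks: if the broker URI is missing from the app registration, the Windows path fails with the AADSTS50011 redirect-URI mismatch the linked issues describe, so whatever provisions the registration has to write both URIs from `GetRequiredRedirectUris`; and when the chain bottoms out at `GetDesktopWindow`, the broker dialog is no longer parented to the console, so it can open behind other windows even though authentication itself succeeds.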
@sellakumaran sellakumaran requested a review from a team as a code owner January 13, 2026 23:03
Copilot AI review requested due to automatic review settings January 13, 2026 23:03

Copilot AI left a comment

Pull request overview

This pull request enables Windows Authentication Manager (WAM) broker authentication for console applications by properly configuring redirect URIs and window handles, fixing issues #146 and #151 where users experienced AADSTS50011 redirect URI mismatches and "window handle must be configured" errors.

Changes:

  • Introduces MsalBrowserCredential class that uses WAM on Windows with proper window handle detection (console/foreground/desktop window fallback chain) and uses system browser on macOS/Linux
  • Automatically configures the WAM broker redirect URI (ms-appx-web://microsoft.aad.brokerplugin/{client-id}) alongside localhost URIs in app registrations
  • Updates authentication flows in InteractiveGraphAuthService, AuthenticationService, and BlueprintSubcommand to use the new credential

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 13 comments.

Summary per file:

  • src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs: New credential class implementing WAM on Windows with P/Invoke window handle detection and browser fallback for other platforms
  • src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs: Adds WAM broker redirect URI format constant and helper method to get all required redirect URIs
  • src/Microsoft.Agents.A365.DevTools.Cli/Services/InteractiveGraphAuthService.cs: Replaces InteractiveBrowserCredential with MsalBrowserCredential for Graph authentication
  • src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs: Updates to use MsalBrowserCredential for interactive authentication flows
  • src/Microsoft.Agents.A365.DevTools.Cli/Services/ClientAppValidator.cs: Updates redirect URI validation to include WAM broker URI using new helper method
  • src/Microsoft.Agents.A365.DevTools.Cli/Commands/SetupSubcommands/BlueprintSubcommand.cs: Updates token acquisition to use MsalBrowserCredential
  • src/Microsoft.Agents.A365.DevTools.Cli/Services/AzureWebAppCreator.cs: Excludes InteractiveBrowserCredential from DefaultAzureCredential to avoid WAM issues
  • src/Directory.Packages.props: Adds Microsoft.Identity.Client.Broker package version 4.78.0
  • src/Microsoft.Agents.A365.DevTools.Cli/Microsoft.Agents.A365.DevTools.Cli.csproj: References the new broker package
  • src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/InteractiveGraphAuthServiceTests.cs: Adds basic constructor tests and documentation for WAM configuration
  • src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/ClientAppValidatorTests.cs: Updates test to include WAM broker URI in expected redirect URIs
  • .github/copilot-instructions.md: Adds Agent365 CLI development guidelines and engineering principles

@mengyimicro previously approved these changes Jan 13, 2026
Refactor interactive authentication to use MsalBrowserCredential, enabling platform-appropriate login (WAM on Windows, browser elsewhere). Replace AuthenticationFailedException with MsalAuthenticationFailedException. Improve window handle detection for WAM and update platform checks. Add comprehensive unit tests for credential behavior and exception types. Update documentation and workspace settings to reflect new authentication flow and platform-specific behaviors.
@sellakumaran sellakumaran disabled auto-merge January 15, 2026 00:33
@sellakumaran sellakumaran merged commit 270b084 into main Jan 15, 2026
5 checks passed
@sellakumaran sellakumaran deleted the users/sellak/fix-wam-broker-auth branch January 15, 2026 16:59