
Optimize Auth flow and switch from DCF to Interactive Authentication#172

Merged
mengyimicro merged 3 commits into main from users/mengyixu/InteractiveBrowserAuth on Jan 24, 2026

Conversation

@mengyimicro
Contributor

Summary

Switch from Device Code Flow (DCF) to Interactive Browser Authentication across the entire Agent365-devTools CLI to comply with production tenant security policies that discourage DCF usage.

This PR implements interactive browser authentication (WAM on Windows, browser on other platforms) while maintaining comprehensive token caching to ensure users only authenticate 1-2 times total for all CLI commands.

Changes

Authentication Method Changes (4 files)

  1. AuthenticationService.cs

    • Changed default useInteractiveBrowser parameter from false to true (2 methods)
    • Now uses MsalBrowserCredential by default instead of DeviceCodeCredential
    • Added comprehensive class-level documentation explaining authentication strategy and token caching
  2. MicrosoftGraphTokenProvider.cs

    • Changed default useDeviceCode parameter from true to false
    • Interactive browser authentication is now the default for PowerShell Graph operations
    • Added documentation about authentication method and caching strategy
  3. AzureWebAppCreator.cs

    • Changed ExcludeInteractiveBrowserCredential from true to false
    • Allows DefaultAzureCredential to use interactive browser when Azure CLI is not authenticated
    • Updated comments to clarify credential chain order
  4. InteractiveGraphAuthService.cs

    • Removed entire device code fallback logic (~68 lines)
    • Now exclusively uses browser authentication with no DCF fallback
    • Infrastructure errors throw immediately instead of falling back to DCF

Documentation & Logging Improvements (3 files)

  1. AuthenticationService.cs - Added comprehensive documentation:

    • Authentication strategy (interactive browser, no DCF)
    • Token caching location: %LocalApplicationData%\Agent365\token-cache.json
    • Cache key format: {resourceUrl}:tenant:{tenantId}
    • Multi-command workflow (1-2 prompts total, 0 for subsequent commands)
    • Cache expiration (5-minute buffer) and automatic refresh
  2. GraphApiService.cs - Enhanced EnsureGraphHeadersAsync:

    • Clear authentication strategy comments
    • Better debug logging for auth method selection (scopes vs Azure CLI)
    • Improved error messages with actionable guidance
    • Explicit handling for token provider vs Azure CLI fallback
  3. MicrosoftGraphTokenProvider.cs - Added documentation:

    • Interactive browser as default (not device code)
    • In-memory and persistent caching explanation
    • Integration with overall CLI auth strategy

User Experience

Authentication Prompts

First-Time Run: 2 prompts

  1. Azure CLI Authentication - For infrastructure/resource management
  2. Microsoft Graph Authentication - For agent blueprints, permissions, service principals

Subsequent Runs: 0 prompts (tokens cached and reused)

Token Caching Strategy

  • Azure CLI session: Managed by az CLI (~1 hour persistence)
  • Graph tokens: Cached in %LocalApplicationData%\Agent365\token-cache.json
  • Cache validation: 5-minute buffer before token expiry
  • Cross-command reuse: All CLI commands share the same token cache

Example Workflow

# First time - 2 authentication prompts
a365 setup all                    # Prompts: Azure CLI + Graph

# All subsequent commands - 0 prompts (uses cached tokens)
a365 deploy app                   # No prompt
a365 develop list-available       # No prompt
a365 setup permissions            # No prompt
a365 cleanup blueprint            # No prompt
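The token-caching strategy in the description above (one JSON file under %LocalApplicationData%\Agent365\token-cache.json, entries keyed as {resourceUrl}:tenant:{tenantId}, and a 5-minute buffer before expiry) can be illustrated with a small cache that behaves that way. This is an added example, not code from the Agent365-devTools repository or from this PR; the class and member names (FileTokenCache, CachedToken, TryGet, Put) and the sample tokens are assumptions made for the illustration.

```csharp
// Added example, not the project's own implementation. Names and layout are assumed;
// only the file location, key format and 5-minute buffer come from the PR description.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

public sealed class CachedToken
{
    public string AccessToken { get; set; } = "";
    public DateTimeOffset ExpiresOn { get; set; }
}

public sealed class FileTokenCache
{
    // A token this close to expiry is treated as already expired (the PR's 5-minute buffer),
    // so a command never starts with a token that dies mid-request.
    private static readonly TimeSpan ExpiryBuffer = TimeSpan.FromMinutes(5);

    private readonly string _path;
    private readonly Dictionary<string, CachedToken> _entries;

    public FileTokenCache(string? path = null)
    {
        // Default location matches the one named in the PR description.
        _path = path ?? Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            "Agent365", "token-cache.json");
        _entries = File.Exists(_path)
            ? JsonSerializer.Deserialize<Dictionary<string, CachedToken>>(File.ReadAllText(_path))
              ?? new Dictionary<string, CachedToken>()
            : new Dictionary<string, CachedToken>();
    }

    // Cache key format from the PR: "{resourceUrl}:tenant:{tenantId}".
    // Including the tenant keeps a token for one tenant from being reused against another.
    public static string MakeKey(string resourceUrl, string tenantId)
        => $"{resourceUrl}:tenant:{tenantId}";

    // Returns a usable access token, or null when the caller must run interactive auth.
    // 'now' is injectable so the buffer logic can be checked without waiting for real expiry.
    public string? TryGet(string resourceUrl, string tenantId, DateTimeOffset? now = null)
    {
        var key = MakeKey(resourceUrl, tenantId);
        if (!_entries.TryGetValue(key, out var entry)) return null;

        var clock = now ?? DateTimeOffset.UtcNow;
        if (entry.ExpiresOn - clock <= ExpiryBuffer)
        {
            // Drop the stale entry so the file does not accumulate dead tokens.
            _entries.Remove(key);
            Save();
            return null;
        }
        return entry.AccessToken;
    }

    public void Put(string resourceUrl, string tenantId, string accessToken, DateTimeOffset expiresOn)
    {
        _entries[MakeKey(resourceUrl, tenantId)] = new CachedToken
        {
            AccessToken = accessToken,
            ExpiresOn = expiresOn
        };
        Save();
    }

    private void Save()
    {
        Directory.CreateDirectory(Path.GetDirectoryName(_path)!);
        // This sample writes plain JSON so the on-disk shape is easy to inspect. A real cache
        // holds bearer tokens, so it should be protected with user-scoped encryption or ACLs.
        File.WriteAllText(_path, JsonSerializer.Serialize(_entries));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Use a temp file so the demo does not touch a real Agent365 cache.
        var cache = new FileTokenCache(Path.Combine(Path.GetTempPath(), "agent365-demo-cache.json"));
        var now = DateTimeOffset.UtcNow;
        const string tenant = "00000000-0000-0000-0000-000000000000"; // constructed placeholder tenant id

        // Constructed sample tokens; in the CLI they would come from MSAL after the interactive prompt.
        cache.Put("https://graph.microsoft.com", tenant, "graph-token-SAMPLE", now.AddHours(1));
        cache.Put("https://management.azure.com", tenant, "arm-token-SAMPLE", now.AddMinutes(3));

        // First lookup is served from cache; the second sits inside the 5-minute buffer and forces re-auth.
        Console.WriteLine(cache.TryGet("https://graph.microsoft.com", tenant, now) ?? "<re-auth required>");
        Console.WriteLine(cache.TryGet("https://management.azure.com", tenant, now) ?? "<re-auth required>");
    }
}
```

Run as a console project targeting a current .NET SDK. The Graph lookup returns the cached sample token, while the management token, with only 3 minutes left, is rejected by the buffer and removed from the file, which is exactly the "0 prompts unless a token is about to expire" behaviour the description promises for subsequent commands.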

mengyimicro and others added 2 commits January 21, 2026 20:56
Remove Device Code Flow (DCF) across the entire CLI to comply with production
tenant security policies. Replace all DCF usage with interactive browser
authentication (WAM on Windows, browser on other platforms).

Changes:
- AuthenticationService: Change default useInteractiveBrowser from false to true
- MicrosoftGraphTokenProvider: Change default useDeviceCode from true to false
- AzureWebAppCreator: Remove ExcludeInteractiveBrowserCredential flag to allow browser auth
- InteractiveGraphAuthService: Remove device code fallback, use browser-only authentication

Token caching remains in place to minimize the number of authentication prompts
to 1-2 times per session.

All 844 tests passing (17 intentionally skipped).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive documentation and better logging to clarify the authentication
strategy used across all CLI commands. This helps users understand the 1-2
authentication prompt experience.

Changes:
- AuthenticationService: Add detailed class-level documentation explaining:
  * Interactive browser authentication (no DCF)
  * Token caching strategy and location
  * Multi-command workflow (1-2 prompts total)
  * Cache expiration and automatic refresh

- GraphApiService: Improve EnsureGraphHeadersAsync with:
  * Clear authentication strategy comments
  * Better debug logging for auth method selection
  * Improved error messages with actionable guidance
  * Explicit handling for scopes vs Azure CLI fallback

- MicrosoftGraphTokenProvider: Document:
  * Interactive browser as default (not device code)
  * In-memory and persistent caching
  * Integration with overall CLI auth strategy

Result: Users clearly understand why they only authenticate 1-2 times for
entire CLI usage, with tokens cached across all commands and sessions.

All 844 tests passing (17 intentionally skipped).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@mengyimicro mengyimicro requested review from a team as code owners January 22, 2026 05:16
Copilot AI review requested due to automatic review settings January 22, 2026 05:16
@mengyimicro mengyimicro changed the title from "Users/mengyixu/interactive browser auth" to "Optimize Auth flow and switch from DCF to Interactive Browser Authentication and" on Jan 22, 2026
@mengyimicro mengyimicro changed the title from "Optimize Auth flow and switch from DCF to Interactive Browser Authentication and" to "Optimize Auth flow and switch from DCF to Interactive Browser Authentication" on Jan 22, 2026
Contributor

Copilot AI left a comment


Pull request overview

This pull request switches the Agent365-devTools CLI from Device Code Flow (DCF) to Interactive Browser Authentication to comply with production tenant security policies that discourage DCF usage. The change implements browser-based authentication using MsalBrowserCredential (WAM on Windows, browser on other platforms) while maintaining comprehensive token caching to minimize authentication prompts.

Changes:

  • Modified default authentication method from Device Code Flow to Interactive Browser Authentication across all authentication services
  • Removed device code fallback logic in favor of clear error messages when browser authentication fails
  • Enhanced documentation explaining authentication strategy, token caching location, cache key format, and expected user experience (1-2 prompts for entire workflow)

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file

  • AuthenticationService.cs: Changed default useInteractiveBrowser parameter to true in two public methods; added comprehensive class-level documentation about authentication strategy and token caching
  • MicrosoftGraphTokenProvider.cs: Changed default useDeviceCode parameter to false; added documentation explaining interactive browser as default with token caching details
  • AzureWebAppCreator.cs: Enabled interactive browser credential in DefaultAzureCredential chain by setting ExcludeInteractiveBrowserCredential to false; updated credential chain documentation
  • InteractiveGraphAuthService.cs: Removed ~68 lines of device code fallback logic; infrastructure/connectivity errors now throw immediately with clear error messages
  • GraphApiService.cs: Enhanced EnsureGraphHeadersAsync with clearer authentication strategy comments and improved debug logging for auth method selection

pontemonti previously approved these changes Jan 22, 2026
Minor improvements based on review:
1. Update endpoint cleanup guidance to include --endpoint-only flag
2. Refine authentication documentation wording from "interactive browser" to "interactive"

Changes:
- BlueprintSubcommand: Fix cleanup command example to use 'a365 cleanup blueprint --endpoint-only'
- AuthenticationService: Update documentation to use "interactive authentication" terminology

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@mengyimicro mengyimicro changed the title from "Optimize Auth flow and switch from DCF to Interactive Browser Authentication" to "Optimize Auth flow and switch from DCF to Interactive Authentication" on Jan 23, 2026
@mengyimicro mengyimicro merged commit d5f1d83 into main Jan 24, 2026
6 checks passed
@mengyimicro mengyimicro deleted the users/mengyixu/InteractiveBrowserAuth branch January 24, 2026 00:49
sellakumaran pushed a commit that referenced this pull request Feb 27, 2026
…172)

* Switch from Device Code Flow to Interactive Browser Authentication
* Improve authentication flow logging and documentation
* Fix cleanup command documentation and refine authentication terminology