Enable WAM Broker support for Entra ID Auth modes#4288
Draft
cheenamalhotra wants to merge 1 commit into
Draft
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds WAM broker support to the Azure extension authentication provider for Entra ID public-client authentication flows on Windows.
Changes:
- Adds
Microsoft.Identity.Client.Brokerdependency and broker configuration during PCA creation. - Adds parent-window callback API and Windows interop helpers for WAM prompt parenting.
- Adds basic tests and a draft feature spec for WAM broker support.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
Directory.Packages.props |
Adds centralized MSAL broker package version. |
src/Microsoft.Data.SqlClient.Extensions/Azure/src/Azure.csproj |
References the broker package from the Azure extension. |
src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs |
Makes the provider partial, adds parent-window callback API, and configures WAM broker on Windows. |
src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.Windows.cs |
Adds Windows-specific parent-window discovery for broker UI. |
src/Microsoft.Data.SqlClient.Extensions/Azure/src/Interop/Interop.GetAncestor.cs |
Adds user32.GetAncestor interop helper. |
src/Microsoft.Data.SqlClient.Extensions/Azure/src/Interop/Interop.GetConsoleWindow.cs |
Adds kernel32.GetConsoleWindow interop helper. |
src/Microsoft.Data.SqlClient.Extensions/Azure/test/WamBrokerTests.cs |
Adds basic tests for the new parent-window setter. |
specs/002-wam-broker/spec.md |
Adds the draft WAM broker feature specification. |
Comments suppressed due to low confidence (5)
src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs:766
- The parent-window delegate is captured on the cached PublicClientApplication, but the static PCA cache key does not include the new SetParentActivityOrWindow callback. A later provider instance with the same authority/client/redirect can reuse an app built with an earlier provider's delegate, causing WAM prompts to be parented to the wrong window (or to ignore the later callback). Include the callback identity in the cache key or avoid capturing provider instance state in the cached app.
builder.WithParentActivityOrWindow(GetBrokerParentWindow);
}
#else
builder.WithParentActivityOrWindow(GetBrokerParentWindow);
src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs:752
- The tests added for this feature only exercise the setter and do not verify that Windows PCA construction actually enables the broker or wires the parent-window callback. Please add unit coverage around CreateClientAppInstance (or an observable wrapper) so regressions in the WAM configuration are caught without relying solely on manual integration testing.
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
specs/002-wam-broker/spec.md:70
- This API description says Func can return IWin32Window, but the implementation only accepts IntPtr from this callback and silently ignores any other object type before falling back to console detection. Please either document only the supported return type or handle IWin32Window here as described.
// Cross-platform API to set the parent window/activity for WAM dialog // On Windows: accepts IntPtr (window handle) or IWin32Window via Func<object> // On Unix: no-op (WAM not available) public void SetParentActivityOrWindow(Func<object> parentActivityOrWindowFunc);specs/002-wam-broker/spec.md:131
- This rollout note is inaccurate: SetIWin32WindowFunc is not changed to delegate to SetParentActivityOrWindow; it still stores a separate _iWin32WindowFunc and the new callback is independent. Please update the spec or implementation so consumers and maintainers do not rely on a delegation behavior that is not present.
- WAM broker is **always enabled** on Windows when using PCA flows - No opt-in connection string keyword needed (aligns with MSAL PCA compliance requirements) - Existing `SetIWin32WindowFunc` remains as a backward-compatible API on .NET Framework, delegating to `SetParentActivityOrWindow`src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs:749
- This comment overstates the behavior: the code still uses AcquireTokenByIntegratedWindowsAuth, AcquireTokenByUsernamePassword, and AcquireTokenWithDeviceCode for those modes, so broker configuration does not make every supported authentication mode a WAM flow. Please narrow the comment to the modes MSAL will actually broker or update the acquisition paths accordingly.
// Enable WAM broker on Windows for all supported authentication modes. // The broker provides enhanced security by enabling device-based Conditional Access // policies through the Windows Account Manager (WAM).
|
|
||
| /// <summary> | ||
| /// Sets a function to return the parent activity or window handle to be used for | ||
| /// WAM (Web Account Manager) broker authentication prompts. |
Comment on lines
+750
to
+752
| if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) | ||
| { | ||
| builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows)); |
Comment on lines
+48
to
+49
| | `ActiveDirectoryDeviceCodeFlow` | Uses WAM for device code flow on Windows | | ||
| | `ActiveDirectoryPassword` | Uses WAM for username/password flow on Windows | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Enables WAM broker support for below Entra ID auth modes: