Skip browser auth on WSL by default; DARC_FORCE_BROWSER_AUTH to override

lewing · Copilot · lewing · commit 6c8a6028e618 · 2026-05-21T18:31:12.000-05:00
On WSL2, InteractiveBrowserCredential.Authenticate() blocks forever
without throwing: the browser opens on the Windows host but the OAuth
redirect targets localhost in the WSL network namespace, which Windows
cannot reach in default NAT mode. Detect WSL via the env vars WSL
itself sets and route straight to device code.

Users who have configured wslu + mirrored networking can opt back into
browser flow with DARC_FORCE_BROWSER_AUTH=1.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/Maestro/Maestro.Common/AppCredentials/CachedInteractiveBrowserCredential.cs b/src/Maestro/Maestro.Common/AppCredentials/CachedInteractiveBrowserCredential.cs
@@ -58,6 +58,29 @@ public CachedInteractiveBrowserCredential(
                 return Task.CompletedTask;
             },
         });
+
+        // On WSL the interactive browser flow opens a browser on the Windows host, but the
+        // OAuth redirect targets localhost in the WSL network namespace where MSAL's listener
+        // is bound. Windows localhost != WSL2 localhost, so the redirect never arrives and
+        // _browserCredential.Authenticate() blocks forever without throwing. Detect WSL up
+        // front via the env vars WSL itself sets and skip straight to device code.
+        if (IsWslEnvironment())
+        {
+            Interlocked.Exchange(ref _isDeviceCodeFallback, 1);
+        }
+    }
+
+    private static bool IsWslEnvironment()
+    {
+        // Escape hatch for users who have configured WSL2 for browser-based auth
+        // (wslu + mirrored networking, or equivalent). Set DARC_FORCE_BROWSER_AUTH=1.
+        if (string.Equals(Environment.GetEnvironmentVariable("DARC_FORCE_BROWSER_AUTH"), "1", StringComparison.Ordinal))
+        {
+            return false;
+        }
+
+        return !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WSL_DISTRO_NAME"))
+            || !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WSL_INTEROP"));
     }
 
     public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
