Azure · billwert · Mar 22, 2024 · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024
@@ -40,6 +40,14 @@ public void configureCredentialForWindows() {
         // END: com.azure.identity.broker.interactivebrowserbrokercredentialbuilder.useinteractivebrowserbroker.windows
     }
 
+    public void configureCredentialForDefaultAccount() {
+        // BEGIN: com.azure.identity.broker.interactivebrowserbrokercredentialbuilder.useinteractivebrowserbroker.defaultaccount
+        InteractiveBrowserCredential cred = new InteractiveBrowserBrokerCredentialBuilder()
+            .useDefaultBrokerAccount(true)
+            .build();
+        // END: com.azure.identity.broker.interactivebrowserbrokercredentialbuilder.useinteractivebrowserbroker.defaultaccount
+    }
+
     private long getWindowHandle() {
         return 0;
     }

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added support for using the default broker account
+
 ### Breaking Changes
 
 ### Bugs Fixed

@@ -89,6 +89,16 @@ InteractiveBrowserCredential cred = new InteractiveBrowserBrokerCredentialBuilde
     .build();
 ```
 
+#### Use the default account for sign-in
+
+When this option is enabled, the credential will attempt to silently use the default broker account. If using the default account fails, the credential will fall back to interactive authentication.
+
+```java com.azure.identity.broker.interactivebrowserbrokercredentialbuilder.useinteractivebrowserbroker.defaultaccount
+InteractiveBrowserCredential cred = new InteractiveBrowserBrokerCredentialBuilder()
+    .useDefaultBrokerAccount(true)
+    .build();
+```
+
 #### Obtain a window handle
 
 ##### JavaFX

@@ -62,15 +62,13 @@ public InteractiveBrowserBrokerCredentialBuilder enableLegacyMsaPassthrough() {
     }
 
     /**
-     * Enables automatically using the signed-in user's account for brokered authentication instead of
-     * of prompting the user with a login dialog.
+     * Enables automatically using the signed-in user's account for brokered authentication instead
+     * of prompting the user with an account picker.
      *
-     * @param useOperatingSystemAccount Boolean value to determine if the operating system account should be used.
-     * @return An updated instance of this builder with useOperatingSystemAccount set.
+     * @return An updated instance of this builder with useDefaultBrokerAccount set.
      */
-    public InteractiveBrowserCredentialBuilder useOperatingSystemAccount(boolean useOperatingSystemAccount) {
-        CredentialBuilderBaseHelper.getClientOptions(this).
-            setUseOperatingSystemAccount(useOperatingSystemAccount);
+    public InteractiveBrowserCredentialBuilder useDefaultBrokerAccount() {
+        CredentialBuilderBaseHelper.getClientOptions(this).setUseDefaultBrokerAccount(true);
         return this;
     }
 

@@ -242,10 +242,10 @@ void proxyOptions() {
     }
 
     @Test
-    void setUseOperatingSystemAccount() {
+    void setDefaultBrokerAccount() {
         assertDoesNotThrow(() -> {
             InteractiveBrowserBrokerCredentialBuilder builder = new InteractiveBrowserBrokerCredentialBuilder();
-            builder.useOperatingSystemAccount(true);
+            builder.useDefaultBrokerAccount();
             builder.build();
         });
     }

@@ -823,24 +823,32 @@ public Mono<MsalToken> authenticateWithBrowserInteraction(TokenRequestContext re
             return Mono.error(LOGGER.logExceptionAsError(new RuntimeException(e)));
         }
 
-        if (options.isBrokerEnabled() && options.useOperatingSystemAccount()) {
-            return getPublicClientInstance(request).getValue().flatMap(pc ->
-                Mono.fromFuture(() ->
-                    acquireTokenFromPublicClientSilently(request, pc, null, false)).
-                    map(MsalToken::new));
-        } else {
+        // If the broker is enabled, try to get the token for the default account by passing
+        // a null account to MSAL. If that fails, show the dialog.
 
+        return getPublicClientInstance(request).getValue().flatMap(pc -> {
+            if (options.isBrokerEnabled() && options.useDefaultBrokerAccount()) {
+                return Mono.fromFuture(() ->
+                    acquireTokenFromPublicClientSilently(request, pc, null, false)).
+                    // if something bad happened we fall back.
+                    onErrorResume(t -> Mono.empty()).
+                    map(MsalToken::new);
+            } else {
+                return Mono.empty();
+            }
+        }).
+        switchIfEmpty(Mono.defer(() -> {
             InteractiveRequestParameters.InteractiveRequestParametersBuilder builder =
                 buildInteractiveRequestParameters(request, loginHint, redirectUri);
 
             SynchronizedAccessor<PublicClientApplication> publicClient = getPublicClientInstance(request);
 
-            Mono<IAuthenticationResult> acquireToken = publicClient.getValue()
-                .flatMap(pc -> Mono.fromFuture(() -> pc.acquireToken(builder.build())));
-
-            return acquireToken.onErrorMap(t -> new ClientAuthenticationException(
-                "Failed to acquire token with Interactive Browser Authentication.", null, t)).map(MsalToken::new);
-        }
+            return publicClient.getValue()
+                .flatMap(pc -> Mono.fromFuture(() -> pc.acquireToken(builder.build())))
+                .onErrorMap(t -> new ClientAuthenticationException(
+                    "Failed to acquire token with Interactive Browser Authentication.", null, t))
+                .map(MsalToken::new);
+        }));
     }
 
     /**

@@ -79,7 +79,7 @@ public final class IdentityClientOptions implements Cloneable {
     private long brokerWindowHandle;
     private boolean brokerEnabled;
     private boolean enableMsaPassthrough;
-    private boolean useOperatingSystemAccount;
+    private boolean useDefaultBrokerAccount;
 
     /**
      * Creates an instance of IdentityClientOptions with default settings.
@@ -784,11 +784,11 @@ public IdentityClientOptions setEnableLegacyMsaPassthrough(boolean enableMsaPass
 
     /**
      * Sets whether to use the logged-in user's account for broker authentication.
-     * @param useOperatingSystemAccount
+     * @param useDefaultBrokerAccount
      * @return the updated client options
      */
-    public IdentityClientOptions setUseOperatingSystemAccount(boolean useOperatingSystemAccount) {
-        this.useOperatingSystemAccount = useOperatingSystemAccount;
+    public IdentityClientOptions setUseDefaultBrokerAccount(boolean useDefaultBrokerAccount) {
+        this.useDefaultBrokerAccount = useDefaultBrokerAccount;
         return this;
     }
 
@@ -804,8 +804,8 @@ public boolean isMsaPassthroughEnabled() {
      * Gets the status whether to use the logged-in user's account for broker authentication.
      * @return the flag indicating if the logged-in user's account should be used for broker authentication.
      */
-    public boolean useOperatingSystemAccount() {
-        return this.useOperatingSystemAccount;
+    public boolean useDefaultBrokerAccount() {
+        return this.useDefaultBrokerAccount;
     }
 
     public IdentityClientOptions clone() {

@@ -337,12 +337,20 @@ public MsalToken authenticateWithBrowserInteraction(TokenRequestContext request,
         }
         PublicClientApplication pc = getPublicClientInstance(request).getValue();
 
-        if (options.isBrokerEnabled() && options.useOperatingSystemAccount()) {
-            return acquireTokenFromPublicClientSilently(request,
-                pc,
-                null,
-                false);
-        } else {
+        // If the broker is enabled, try to get the token for the default account by passing
+        // a null account to MSAL. If that fails, show the dialog.
+        MsalToken token = null;
+        if (options.isBrokerEnabled() && options.useDefaultBrokerAccount()) {
+            try {
+                token = acquireTokenFromPublicClientSilently(request,
+                    pc,
+                    null,
+                    false);
+            } catch (Exception e) {
+                // Ignore the exception and proceed with interactive authentication.
+            }
+        }
+        if (token == null) {
             InteractiveRequestParameters.InteractiveRequestParametersBuilder builder =
                 buildInteractiveRequestParameters(request, loginHint, redirectUri);
 
@@ -353,6 +361,7 @@ public MsalToken authenticateWithBrowserInteraction(TokenRequestContext request,
                     "Failed to acquire token with Interactive Browser Authentication.", null, e));
             }
         }
+        return token;
     }
 
     /**