WAM silent SSO using the signed in windows account (#39607)

Author: christothes

eng/Packages.Data.props

@@ -109,7 +109,7 @@
     <PackageReference Update="Azure.Communication.Common" Version="1.2.1" />
     <PackageReference Update="Azure.Core" Version="1.37.0" />
     <PackageReference Update="Azure.Core.Amqp" Version="1.3.0" />
-    <PackageReference Update="Azure.Core.Experimental" Version="0.1.0-preview.31" />
+    <PackageReference Update="Azure.Core.Experimental" Version="0.1.0-preview.32" />
     <PackageReference Update="Azure.Core.Expressions.DataFactory" Version="1.0.0-beta.6" />
     <PackageReference Update="Azure.Data.SchemaRegistry" Version="1.2.0" />
     <PackageReference Update="Azure.Data.Tables" Version="12.8.0" />

sdk/identity/Azure.Identity.Broker/CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features Added
 
+- `InteractiveBrowserCredentialBrokerOptions` and `SharedTokenCacheCredentialBrokerOptions` now support a `UseOperatingSystemAccount` property to enable the use of the currently logged in operating system account for authentication rather than prompting for a credential.
 - Preview support for Proof of Possession (PoP) tokens for `InteractiveBrowserCredential`. This feature is enabled via the `IsProofOfPossessionRequired` property on `InteractiveBrowserCredentialBrokerOptions`.
 
 ### Breaking Changes

sdk/identity/Azure.Identity.Broker/api/Azure.Identity.Broker.net462.cs

@@ -5,12 +5,14 @@ public partial class InteractiveBrowserCredentialBrokerOptions : Azure.Identity.
         public InteractiveBrowserCredentialBrokerOptions(System.IntPtr parentWindowHandle) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
     public partial class SharedTokenCacheCredentialBrokerOptions : Azure.Identity.SharedTokenCacheCredentialOptions
     {
         public SharedTokenCacheCredentialBrokerOptions() { }
         public SharedTokenCacheCredentialBrokerOptions(Azure.Identity.TokenCachePersistenceOptions tokenCacheOptions) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
 }

sdk/identity/Azure.Identity.Broker/api/Azure.Identity.Broker.net6.0.cs

@@ -5,12 +5,14 @@ public partial class InteractiveBrowserCredentialBrokerOptions : Azure.Identity.
         public InteractiveBrowserCredentialBrokerOptions(System.IntPtr parentWindowHandle) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
     public partial class SharedTokenCacheCredentialBrokerOptions : Azure.Identity.SharedTokenCacheCredentialOptions
     {
         public SharedTokenCacheCredentialBrokerOptions() { }
         public SharedTokenCacheCredentialBrokerOptions(Azure.Identity.TokenCachePersistenceOptions tokenCacheOptions) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
 }

sdk/identity/Azure.Identity.Broker/api/Azure.Identity.Broker.netstandard2.0.cs

@@ -5,12 +5,14 @@ public partial class InteractiveBrowserCredentialBrokerOptions : Azure.Identity.
         public InteractiveBrowserCredentialBrokerOptions(System.IntPtr parentWindowHandle) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
     public partial class SharedTokenCacheCredentialBrokerOptions : Azure.Identity.SharedTokenCacheCredentialOptions
     {
         public SharedTokenCacheCredentialBrokerOptions() { }
         public SharedTokenCacheCredentialBrokerOptions(Azure.Identity.TokenCachePersistenceOptions tokenCacheOptions) { }
         public bool? IsLegacyMsaPassthroughEnabled { get { throw null; } set { } }
         public bool IsProofOfPossessionRequired { get { throw null; } set { } }
+        public bool UseOperatingSystemAccount { get { throw null; } set { } }
     }
 }

sdk/identity/Azure.Identity.Broker/src/InteractiveBrowserCredentialBrokerOptions.cs

@@ -25,6 +25,11 @@ public class InteractiveBrowserCredentialBrokerOptions : InteractiveBrowserCrede
         /// </summary>
         public bool IsProofOfPossessionRequired { get; set; }
 
+        /// <summary>
+        /// Gets or sets whether to authenticate with the currently signed in user instead of prompting the user with a login dialog.
+        /// </summary>
+        public bool UseOperatingSystemAccount { get; set; }
+
         /// <summary>
         /// Creates a new instance of <see cref="InteractiveBrowserCredentialBrokerOptions"/> to configure a <see cref="InteractiveBrowserCredential"/>.
         /// </summary>

sdk/identity/Azure.Identity.Broker/src/SharedTokenCacheCredentialBrokerOptions.cs

@@ -23,6 +23,11 @@ public class SharedTokenCacheCredentialBrokerOptions : SharedTokenCacheCredentia
         /// </summary>
         public bool IsProofOfPossessionRequired { get; set; }
 
+        /// <summary>
+        /// Gets or sets whether to authenticate with the currently signed in user instead of prompting the user with a login dialog.
+        /// </summary>
+        public bool UseOperatingSystemAccount { get; set; }
+
         /// <summary>
         /// Initializes a new instance of <see cref="SharedTokenCacheCredentialBrokerOptions"/>.
         /// </summary>

sdk/identity/Azure.Identity.Broker/tests/InteractiveBrowserCredentialBrokerOptionsTests.cs

@@ -18,11 +18,11 @@ public void RespectsMsaPassthrough(
             IMsalPublicClientInitializerOptions credentialOptions;
             if (enableMsaPassthrough.HasValue)
             {
-                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) { IsLegacyMsaPassthroughEnabled = enableMsaPassthrough.Value } as IMsalPublicClientInitializerOptions;
+                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) { IsLegacyMsaPassthroughEnabled = enableMsaPassthrough.Value };
             }
             else
             {
-                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) as IMsalPublicClientInitializerOptions;
+                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle);
             }
             PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
                 .Create(Guid.NewGuid().ToString());
@@ -34,6 +34,20 @@ public void RespectsMsaPassthrough(
             Assert.AreEqual(parentWindowHandle, Parent());
         }
 
+        [Test]
+        public void RespectsUseOperatingSystemAccount(
+            [Values(true, false)] bool enableUseOperatingSystemAccount)
+        {
+            IntPtr parentWindowHandle = new(1234);
+            IMsalPublicClientInitializerOptions credentialOptions;
+                credentialOptions = new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) { UseOperatingSystemAccount = enableUseOperatingSystemAccount };
+            PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
+                .Create(Guid.NewGuid().ToString());
+
+            var credential = new InteractiveBrowserCredential((InteractiveBrowserCredentialBrokerOptions)credentialOptions);
+            Assert.AreEqual(enableUseOperatingSystemAccount, credential.UseOperatingSystemAccount);
+        }
+
         private static (BrokerOptions Options, Func<object> Parent) GetBrokerOptions(PublicClientApplicationBuilder builder)
         {
             var config = builder

sdk/identity/Azure.Identity.Broker/tests/ManualInteractiveBrowserCredentialBrokerTests.cs

@@ -34,6 +34,19 @@ public async Task AuthenticateWithBrokerAsync()
             Assert.NotNull(token.Token);
         }
 
+        [Test]
+        [Ignore("This test is an integration test which can only be run with user interaction")]
+        public async Task AuthenticateWithBrokerWithUseOperatingSystemAccount_DoesNotPrompt()
+        {
+            IntPtr parentWindowHandle = GetForegroundWindow();
+
+            var cred = new InteractiveBrowserCredential(new InteractiveBrowserCredentialBrokerOptions(parentWindowHandle) { UseOperatingSystemAccount = true });
+
+            AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new string[] { "https://vault.azure.net/.default" })).ConfigureAwait(false);
+
+            Assert.NotNull(token.Token);
+        }
+
         [Test]
         [TestCase(true)]
         [TestCase(false)]

sdk/identity/Azure.Identity.Broker/tests/ManualSharedTokenCacheCredentialBrokerTests.cs

@@ -42,5 +42,16 @@ public async Task SilentAuthenticateWithBrokerAsync()
 
             Assert.NotNull(token.Token);
         }
+
+        [Test]
+        [Ignore("This test is an integration test which can only be run with user interaction")]
+        public async Task AuthenticateWithBrokerWithUseOperatingSystemAccount_DoesNotPrompt()
+        {
+            var cred = new SharedTokenCacheCredential(new SharedTokenCacheCredentialBrokerOptions() { UseOperatingSystemAccount = true });
+
+            AccessToken token = await cred.GetTokenAsync(new TokenRequestContext(new string[] { "https://vault.azure.net/.default" })).ConfigureAwait(false);
+
+            Assert.NotNull(token.Token);
+        }
     }
 }