Use Windows Integrated Auth when possible. Default to long-lived PATs instead of JWTs when interactive is required. (#40)

Author: zarenner

Build.props

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
-    <CredentialProviderVersion>0.1.6</CredentialProviderVersion>
+    <CredentialProviderVersion>0.1.7</CredentialProviderVersion>
   </PropertyGroup>
 </Project>

CredentialProvider.Microsoft.Tests/CredentialProviders/Vsts/BearerTokenProviderTests.cs

@@ -49,7 +49,7 @@ public void TestInitialize()
         }
 
         [TestMethod]
-        public async Task Get_WithoutCachedToken_CallsUIFlow()
+        public async Task Get_WithoutCachedToken_CallsWindowsIntegratedFlow()
         {
             var source = new Uri("https://example.com/index.json");
             var isRetry = false;
@@ -58,13 +58,43 @@ public async Task Get_WithoutCachedToken_CallsUIFlow()
 
             var adalToken = "TestADALToken";
             MockCachedToken(null);
+            MockWindowsIntegratedToken(adalToken);
+
+            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerToken.Token.Should().Be(adalToken);
+
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Never);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithDeviceFlowAsync(It.IsAny<Func<DeviceCodeResult, Task>>(), It.IsAny<CancellationToken>()), Times.Never);
+
+            VerifyAuthority(source);
+        }
+
+        [TestMethod]
+        public async Task Get_WithoutCachedTokenAndWindowsIntegratedFails_CallsUIFlow()
+        {
+            var source = new Uri("https://example.com/index.json");
+            var isRetry = false;
+            var isNonInteractive = false;
+            var canShowDialog = true;
+
+            var adalToken = "TestADALToken";
+            MockCachedToken(null);
+            MockWindowsIntegratedToken(null);
             MockUIToken(adalToken);
 
             var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().Be(adalToken);
+            bearerToken.Token.Should().Be(adalToken);
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
@@ -74,7 +104,7 @@ public async Task Get_WithoutCachedToken_CallsUIFlow()
         }
 
         [TestMethod]
-        public async Task Get_WithoutCachedTokenAndUIFlowCanceled_CallsDeviceCodeFlow()
+        public async Task Get_WithoutCachedTokenAndWindowsIntegratedFailedAndUIFlowCanceled_CallsDeviceCodeFlow()
         {
             var source = new Uri("https://example.com/index.json");
             var isRetry = false;
@@ -83,14 +113,17 @@ public async Task Get_WithoutCachedTokenAndUIFlowCanceled_CallsDeviceCodeFlow()
 
             var adalToken = "TestADALToken";
             MockCachedToken(null);
+            MockWindowsIntegratedToken(null);
             MockUIToken(null);
             MockDeviceFlowToken(adalToken);
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().Be(adalToken);
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Token.Should().Be(adalToken);
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
@@ -100,7 +133,7 @@ public async Task Get_WithoutCachedTokenAndUIFlowCanceled_CallsDeviceCodeFlow()
         }
 
         [TestMethod]
-        public async Task Get_WithCachedToken_DoesNotCallFlows()
+        public async Task Get_WithCachedToken_DoesNotCallAnyFlows()
         {
             var source = new Uri("https://example.com/index.json");
             var isRetry = false;
@@ -110,11 +143,13 @@ public async Task Get_WithCachedToken_DoesNotCallFlows()
             var adalToken = "TestADALToken";
             MockCachedToken(adalToken);
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().Be(adalToken);
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Token.Should().Be(adalToken);
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Never);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Never);
             mockAdalTokenProvider
@@ -133,13 +168,16 @@ public async Task Get_IsRetry_DoesNotQueryCache()
 
             var adalToken = "TestADALToken";
             MockCachedToken("OldCachedToken");
+            MockWindowsIntegratedToken(null);
             MockUIToken(adalToken);
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().Be(adalToken);
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Token.Should().Be(adalToken);
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Never);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
@@ -149,7 +187,7 @@ public async Task Get_IsRetry_DoesNotQueryCache()
         }
 
         [TestMethod]
-        public async Task Get_WithoutCachedTokenAndIsNonInteractive_DoesNotCallFlows()
+        public async Task Get_WithoutCachedTokenAndIsNonInteractive_DoesNotCallInteractiveFlows()
         {
             var source = new Uri("https://example.com/index.json");
             var isRetry = false;
@@ -158,11 +196,13 @@ public async Task Get_WithoutCachedTokenAndIsNonInteractive_DoesNotCallFlows()
 
             MockCachedToken(null);
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().BeNull();
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Should().BeNull();
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Once);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Never);
             mockAdalTokenProvider
@@ -172,7 +212,7 @@ public async Task Get_WithoutCachedTokenAndIsNonInteractive_DoesNotCallFlows()
         }
 
         [TestMethod]
-        public async Task Get_WithCachedTokenAndIsNonInteractive_DoesNotCallFlows()
+        public async Task Get_WithCachedTokenAndIsNonInteractive_DoesNotCallAnyFlows()
         {
             var source = new Uri("https://example.com/index.json");
             var isRetry = false;
@@ -182,11 +222,13 @@ public async Task Get_WithCachedTokenAndIsNonInteractive_DoesNotCallFlows()
             var adalToken = "TestADALToken";
             MockCachedToken(adalToken);
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().Be(adalToken);
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Token.Should().Be(adalToken);
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Once);
+            mockAdalTokenProvider
+                .Verify(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()), Times.Never);
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenWithUI(It.IsAny<CancellationToken>()), Times.Never);
             mockAdalTokenProvider
@@ -203,8 +245,8 @@ public async Task Get_IsRetryIsNonInteractive_ShouldWarn()
             var isNonInteractive = true;
             var canShowDialog = false;
 
-            var bearerToken = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
-            bearerToken.Should().BeNull();
+            var bearerTokenResult = await bearerTokenProvider.GetAsync(source, isRetry, isNonInteractive, canShowDialog, cancellationToken);
+            bearerTokenResult.Should().BeNull();
 
             mockAdalTokenProvider
                 .Verify(x => x.AcquireTokenSilentlyAsync(It.IsAny<CancellationToken>()), Times.Never);
@@ -226,6 +268,13 @@ private void MockCachedToken(string token)
                 .Returns(Task.FromResult<IAdalToken>(new AdalToken("Bearer", token)));
         }
 
+        private void MockWindowsIntegratedToken(string token)
+        {
+            mockAdalTokenProvider
+                .Setup(x => x.AcquireTokenWithWindowsIntegratedAuth(It.IsAny<CancellationToken>()))
+                .Returns(Task.FromResult<IAdalToken>(new AdalToken("Bearer", token)));
+        }
+
         private void MockDeviceFlowToken(string token)
         {
             mockAdalTokenProvider

CredentialProvider.Microsoft/CredentialProviders/Vsts/AdalTokenProvider.cs

@@ -3,9 +3,11 @@
 // Licensed under the MIT license.
 
 using System;
+using System.Security.Claims;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using NuGetCredentialProvider.Util;
 
 namespace NuGetCredentialProvider.CredentialProviders.Vsts
 {
@@ -82,5 +84,31 @@ public async Task<IAdalToken> AcquireTokenWithUI(CancellationToken cancellationT
                 throw;
             }
         }
+
+        public async Task<IAdalToken> AcquireTokenWithWindowsIntegratedAuth(CancellationToken cancellationToken)
+        {
+            try
+            {
+                string upn = WindowsIntegratedAuthUtils.GetUserPrincipalName();
+                if (upn == null)
+                {
+                    return null;
+                }
+
+                var result = await authenticationContext.AcquireTokenAsync(resource, clientId, new UserCredential(upn));
+                cancellationToken.ThrowIfCancellationRequested();
+
+                return new AdalToken(result);
+            }
+            catch (AdalServiceException e)
+            {
+                if (e.ErrorCode == AdalError.AuthenticationCanceled)
+                {
+                    return null;
+                }
+
+                throw;
+            }
+        }
     }
 }

CredentialProvider.Microsoft/CredentialProviders/Vsts/BearerTokenProvider.cs

@@ -4,6 +4,7 @@
 
 using System;
 using System.Runtime.InteropServices;
+using System.Security.Claims;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.Clients.ActiveDirectory;
@@ -33,7 +34,7 @@ public BearerTokenProvider(ILogger logger, IAdalTokenProviderFactory adalTokenPr
             this.authUtil = authUtil;
         }
 
-        public async Task<string> GetAsync(Uri uri, bool isRetry, bool isNonInteractive, bool canShowDialog, CancellationToken cancellationToken)
+        public async Task<BearerTokenResult> GetAsync(Uri uri, bool isRetry, bool isNonInteractive, bool canShowDialog, CancellationToken cancellationToken)
         {
             var authority = await authUtil.GetAadAuthorityUriAsync(uri, cancellationToken);
             logger.Verbose(string.Format(Resources.AdalUsingAuthority, authority));
@@ -50,14 +51,29 @@ public async Task<string> GetAsync(Uri uri, bool isRetry, bool isNonInteractive,
                 if (adalToken?.AccessToken != null)
                 {
                     logger.Verbose(Resources.AdalAcquireTokenSilentSuccess);
-                    return adalToken.AccessToken;
+                    return new BearerTokenResult(adalToken.AccessToken, obtainedInteractively: false);
                 }
                 else
                 {
                     logger.Verbose(Resources.AdalAcquireTokenSilentFailed);
                 }
             }
 
+            // Try Windows Integrated Auth if supported
+            if (WindowsIntegratedAuthUtils.SupportsWindowsIntegratedAuth())
+            {
+                adalToken = await adalTokenProvider.AcquireTokenWithWindowsIntegratedAuth(cancellationToken);
+                if (adalToken?.AccessToken != null)
+                {
+                    logger.Verbose(Resources.AdalAcquireTokenWIASuccess);
+                    return new BearerTokenResult(adalToken.AccessToken, obtainedInteractively: false);
+                }
+                else
+                {
+                    logger.Verbose(Resources.AdalAcquireTokenWIAFailed);
+                }
+            }
+
             // Interactive flows if allowed
             if (!isNonInteractive)
             {
@@ -69,7 +85,7 @@ public async Task<string> GetAsync(Uri uri, bool isRetry, bool isNonInteractive,
 
                     if (adalToken?.AccessToken != null)
                     {
-                        return adalToken.AccessToken;
+                        return new BearerTokenResult(adalToken.AccessToken, obtainedInteractively: true);
                     }
                 }
 #endif
@@ -88,7 +104,7 @@ public async Task<string> GetAsync(Uri uri, bool isRetry, bool isNonInteractive,
                 if (adalToken?.AccessToken != null)
                 {
                     logger.Verbose(Resources.AdalAcquireTokenDeviceFlowSuccess);
-                    return adalToken.AccessToken;
+                    return new BearerTokenResult(adalToken.AccessToken, obtainedInteractively: true);
                 }
                 else
                 {

CredentialProvider.Microsoft/CredentialProviders/Vsts/IAdalTokenProvider.cs

@@ -16,6 +16,8 @@ public interface IAdalTokenProvider
         Task<IAdalToken> AcquireTokenWithDeviceFlowAsync(Func<DeviceCodeResult, Task> deviceCodeHandler, CancellationToken cancellationToken);
 
         Task<IAdalToken> AcquireTokenWithUI(CancellationToken cancellationToken);
+
+        Task<IAdalToken> AcquireTokenWithWindowsIntegratedAuth(CancellationToken cancellationToken);
     }
 
     public interface IAdalToken

CredentialProvider.Microsoft/CredentialProviders/Vsts/IBearerTokenProvider.cs

@@ -10,6 +10,19 @@ namespace NuGetCredentialProvider.CredentialProviders.Vsts
 {
     public interface IBearerTokenProvider
     {
-        Task<string> GetAsync(Uri uri, bool isRetry, bool isNonInteractive, bool canShowDialog, CancellationToken cancellationToken);
+        Task<BearerTokenResult> GetAsync(Uri uri, bool isRetry, bool isNonInteractive, bool canShowDialog, CancellationToken cancellationToken);
+    }
+
+    public class BearerTokenResult
+    {
+        public BearerTokenResult(string token, bool obtainedInteractively)
+        {
+            Token = token;
+            ObtainedInteractively = obtainedInteractively;
+        }
+
+        public string Token { get; }
+
+        public bool ObtainedInteractively { get; }
     }
 }