Use broker or browser login instead of device flow (#2612)

Update CLI to attempt broker or browser-based authentication first; if you `Ctrl-C` to cancel it, you can fall back to device code login. Also updated the MSAL dependency to latest version and pass `allow_broker=True` which will allow the use of Web Account Manager (WAM), if it is available. Using browser auth requires the `http://localhost` redirect URI, and using the broker requires a special custom URI including the app ID (see code).
2025-06-17 20:38:06 +00:00 · 2022-11-15 09:13:36 +13:00
parent 0caac2fc00
commit c5840eb69b
4 changed files with 221 additions and 155 deletions
--- a/src/deployment/deploylib/registration.py
+++ b/src/deployment/deploylib/registration.py
@ -257,9 +257,6 @@ def create_application_registration(
    params = {
        "isDeviceOnlyAuthSupported": True,
        "displayName": name,
-        "publicClient": {
-            "redirectUris": ["https://%s.azurewebsites.net" % onefuzz_instance_name]
-        },
        "isFallbackPublicClient": True,
        "requiredResourceAccess": (
            [
@ -280,6 +277,23 @@ def create_application_registration(
        subscription=subscription_id,
    )

+    # next patch the redirect URIs; we must do this
+    # separately because we need the AppID to include
+    query_microsoft_graph(
+        method="PATCH",
+        resource=f"applications/{registered_app['id']}",
+        body={
+            "publicClient": {
+                "redirectUris": [
+                    "https://%s.azurewebsites.net" % onefuzz_instance_name,
+                    "http://localhost",  # required for browser auth
+                    f"ms-appx-web://Microsoft.AAD.BrokerPlugin/{app['appId']}",  # required for broker auth
+                ]
+            },
+        },
+        subscription=subscription_id,
+    )
+
    logger.info("creating service principal")

    service_principal_params = {