git-ecosystem / git-credential-manager

Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services.

Git operations result in "fatal: User canceled authentication." and prompt for username and password #1617

Open mvanchaa opened 4 months ago

mvanchaa commented 4 months ago

Version

2.5.0+d34930736e131ad80e5690e5634ced1808aff3e2

Operating system

Windows

OS version or distribution

Windows 10.0.19045.4355

Git hosting provider(s)

Azure DevOps

Other hosting provider

No response

(Azure DevOps only) What format is your remote URL?

https://{org}.visualstudio.com

Can you access the remote repository directly in the browser?

Yes, I can access the repository

Expected behavior

git pull should successfully update the local version of a repo from a remote server

Actual behavior

git pull results in the following error: fatal: User canceled authentication. Username for 'https://dev.azure.com/{organization}/{project}/_git/{repository}':

We observed this behavior for other git commands too.

Logs

This problem has been intermittently affecting several office developers at Microsoft. The broker authentication is failing for some reason. However, we found a temporary solution by switching to a non-broker authentication mode in GCM by setting credential.msauthUseBroker flag to false in the git config file. Redacted logs are attached for further analysis. gitlogs.log

mvanchaa commented 3 months ago

Looks like it's a bug with MSAL broker flow and they just seemed to have fixed it https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4696 today. Once GCM consumes the latest MSAL, this issue would be fixed.

mvanchaa commented 3 months ago

MSAL fixed the bug and released a new version 4.61.1.

dscho commented 3 months ago

@mvanchaa could you build GCM with the new version and verify that it fixes your problem?

mvanchaa commented 1 month ago

@dscho We tested with the new version 2.5.1 and that unfortunately did not fix our problem. We think it's coming from MSAL and we filed a bug against MSAL here. But it would be really helpful if you can look into the attached logs and help us diagnose the issue. git.log

dscho commented 1 month ago

> it would be really helpful if you can look into the attached logs and help us diagnose the issue.

@mvanchaa unfortunately, I am as much an expert in MSAL as you are...

mvanchaa commented 1 month ago

We don’t completely know whether MSAL is causing this issue, so we filed a bug against MSAL. But we warmed the broker cache successfully with our tool AzureAuth, which is locally configured with MSAL version 4.61.3 and then tried git pull again and it worked. So, we suspect whether the issue has something to do with GCM? Attaching the logs. git_after_warming_broker_cache_with_azureauth.txt git_before_warming_broker_cache_with_azureauth.log

mijpeterson commented 1 week ago

So I just debugged this a bit more. @dscho it appears that this is a bug with MSAL 4.61.3. I was able to somewhat replicate the issue with our own CLI tool that also takes a dependency on MSAL.

The problem appears only when run in an elevated/administrator shell. Unelevated shells work as expected. In elevated shells, after the call to retrieve a token interactively via the broker is made, it immediately exits early and throws an MsalClientException with the message "User canceled authentication".

I was able to reproduce this issue with Git v2.46.0 by simply attempting to clone a private Azure DevOps git repository in an elevated shell.

The good news is that this issue seems to go away after updating to MSAL 4.64. Would you all be able to upgrade your MSAL version?
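
The combination reported in this thread (GCM broker authentication enabled, Git run from an elevated shell) can be checked before a clone or pull with a short PowerShell function. This is an added example, not code from the thread or from GCM; the function name `Test-GcmBrokerElevation`, its `-DisableBroker` switch, and the output property names are hypothetical, and it assumes `git` and GCM are on `PATH`.

```powershell
# Added example: reports whether this shell matches the failing combination
# described in the thread (elevated shell + credential.msauthUseBroker=true).
# Test-GcmBrokerElevation and its property names are hypothetical.
function Test-GcmBrokerElevation {
    [CmdletBinding()]
    param(
        # Apply the workaround from the thread: set the flag to false (global scope).
        [switch]$DisableBroker
    )

    # With UAC, an administrator's unelevated shell holds a filtered token,
    # so this is true only when the shell was started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Effective value across system/global/local config, normalized to true/false.
    # git exits non-zero when the key is not set anywhere.
    $raw    = git config --type=bool --get credential.msauthUseBroker 2>$null
    $broker = if ($LASTEXITCODE -eq 0 -and $raw) { "$raw".Trim() } else { 'unset' }

    if ($DisableBroker -and $elevated -and $broker -eq 'true') {
        git config --global credential.msauthUseBroker false
        # Re-read: a repository-local or worktree value would still override global.
        $raw    = git config --type=bool --get credential.msauthUseBroker 2>$null
        $broker = if ($LASTEXITCODE -eq 0 -and $raw) { "$raw".Trim() } else { 'unset' }
    }

    [pscustomobject]@{
        Elevated        = $elevated
        MsauthUseBroker = $broker
        MatchesReport   = ($elevated -and $broker -eq 'true')
        GcmVersion      = (git credential-manager --version 2>$null)
        # Shows which config file supplies the value, if any.
        ConfigOrigin    = (git config --show-origin --get credential.msauthUseBroker 2>$null)
    }
}

Test-GcmBrokerElevation | Format-List
```

A result of `unset` means no Git config file sets the flag, so whatever default the installed GCM version uses applies.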