Open mvanchaa opened 4 months ago
Looks like it's a bug with MSAL broker flow and they just seemed to have fixed it https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4696 today. Once GCM consumes the latest MSAL, this issue would be fixed.
MSAL fixed the bug and released a new version 4.61.1.
@mvanchaa could you build GCM with the new version and verify that it fixes your problem?
It would be really helpful if you can look into the attached logs and help us diagnose the issue.
@mvanchaa unfortunately, I am as much an expert in MSAL as you are...
We don’t completely know whether MSAL is causing this issue, so we filed a bug against MSAL. But we warmed the broker cache successfully with our tool AzureAuth, which is locally configured with MSAL version 4.61.3, and then tried git pull again and it worked. So, we suspect whether the issue has something to do with GCM? Attaching the logs.
git_after_warming_broker_cache_with_azureauth.txt
git_before_warming_broker_cache_with_azureauth.log
So I just debugged this a bit more. @dscho it appears that this is a bug with MSAL 4.61.3. I was able to somewhat replicate the issue with our own CLI tool that also takes a dependency on MSAL.
The problem appears only when run in an elevated/administrator shell. Unelevated shells work as expected. In elevated shells, after the call to retrieve a token interactively via the broker is made, it immediately exits early and throws an MsalClientException with the message "User canceled authentication".
I was able to reproduce this issue with Git v2.46.0 by simply attempting to clone a private Azure DevOps git repository in an elevated shell.
The good news is that this issue seems to go away after updating to MSAL 4.64. Would you all be able to upgrade your MSAL version?
Version
2.5.0+d34930736e131ad80e5690e5634ced1808aff3e2
Operating system
Windows
OS version or distribution
Windows 10.0.19045.4355
Git hosting provider(s)
Azure DevOps
Other hosting provider
No response
(Azure DevOps only) What format is your remote URL?
https://{org}.visualstudio.com
Can you access the remote repository directly in the browser?
Yes, I can access the repository
Expected behavior
git pull should successfully update the local version of a repo from a remote server
Actual behavior
git pull results in the following error:
fatal: User canceled authentication.
Username for 'https://dev.azure.com/{organization}/{project}/_git/{repository}':
We observed this behavior for other git commands too.
Logs
This problem has been intermittently affecting several office developers at Microsoft. The broker authentication is failing for some reason. However, we found a temporary solution by switching to a non-broker authentication mode in GCM by setting the credential.msauthUseBroker flag to false in the git config file. Redacted logs are attached for further analysis.
gitlogs.log