microsoft / artifacts-credprovider

The Azure Artifacts Credential Provider enables dotnet, NuGet.exe, and MSBuild to interactively acquire credentials for Azure Artifacts feeds.
MIT License

Inconsistent account selection modal behavior across operating systems #465

Closed kartheekp-ms closed 6 months ago

kartheekp-ms commented 6 months ago

When executing the command `dotnet .\CredentialProvider.Microsoft -Uri {Azure Artifacts private feed URL} -IsRetry false -CanShowDialog` on Linux and Mac, the expected modal dialog, where users can select an account to obtain credentials, does not appear. Instead, the command displays device code login information, including a URL and device code for credential acquisition.

In contrast, on Windows and WSL, the same command prompts the user to select an account. If the user does not respond in time, it will revert to displaying the device code login information, including the URL and device code, in the console.

The documentation indicates that `CanShowDialog (-C)`: "If true, the user can be prompted for credentials via UI; if false, the device flow must be used [Default='True']". However, the UI prompt functions only on Windows and WSL, and not on other platforms.

embetten commented 6 months ago

For Linux and Mac the cred provider will not pop up a modal but will allow browser authentication. This is an MSAL limitation, not something the cred provider has control over.

However, the reason that canShowDialog is not working is because canShowDialog is hardcoded to false in the nuget.client implementation (see definition and example usage), whereas the VS/commandline implementations hardcode it to true (see vs definition and command definition).

The cred provider exposes an environment variable to override the NuGet setting. Setting `NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO=true` will allow the system browser to pop up for Mac and Linux. Please see the README for more information. I am able to confirm the environment variable on my local Mac and was able to log in with the browser when the variable is set.

kartheekp-ms commented 6 months ago

@embetten - thanks for the additional context & letting me know the system browser based auth works on Mac. When I created a Linux VM and executed the `dotnet .\CredentialProvider.Microsoft -Uri {Azure Artifacts private feed URL} -IsRetry false -CanShowDialog` command, I didn't notice any system browser popping up; instead the credential provider printed device code login to the console. Did I miss anything during the repro?

embetten commented 6 months ago

Correction - my earlier statement regarding canShowDialog being hard coded only applies when the cred provider is invoked as a plugin from the NuGet client. I see that you are invoking the cred provider .dll directly in "stand alone mode." In this scenario, the `NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO` variable should not need to be set. Passing -CanShowDialog as true will be respected in the latest version of the cred provider if noninteractive is true. I was again able to confirm this on macOS.

For Linux, please ensure you are not running the cred provider from an ssh window. MSAL treats ssh as inherently non-interactive, so the interactive authentication will never be applicable from ssh. Please try RDP instead.

If any further issues occur, please pass -V Debug to get some logs to further debug the issue.
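The conditions discussed in this thread, as an added shell example (not code from the credential provider or MSAL): it selects device code for SSH sessions and for Linux without a graphical display, and sets the override variable named above only when a browser prompt is plausible. The function names and the `DISPLAY`/`WAYLAND_DISPLAY` check are assumptions of this example; MSAL's own interactivity test may differ.

```shell
#!/bin/sh
# Added example: heuristic preflight, not MSAL's or the provider's own logic.

# auth_mode OS SSH_CONNECTION SSH_TTY DISPLAY WAYLAND_DISPLAY
# Prints "interactive" when a browser sign-in is plausible, else "devicecode".
# Values are passed as arguments so the decision can be tested offline.
auth_mode() {
    os=$1 ssh_conn=$2 ssh_tty=$3 display=$4 wayland=$5
    # Per the thread, an ssh session is never interactive for MSAL.
    if [ -n "$ssh_conn" ] || [ -n "$ssh_tty" ]; then
        echo devicecode
        return 0
    fi
    case $os in
        Darwin) echo interactive ;;
        Linux)
            # Assumption: a system browser needs an X11 or Wayland session.
            if [ -n "$display" ] || [ -n "$wayland" ]; then
                echo interactive
            else
                echo devicecode
            fi ;;
        *) echo devicecode ;;
    esac
}

# Plugin mode (provider launched by the NuGet client): export the override
# only when auth_mode says a prompt can appear; otherwise leave it unset so
# the client falls back to device code.
configure_plugin_override() {
    if [ "$(auth_mode "$@")" = interactive ]; then
        NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO=true
        export NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO
    else
        unset NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO
    fi
}

# Decision for the live environment of the calling shell.
current_auth_mode() {
    auth_mode "$(uname -s)" "${SSH_CONNECTION:-}" "${SSH_TTY:-}" \
        "${DISPLAY:-}" "${WAYLAND_DISPLAY:-}"
}

current_auth_mode
```

When `current_auth_mode` prints `devicecode` on a machine where a browser is expected, rerunning the provider with `-V Debug` as suggested above shows which flow it actually chose.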