Use System Web Browser for Web mode to avoid cache poisoning #160

Merged
merged 3 commits into from
Oct 24, 2022

Contributor

@kyle-rader kyle-rader commented Oct 21, 2022

With the build system using AzureAuth directly, the last source of cache poisoning is using web mode when pre-warming ADO auth for NuGet. We can avoid cache poisoning by going back to system web browser when web auth is needed. Falling back to web should rarely happen now that IWA and broker are both used before web. By using system web browser instead of embedded web view, we won't risk cache poisoning since the system web browser should always be able to pass the device management CA policy properly.

This does mean that the prompt hint will not show if being prompted with the web browser. Which is tragic. But we also expect to see it far less.

@kyle-rader kyle-rader requested a review from a team as a code owner October 21, 2022 23:28
@kyle-rader kyle-rader added the bug Something isn't working label Oct 21, 2022
@kyle-rader kyle-rader force-pushed the system-web branch 2 times, most recently from 081f2c5 to 4557276 Compare October 22, 2022 00:14
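
For readers following the change described above, this is an added MSAL.NET example (not AzureAuth's own code and not part of this pull request) of an interactive request that forces the system web browser instead of the embedded web view. The class name, client ID and tenant ID are placeholders, and the IWA and broker steps that AzureAuth tries before web mode are left out.

```csharp
// Added example, not AzureAuth source. Requires the Microsoft.Identity.Client NuGet package.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class SystemBrowserAuth // hypothetical name
{
    // Placeholder values: substitute your own app registration and tenant.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string TenantId = "00000000-0000-0000-0000-000000000000";

    public static async Task<AuthenticationResult> GetTokenAsync(string[] scopes, CancellationToken ct)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // The system browser returns the auth code to a loopback listener,
            // so the redirect URI must be http://localhost.
            .WithRedirectUri("http://localhost")
            .Build();

        // Try MSAL's token cache first so the browser only opens when needed.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(scopes, account).ExecuteAsync(ct);
            }
            catch (MsalUiRequiredException)
            {
                // No usable cached token: fall through to the interactive prompt.
            }
        }

        return await app.AcquireTokenInteractive(scopes)
            .WithUseEmbeddedWebView(false) // system browser, not the embedded web view
            .WithSystemWebViewOptions(new SystemWebViewOptions
            {
                // Shown in the browser tab once the redirect is received.
                HtmlMessageSuccess = "<p>Authentication complete. You can close this tab.</p>",
            })
            .ExecuteAsync(ct);
    }
}
```

MSAL does not own the system browser window, so application-side hints such as a custom window title cannot be shown there, which matches the prompt hint trade-off noted in the description.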
Member

@reillysiemens reillysiemens left a comment

Is there an MSAL bug about the unreliability of embedded web view in combination with conditional access policies? If not, should we open one? That seems to me like the sort of thing that should be resolved, and I'd like to link to it in a comment.

src/MSALWrapper/PCAWrapper.cs (resolved)
Contributor

@Haard30 Haard30 left a comment

Tested on Windows.

@kyle-rader
Contributor Author

> Is there an MSAL bug about the unreliability of embedded web view in combination with conditional access policies? If not, should we open one? That seems to me like the sort of thing that should be resolved, and I'd like to link to it in a comment.

Discussed offline, unlikely that this is a priority for MSAL.NET as WAM is the future.

@kyle-rader kyle-rader merged commit ee27313 into main Oct 24, 2022
@kyle-rader kyle-rader deleted the system-web branch October 24, 2022 22:23