Fix interactive authentication for PowerShell Core 7+ by using system browser

Open Copilot opened this issue 8 months ago • 6 comments

Problem

When using interactive authentication (Connect-TfsTeamProjectCollection -Interactive) in PowerShell Core 7+, users encounter the following error:

Connect-TfsTeamProjectCollection: A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles

This prevents users from authenticating interactively in PowerShell Core environments, forcing them to use alternative authentication methods like Personal Access Tokens.

Root Cause

MSAL (Microsoft Authentication Library) by default attempts to create an embedded web view for interactive authentication, which requires a proper window handle. In PowerShell Core, especially in console environments or on non-Windows platforms, no suitable window handle is available, causing the authentication to fail.

Solution

This PR implements PowerShell edition detection and configures MSAL appropriately for each environment:

  • PowerShell Core: Uses system browser authentication (.WithUseEmbeddedWebView(false))
  • Windows PowerShell: Maintains existing embedded web view behavior

Technical Changes

Core Implementation

  • Added IRuntimeUtil dependency injection to InteractiveAuthenticationImpl for consistent PowerShell edition detection
  • Implemented IsPowerShellCore() method using RuntimeUtil.Platform.Equals("Core")
  • Modified MSAL token builder to conditionally apply .WithUseEmbeddedWebView(false) for PowerShell Core

Documentation Update

  • Updated help text in CommonHelpText.psd1 to reflect that interactive authentication now supports both Windows PowerShell and PowerShell Core

Code Example

// For PowerShell Core, use system browser instead of embedded web view
// to avoid window handle issues
if (IsPowerShellCore())
{
    tokenBuilder = tokenBuilder.WithUseEmbeddedWebView(false);
}

Impact

  • Cross-platform support: Interactive authentication now works on Windows, Linux, and macOS with PowerShell Core
  • Backward compatibility: Zero impact on existing Windows PowerShell workflows
  • User experience: PowerShell Core users can now use interactive authentication instead of being forced to use PATs
  • Consistency: Uses the same PowerShell detection logic as existing NewCredential class

Testing

  • Validated PowerShell edition detection logic in PowerShell Core 7.4.10
  • Confirmed the approach aligns with Microsoft's MSAL recommendations for console applications
  • Verified minimal scope of changes (29 additions, 4 deletions in main implementation)

The fix enables MSAL to open the system browser for authentication instead of attempting to create an embedded web view that requires window handles unavailable in PowerShell Core environments.

Fixes #249.



Jun 17 '25 21:06 Copilot
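The edition-dependent MSAL configuration described in the PR, as an added C# example that is not the PR's or TfsCmdlets' own code. Assumptions: the client ID is a placeholder, the scope is the Azure DevOps resource scope, the `RuntimeInformation.FrameworkDescription` check stands in for the project's `IRuntimeUtil` detection, and the two-minute timeout is an arbitrary choice.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class InteractiveAuthExample
{
    // Placeholder: supply the client ID of your own app registration.
    private const string ClientId = "<your-client-id>";
    // Assumption: Azure DevOps resource scope; not taken from the PR.
    private static readonly string[] Scopes =
        { "499b84ac-1321-427f-aa17-267ca6975798/user_impersonation" };

    // Stand-in for the PR's IsPowerShellCore(): Windows PowerShell 5.1 is hosted
    // on ".NET Framework", PowerShell 7+ on ".NET".
    private static bool IsPowerShellCore() => !RuntimeInformation
        .FrameworkDescription.StartsWith(".NET Framework", StringComparison.Ordinal);

    public static async Task<AuthenticationResult> SignInAsync()
    {
        var appBuilder = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations");
        // The system browser hands the authorization code back to a loopback
        // listener, so the app registration must allow http://localhost.
        if (IsPowerShellCore())
            appBuilder = appBuilder.WithRedirectUri("http://localhost");
        IPublicClientApplication app = appBuilder.Build();

        var tokenBuilder = app.AcquireTokenInteractive(Scopes);
        // Same switch as in the PR: no embedded web view on PowerShell Core.
        if (IsPowerShellCore())
            tokenBuilder = tokenBuilder.WithUseEmbeddedWebView(false);

        // MSAL cannot tell that the user closed the browser tab, so bound the wait.
        using (var cts = new CancellationTokenSource(TimeSpan.FromMinutes(2)))
        {
            try
            {
                return await tokenBuilder.ExecuteAsync(cts.Token);
            }
            catch (OperationCanceledException)
            {
                throw new TimeoutException("Browser sign-in was not completed in time.");
            }
        }
    }
}
```

With the system browser the credentials are entered in the user's own browser rather than in a view hosted by the calling process, and the sign-in only completes if the `http://localhost` redirect URI is registered for the client ID.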