add OS default broker auth to DAC (#45891)

Author: g2vinay

sdk/identity/azure-identity/TROUBLESHOOTING.md

@@ -27,6 +27,7 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Troubleshoot Web Account Manager (WAM) brokered authentication issues](#troubleshoot-web-account-manager-wam-brokered-authentication-issues)
 - [Get additional help](#get-additional-help)
 
+
 ## Handle Azure Identity exceptions
 
 ### ClientAuthenticationException
@@ -350,9 +351,16 @@ You can find more info about Fork Join Pool [here](https://docs.oracle.com/javas
 
 ## Troubleshoot Web Account Manager (WAM) brokered authentication issues
 
+Broker authentication is used by `DefaultAzureCredential` to enable secure sign-in via the Windows Web Account Manager (WAM). This mechanism requires the `azure-identity-broker` dependency and is currently only supported on Windows.
+
 | Error Message |Description| Mitigation |
 |---|---|---|
 |AADSTS50011|The application is missing the expected redirect URI.|Ensure that one of redirect URIs registered for the Microsoft Entra application matches the following URI pattern: `ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id}`|
+| `CredentialUnavailableException: azure-identity-broker dependency is not available. Ensure you have azure-identity-broker dependency added to your application.` | The required broker dependency is missing from your project. | Add the `azure-identity-broker` dependency to your application's build configuration (e.g., Maven or Gradle). |
+| `CredentialUnavailableException: InteractiveBrowserBrokerCredentialBuilder class not found. Ensure you have azure-identity-broker dependency added to your application.` | The broker credential builder class could not be found, likely due to a missing or misconfigured dependency. | Ensure the `azure-identity-broker` dependency is present and correctly configured in your project. |
+| `CredentialUnavailableException: Failed to create InteractiveBrowserBrokerCredential dynamically` | An unexpected error occurred while creating the broker credential. | Check the inner exception for more details. Ensure your environment meets all requirements for broker authentication (Windows OS, correct dependencies, and configuration). |
+
+> **Note:** Broker authentication is currently only supported on Windows. macOS and Linux are not yet supported.
 
 ### Unable to log in with Microsoft account (MSA) on Windows
 
@@ -372,6 +380,7 @@ You may also log in another MSA account by selecting "Microsoft account":
 
 ![Microsoft account](./images/MSA4.png)
 
+---
 
 ## Get additional help
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/DefaultAzureCredentialBuilder.java

@@ -338,6 +338,7 @@ private void addDevCredentials(List<TokenCredential> credentials) {
         credentials.add(new AzureCliCredential(tenantId, identityClientOptions.clone()));
         credentials.add(new AzurePowerShellCredential(tenantId, identityClientOptions.clone()));
         credentials.add(new AzureDeveloperCliCredential(tenantId, identityClientOptions.clone()));
+        credentials.add(new OSBrokerCredential(tenantId));
     }
 
     private WorkloadIdentityCredential getWorkloadIdentityCredential() {

sdk/identity/azure-identity/src/main/java/com/azure/identity/OSBrokerCredential.java

@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.util.CoreUtils;
+import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.util.IdentityUtil;
+
+import reactor.core.publisher.Mono;
+import java.util.concurrent.atomic.AtomicReference;
+
+class OSBrokerCredential implements TokenCredential {
+    private static final ClientLogger LOGGER = new ClientLogger(OSBrokerCredential.class);
+    private static final String BROKER_BUILDER_CLASS
+        = "com.azure.identity.broker.InteractiveBrowserBrokerCredentialBuilder";
+    private final String tenantId;
+    private final AtomicReference<TokenCredential> cached = new AtomicReference<>();
+
+    OSBrokerCredential(String tenantId) {
+        this.tenantId = tenantId;
+    }
+
+    @Override
+    public Mono<AccessToken> getToken(TokenRequestContext request) {
+        TokenCredential credential = cached.get();
+        if (credential == null) {
+            TokenCredential newCredential;
+            try {
+                // Create the broker credential dynamically
+                newCredential = createBrokerCredential();
+            } catch (CredentialUnavailableException e) {
+                // If the broker is unavailable, throw the exception
+                return Mono.error(e);
+            } catch (Exception e) {
+                // Log and throw any other exceptions that occur during credential creation
+                return Mono.error(LOGGER.logExceptionAsError(
+                    new CredentialUnavailableException("Failed to create OS Broker credential.", e)));
+            }
+            if (cached.compareAndSet(null, newCredential)) {
+                credential = newCredential;
+            } else {
+                credential = cached.get();
+            }
+        }
+        return credential.getToken(request);
+    }
+
+    private TokenCredential createBrokerCredential() {
+        final String troubleshoot
+            = " To mitigate this issue, refer to http://aka.ms/azsdk/java/identity/dacbrokerauth/troubleshoot";
+        if (!IdentityUtil.isBrokerAvailable()) {
+            throw LOGGER.logExceptionAsError(
+                new CredentialUnavailableException("azure-identity-broker dependency is not available. "
+                    + "Ensure you have azure-identity-broker dependency added to your application." + troubleshoot));
+        }
+        try {
+            Class<?> builderClass = Class.forName(BROKER_BUILDER_CLASS);
+            Object builder = builderClass.getConstructor().newInstance();
+            builderClass.getMethod("setWindowHandle", long.class).invoke(builder, 0);
+            builderClass.getMethod("useDefaultBrokerAccount").invoke(builder);
+            com.azure.identity.InteractiveBrowserCredentialBuilder browserCredentialBuilder
+                = (com.azure.identity.InteractiveBrowserCredentialBuilder) builder;
+            if (!CoreUtils.isNullOrEmpty(tenantId)) {
+                builderClass.getMethod("tenantId", String.class).invoke(builder, tenantId);
+            }
+            return browserCredentialBuilder.build();
+        } catch (ClassNotFoundException e) {
+            throw LOGGER
+                .logExceptionAsError(new CredentialUnavailableException(
+                    "InteractiveBrowserBrokerCredentialBuilder class not found. "
+                        + "Ensure you have azure-identity-broker dependency added to your application." + troubleshoot,
+                    e));
+        } catch (Exception e) {
+            throw LOGGER.logExceptionAsError(new CredentialUnavailableException(
+                "Failed to create InteractiveBrowserBrokerCredential dynamically." + troubleshoot, e));
+        }
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/util/IdentityUtil.java

@@ -179,14 +179,16 @@ public static boolean isLinuxPlatform() {
     }
 
     public static boolean isVsCodeBrokerAuthAvailable() {
+        // Check if VS Code broker auth record file exists
+        File authRecordFile = VSCODE_AUTH_RECORD_PATH.toFile();
+        return isBrokerAvailable() && authRecordFile.exists() && authRecordFile.isFile();
+    }
+
+    public static boolean isBrokerAvailable() {
         try {
             // 1. Check if Broker dependency is available
             Class.forName("com.azure.identity.broker.InteractiveBrowserBrokerCredentialBuilder");
-
-            // 2. Check if VS Code broker auth record file exists
-            File authRecordFile = VSCODE_AUTH_RECORD_PATH.toFile();
-
-            return authRecordFile.exists() && authRecordFile.isFile();
+            return true;
         } catch (ClassNotFoundException e) {
             return false; // Broker not present
         }

sdk/identity/azure-identity/src/test/java/com/azure/identity/DacOsBrokerCredentialTest.java

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.credential.TokenRequestContext;
+import org.junit.jupiter.api.Test;
+import reactor.test.StepVerifier;
+
+public class DacOsBrokerCredentialTest {
+    @Test
+    public void testBrokerUnavailable() {
+        // setup
+        TokenRequestContext request
+            = new TokenRequestContext().addScopes("https://vault.azure.net/.default").setTenantId("newTenant");
+
+        // Simulate broker unavailable by using a test double or by ensuring the environment does not support broker
+        OSBrokerCredential credential = new OSBrokerCredential("tenant");
+        StepVerifier.create(credential.getToken(request))
+            .expectErrorMatches(e -> e instanceof CredentialUnavailableException
+                && e.getMessage().contains("azure-identity-broker dependency is not available")
+                && e.getMessage()
+                    .contains(
+                        "To mitigate this issue, refer to http://aka.ms/azsdk/java/identity/dacbrokerauth/troubleshoot"))
+            .verify();
+    }
+}

sdk/identity/azure-identity/src/test/java/com/azure/identity/DefaultAzureCredentialTest.java

@@ -321,8 +321,12 @@ public void testNoCredentialWorks() {
                 = mockConstruction(IntelliJCredential.class, (intelliJCredential, context) -> {
                     when(intelliJCredential.getToken(request)).thenReturn(
                         Mono.error(new CredentialUnavailableException("Cannot get token from IntelliJ Credential")));
+                });
+            MockedConstruction<OSBrokerCredential> osBrokerCredentialMock
+                = mockConstruction(OSBrokerCredential.class, (osBrokerCredential, context) -> {
+                    when(osBrokerCredential.getToken(request)).thenReturn(
+                        Mono.error(new CredentialUnavailableException("Cannot get token from OS Broker credential")));
                 })) {
-
             // test
             DefaultAzureCredential credential
                 = new DefaultAzureCredentialBuilder().configuration(configuration).build();
@@ -335,6 +339,7 @@ public void testNoCredentialWorks() {
             Assertions.assertNotNull(azureDeveloperCliCredentialMock);
             Assertions.assertNotNull(azurePowerShellCredentialMock);
             Assertions.assertNotNull(intelliJCredentialMock);
+            Assertions.assertNotNull(osBrokerCredentialMock);
         }
     }
 
@@ -368,7 +373,13 @@ public void testCredentialUnavailable() {
                 = mockConstruction(AzureDeveloperCliCredential.class, (AzureDeveloperCliCredential, context) -> {
                     when(AzureDeveloperCliCredential.getToken(request)).thenReturn(Mono.error(
                         new CredentialUnavailableException("Cannot get token from Azure Developer CLI credential")));
+                });
+            MockedConstruction<OSBrokerCredential> osBrokerCredentialMock
+                = mockConstruction(OSBrokerCredential.class, (osBrokerCredential, context) -> {
+                    when(osBrokerCredential.getToken(request)).thenReturn(
+                        Mono.error(new CredentialUnavailableException("Cannot get token from OS Broker credential")));
                 })) {
+
             // test
             DefaultAzureCredential credential
                 = new DefaultAzureCredentialBuilder().configuration(configuration).build();
@@ -381,8 +392,8 @@ public void testCredentialUnavailable() {
             Assertions.assertNotNull(powerShellCredentialMock);
             Assertions.assertNotNull(azureCliCredentialMock);
             Assertions.assertNotNull(azureDeveloperCliCredentialMock);
+            Assertions.assertNotNull(osBrokerCredentialMock);
         }
-
     }
 
     @Test
@@ -659,14 +670,15 @@ public void testDeveloperOnlyCredentialsChain(String devValue) {
         List<TokenCredential> credentials = extractCredentials(credential);
 
         // Only developer credentials should be present (4)
-        assertEquals(5, credentials.size());
+        assertEquals(6, credentials.size());
 
         // Verify developer credentials in order
         assertInstanceOf(IntelliJCredential.class, credentials.get(0));
         assertInstanceOf(VisualStudioCodeCredential.class, credentials.get(1));
         assertInstanceOf(AzureCliCredential.class, credentials.get(2));
         assertInstanceOf(AzurePowerShellCredential.class, credentials.get(3));
         assertInstanceOf(AzureDeveloperCliCredential.class, credentials.get(4));
+        assertInstanceOf(OSBrokerCredential.class, credentials.get(5));
     }
 
     @ParameterizedTest
@@ -772,8 +784,8 @@ public void testDefaultCredentialChainWithoutFilter() {
         // Extract credentials to check their types and order
         List<TokenCredential> credentials = extractCredentials(credential);
 
-        // Verify the complete chain with all 7 credentials
-        assertEquals(8, credentials.size());
+        // Verify the complete chain with all 9 credentials
+        assertEquals(9, credentials.size());
         assertInstanceOf(EnvironmentCredential.class, credentials.get(0));
         assertInstanceOf(WorkloadIdentityCredential.class, credentials.get(1));
         assertInstanceOf(ManagedIdentityCredential.class, credentials.get(2));
@@ -782,6 +794,7 @@ public void testDefaultCredentialChainWithoutFilter() {
         assertInstanceOf(AzureCliCredential.class, credentials.get(5));
         assertInstanceOf(AzurePowerShellCredential.class, credentials.get(6));
         assertInstanceOf(AzureDeveloperCliCredential.class, credentials.get(7));
+        assertInstanceOf(OSBrokerCredential.class, credentials.get(8));
     }
 
     /**