Add device code fallback for Graph token auth #2535
Open
aadnehovda wants to merge 3 commits into microsoft:main from
Conversation
Contributor
Pull request overview

Adds a non-browser authentication path to Get-GraphAccessToken to support Server Core and non-interactive/remote PowerShell scenarios where the existing localhost callback + browser launch flow cannot work.

Changes:
- Added `-AuthFlow` parameter (`Auto`, `AuthorizationCode`, `DeviceCode`) to control auth flow selection.
- Implemented OAuth device code flow (init + polling) and automatic fallback from auth-code flow when browser/callback is unavailable.
- Refactored token handling to return a consistent `{ AccessToken, TenantId }` result object.
Diff lines referenced by the review comments (extracted context, Shared\AzureFunctions\Get-GraphAccessToken.ps1):

```
enables a client application to obtain authorized access to protected resources like web APIs.
The auth code flow requires a user-agent that supports redirection from the authorization server
(the Microsoft identity platform) back to your application.
This function is used to get an access token for the Azure Graph API. By default, it uses the OAuth 2.0 authorization
ErrorAction = "Stop"
}
try {
}
if ($deviceCodeResponse.StatusCode -ne 200 -or $null -eq $deviceCodeResponse.Content) {
Write-Host "Unable to initiate device code authentication." -ForegroundColor Red
```

Comment on lines 436 to 437:

```
Write-Host "Authorization code is missing in callback" -ForegroundColor Red
```
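Review bot: the check `if ($deviceCodeResponse.StatusCode -ne 200 -or $null -eq $deviceCodeResponse.Content)` reads the `StatusCode` and `Content` properties that an `Invoke-WebRequest` response exposes, but the PR description says the device code flow uses `Invoke-RestMethod`, whose return value is the parsed body and carries neither property unless the status is captured separately; if `$deviceCodeResponse` comes from `Invoke-RestMethod`, `StatusCode` is always `$null`, the comparison is always true and device code init can never succeed. Either fetch the device code with `Invoke-WebRequest` here or test for the fields the next step actually needs (`device_code`, `user_code`, `verification_uri`, `interval`). Also confirm that the two `Write-Host ... -ForegroundColor Red` failure messages are followed by a `return` or `throw` so the caller does not proceed with an empty token.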
Author:
@microsoft-github-policy-service agree
Issue:
`Get-GraphAccessToken` currently assumes a local browser can be launched for the authorization code callback. This fails on Server Core and other non-interactive/remote PowerShell sessions where browser-based authentication is not available.

Reason:
Server Core and remote administration scenarios need an authentication path that does not require a browser on the target machine.

Fix:
Adds an `-AuthFlow` parameter with `Auto`, `AuthorizationCode`, and `DeviceCode` options. `Auto` keeps the existing authorization code flow when available, but uses device code authentication when running in Server Core, non-interactive, or remote PowerShell contexts, and also falls back to device code if browser launch/local callback fails. The device code implementation uses `Invoke-RestMethod` and handles expected OAuth polling responses such as `authorization_pending`, `slow_down`, `expired_token`, and `authorization_declined`.

Validation:
- `.build\CodeFormatter.ps1 -Save -Branch main`
- `.build\Build.ps1`
- `Shared\AzureFunctions\Get-GraphAccessToken.ps1`: `Auto` selected device code auth and reached the Microsoft device-code endpoint.
- `.build\SpellCheck.ps1`: local host does not have `npm`, so cspell could not run locally.
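The device code init-and-poll cycle the description refers to, written as an added example for this thread rather than taken from the PR: it handles the four OAuth polling responses named above. The tenant and client ids are placeholders, the scope is illustrative, and it assumes `Invoke-RestMethod` surfaces the endpoint's JSON error body in `$_.ErrorDetails.Message`.

```powershell
# Added example, not the PR's code: OAuth 2.0 device code flow against the
# Microsoft identity platform, with the polling responses the description names.
# TenantId/ClientId are placeholders; the scope is illustrative.
function Get-GraphTokenViaDeviceCode {
    param(
        [string]$TenantId = "<tenant-id-placeholder>",
        [string]$ClientId = "<client-id-placeholder>",
        [string]$Scope    = "https://graph.microsoft.com/.default"
    )
    $base = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

    # Step 1: obtain a device code; the user signs in from any browser elsewhere.
    $dc = Invoke-RestMethod -Method Post -Uri "$base/devicecode" `
        -Body @{ client_id = $ClientId; scope = $Scope } -ErrorAction Stop
    Write-Host $dc.message   # tells the user the URL and the code to enter

    # Step 2: poll the token endpoint, never faster than the server's interval.
    $interval  = [int]$dc.interval
    $deadline  = (Get-Date).AddSeconds([int]$dc.expires_in)
    $tokenBody = @{
        grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
        client_id   = $ClientId
        device_code = $dc.device_code
    }
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            $token = Invoke-RestMethod -Method Post -Uri "$base/token" -Body $tokenBody -ErrorAction Stop
            # Success: same { AccessToken, TenantId } shape the PR's refactor returns.
            return [pscustomobject]@{ AccessToken = $token.access_token; TenantId = $TenantId }
        } catch {
            # Pending/declined states come back as HTTP 400 with a JSON body; assumption:
            # Invoke-RestMethod exposes that body via $_.ErrorDetails.Message.
            $oauthError = $null
            if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
                $oauthError = ($_.ErrorDetails.Message | ConvertFrom-Json).error
            }
            if ($oauthError -eq "authorization_pending") { continue }      # user not done yet
            if ($oauthError -eq "slow_down") { $interval += 5; continue }  # back off as told
            if ($oauthError -eq "expired_token") { throw "Device code expired before sign-in completed." }
            if ($oauthError -eq "authorization_declined") { throw "User declined the sign-in request." }
            throw   # anything else is unexpected: rethrow for the caller
        }
    }
    throw "Timed out waiting for device code authorization."
}
```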