Enable CanShowDialog for .NET core Authentication Plugins

[embetten]

NuGet Product(s) Affected

MSBuild.exe, dotnet.exe

Current Behavior

Currently, NuGet does not enable canShowDialog for .NET core authentication plugins. In these scenarios, canShowDialog is hard-coded to false in the defaultCredentialService. As a result, users with a .NET core NuGet authentication plugin backed by MSAL will be forced down device code flow instead of interactive authentication flow even if a pop up or browser auth is available and preferred.

Desired Behavior

To help users avoid device code flow where possible, this behavior should be changed to allow the canShowDialog parameter to be passed by the user to .NET Core plugins. Additionally, the relevant dotnet cli NuGet commands and other .NET core integration points should be updated to pass the canShowDialog argument. This change will give users the flexibility to choose their preferred authentication method, enhancing both usability and security.

Additional Context

Additional context to consider:

• MSAL is the standard authentication library. For users that do not have WAM/WIA broker authentication available, device code flow is the only authentication method available without a pop-up dialog.
• Device code flow is a negative user experience compared to other MSAL authentication methods and a higher-risk authentication flow. Device code flow cannot be bound to a device, which prevents Entra tenant admins from adding conditional access policies that check for specific devices. These integration points should be updated to enable our security-conscious users to easily avoid device code flow where possible.
• With mono no longer being supported, more users are being pushed to the .NET core plugins. Without this proposed behavior change, more users will be pushed to device code flow. Users migrating from the .NET framework experience to the .NET core behavior will no longer have canShowDialog option thereby degrading their experience.
• The artifacts-credprovider is considering long term plans to return Entra tokens instead of ADO PAT tokens. In doing so, the login frequency would be reduced to the lifetime of the Entra tokens. Without this proposed behavior change, users would be prompted via device code flow every 24-hour period. We would like users to have an easier way to specify device code flow alternatives to make this migration a more viable user experience.
• By popular demand, artifacts-credprovider has implemented a workaround to allow users to override this behavior by setting an environment variable NUGET_CREDENTIALPROVIDER_FORCE_CANSHOWDIALOG_TO (see here in the readme). However, we suspect this environment variable is not widely known, and setting environment variables instead of passing command line arguments is a disjointed experience for CLI users.

[nkolev92]

It's not just .NET (Core), but MSBuild.exe as well.