Adopt the MSAL broker to talk to the OS for Microsoft auth

[TylerLeonhardt]

This adopts the NativeBrokerPlugin provided by @azure/msal-node-extensions to provide the ability to use auth state from the OS, and show native auth dialogs instead of going to the browser.

This has several pieces:

• The adoption of the broker in the microsoft-authentication extension:
  • Adding NativeBrokerPlugin to our PCAs
  • Using the proposed handle API to pass the native window handle down to MSAL calls (btw, this API will change in a follow up PR)
  • Adopting an AccountAccess layer to handle:
    • giving the user control of which accounts VS Code uses
    • an eventing layer so that auth state can be updated across multiple windows
• Getting the extension to build properly and only build what it really needs. This required several package.json/webpack hacks:
  • Use a fake keytar since we don't use the feature in @azure/msal-node-extensions that uses keytar
  • Use a fake dpapi layer since we don't use the feature in @azure/msal-node-extensions that uses it
  • Ensure the msal runtime .node and .dll files are included in the bundle
• Get the VS Code build to allow a native node module in an extension: by having a list of native extensions that will be built in the "ci" part of the build - in other words when VS Code is building on the target platform

There are a couple of followups:

• Refactor the handle API to handle (heh) Auxiliary Windows Proposed API for window handle #233106
• Separate the call to acquireTokenSilent and acquireTokenInteractive and all the usage of this native node module into a separate process or maybe in Core... we'll see. Something to experiment with after we have something working. NEEDS FOLLOW UP ISSUE

Fixes #229431

Copilot reviewed 5 out of 16 changed files in this pull request and generated no suggestions.

Files not reviewed (11)

• extensions/microsoft-authentication/.vscodeignore: Language not supported
• extensions/microsoft-authentication/package-lock.json: Language not supported
• extensions/microsoft-authentication/package.json: Language not supported
• extensions/microsoft-authentication/packageMocks/keytar/package.json: Language not supported
• extensions/microsoft-authentication/tsconfig.json: Language not supported
• build/lib/extensions.js: Evaluated as low risk
• extensions/microsoft-authentication/src/node/publicClientCache.ts: Evaluated as low risk
• build/gulpfile.extensions.js: Evaluated as low risk
• build/gulpfile.vscode.js: Evaluated as low risk
• extensions/microsoft-authentication/src/node/authProvider.ts: Evaluated as low risk
• build/lib/extensions.ts: Evaluated as low risk

Comments skipped due to low confidence (7)

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:7

• Ensure that the NativeBrokerPlugin is correctly imported and used.

import { NativeBrokerPlugin } from '@azure/msal-node-extensions';

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:29

• Verify that ScopedAccountAccess is correctly instantiated and used.

private readonly _accountAccess = new ScopedAccountAccess(this._secretStorage, this._cloudName, this._clientId, this._authority);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:89

• Ensure that initialize method is correctly called and handled.

await this._accountAccess.initialize();

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:126

• Ensure that setAllowedAccess method is correctly called and handled.

await this._accountAccess.setAllowedAccess(result.account!, true);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:134

• Ensure that setAllowedAccess method is correctly called and handled.

return this._accountAccess.setAllowedAccess(account, false);

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:141

• Ensure that onDidAccountAccessChange method is correctly called and handled.

return this._accountAccess.onDidAccountAccessChange(() => this._update());

extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts:180

• Ensure that isAllowedAccess method is correctly called and handled.

after = after.filter(a => this._accountAccess.isAllowedAccess(a));

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

[TylerLeonhardt]

This can go away when this is released: AzureAD/microsoft-authentication-library-for-js#7412

[deepak1556]

Reviewed the build part. LGTM overall, minor nits

[deepak1556]

Running a full build for sanity https://monacotools.visualstudio.com/Monaco/_build/results?buildId=304750&view=results

[TylerLeonhardt]

New sanity build after changes: https://monacotools.visualstudio.com/Monaco/_build/results?buildId=304949&view=results

[deepak1556]

Don't we want compileExtensionsBuildTask here ? I believe this task is only used for local build, so useful to build all targets ?

[TylerLeonhardt]

It does build all targets. We build the non-native ones here, and then the native ones in the serverTaskCI which is included in this local build task at the bottom

[deepak1556]

Suggested change

	compileNonNativeExtensionsBuildTask,
	compileExtensionsBuildTask,

?

[TylerLeonhardt]

With this suggestion, we will be building the native ones twice. I separated them out so that we didn't double build based on your original feedback.

The non-native ones are built here, and then the native ones are part of vscodeTaskCI which is added to the end of this local build task.

Am I misunderstanding something?

[deepak1556]

Not sure why the universal build fails on the parcel watcher, I will take a look at it today.

[TylerLeonhardt]

@deepak1556 this fixed the Create Universal App step of the build for me. Let me know if you'd like to expand the scope but until then I've scoped it as small as possible.

[TylerLeonhardt]

Sanity build here: https://monacotools.visualstudio.com/Monaco/_build/results?buildId=305103&view=results ✅

smoke tested on macOS and Windows and everything seems operational.