nuget command line ignores credentials saved by Visual studio

[tapika]

Tested with nuget 5.8.0.6930, and 5.9.0.7134.

When running "nuget.exe restore solution.sln" command - nuget does not use Visual Studio credentials, and does not prompt to enter login and password.

First provider which gets executed is MsalDeviceCodeFlowBearerTokenProvider.

Text banner looks like this:

    **********************************************************************

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCEDFGH to authenticate.

    **********************************************************************

Brief analysis of https://github.com/microsoft/artifacts-credprovider code and couple of debug sessions revealed to me what was the problem.

There exists two different compilations of credprovider - namely .net core's without user interface, and .net framework (NETFRAMEWORK define macro enabled) with user interface.

By default if you install credential provider using command line like installcredprovider.ps1
it will download .net core credential provider, which is without user interface.

If you however use -AddNetfx parameter at the end - it will download .net framework based credential provider, which in a turn can display login and password prompt to azure and avoid that ugly device based authentication.

I guess for nuget there are two strategies which can be used.

1. nuget automatically authorizes against azure via login / password by allowing user interface prompt. (Using VstsCredentialProvider class)

(E.g. powershell script like this could be used if necessary: chocolatey/choco#1721 (comment))

nuget restore already have -NonInteractive which can be used to suppress UI prompt if necessary.

2. nuget uses %localappdata%\MicrosoftCredentialProvider\SessionTokenCache.dat file directly and authorizes against azure if personal access token is not expired.

I by myself would prefer to have 1 implemented and using -NonInteractive it would be possible to suppress login dialog.

Device code bearer token provider authorizes nuget restore for 4 hours - which is quite small amount of time for developer.

(Yesterday it was working - what? - again to log in ?)

If it continues to authorize for 4 hours, then I would prefer to remove it or obsolete it.
In link above I've managed to suppress by setting timeout limit environment variable - but this maybe not good from nuget console output perspective.

[tapika]

AzureCredentials.zip

If you decide to go with alternative 2 - then it's possible to load credential cache using code like this:

string cacheFilePath = Environment.ExpandEnvironmentVariables(@"%localappdata%\MicrosoftCredentialProvider\SessionTokenCache.dat");
if (System.IO.File.Exists(cacheFilePath))
{ 
    try
    {
        var urlPasswords = new NuGetCredentialProvider.Util.SessionTokenCache(cacheFilePath).Cache;
        foreach (var origUrl in urlPasswords.Keys)
        { 

Attached files are stripped down versions from https://github.com/microsoft/artifacts-credprovider.

And credentials can be returned like this:

return new NetworkCredential("az", urlPasswords[origUrl]);

After which authentication works out of box.

[tapika]

If you have influence on how much time PAT will be valid (E.g. set NUGET_CREDENTIALPROVIDER_VSTS_SESSIONTIMEMINUTES)- I would prefer to have larger value (e.g. year at least) rather than shorter.

[dominoFire]

Thanks a lot for you detailed analysis, @tapika

nuget.exe works with .NET Framework ; so, it will use .NET Framework Authentication plugin. The Azure Artifacts Credential plugin is maintained by a team external to NuGet.

I will close this issue and repost in microsoft/artifacts-credprovider.

Any questions, let us know.

[tapika]

Are you sure artifacts-credprovider is right repository to raise this error ?

.net core 2 theoretically goes into direction - less UI, more portable direction - would work also on linux, mac, android.

with .net 5 it's possible to get more UI and more portable.