msauth: include better warning message on Keychain errors

Sometimes the login Keychain is not accessible and the MSAL.Extensions library cannot read/write the token cache. The specific error encountered internally is `errSecAuthFailed` - neither we nor the MSAL team know why this happens sometimes. Locking and then unlocking the login Keychain manually, or simply restarting the computer appears to fix the problem. Include the lock+unlock/restart remedy in the warning message on macOS.
git-ecosystem · Mar 10, 2021 · 49ca302 · 49ca302
1 parent 3c3ae22
commit 49ca302
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/MicrosoftAuthentication.cs
@@ -236,13 +236,23 @@ private async Task RegisterTokenCacheAsync(IPublicClientApplication app)
             }
             catch (MsalCachePersistenceException ex)
             {
-                Context.Streams.Error.WriteLine("warning: cannot persist Microsoft Authentication data securely!");
+                Context.Streams.Error.WriteLine("warning: cannot persist Microsoft authentication token cache securely!");
                 Context.Trace.WriteLine("Cannot persist Microsoft Authentication data securely!");
                 Context.Trace.WriteException(ex);
 
-                // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
-                if (PlatformUtils.IsLinux())
+                if (PlatformUtils.IsMacOS())
                 {
+                    // On macOS sometimes the Keychain returns the "errSecAuthFailed" error - we don't know why
+                    // but it appears to be something to do with not being able to access the keychain.
+                    // Locking and unlocking (or restarting) often fixes this.
+                    Context.Streams.Error.WriteLine(
+                        "warning: there is a problem accessing the login Keychain - either manually lock and unlock the " +
+                        "login Keychain, or restart the computer to remedy this");
+                }
+                else if (PlatformUtils.IsLinux())
+                {
+                    // On Linux the SecretService/keyring might not be available so we must fall-back to a plaintext file.
+                    Context.Streams.Error.WriteLine("warning: using plain-text fallback token cache");
                     Context.Trace.WriteLine("Using fall-back plaintext token cache on Linux.");
                     var storageProps = CreateTokenCacheProps(clientId, useLinuxFallback: true);
                     helper = await MsalCacheHelper.CreateAsync(storageProps);