Azure DevOps - warning: invalid credential line: Opening in existing browser session.

[chrisvanderpennen]

This is the same behaviour as reported in #178 except that the problem call to xdg-open comes from inside MSAL - here, I think. Let me know if you'd like me to submit a sibling issue there.

Which version of GCM Core are you using?
Git Credential Manager version 2.0.318-beta+44acfafa98 (Linux, .NET Core 3.1.10)

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - please describe

Can you access the remote repository directly in the browser using the remote URL?

• Yes
• No, I get a permission error
• No, for a different reason - please describe

---

[Azure DevOps only] What format is your remote URL?

• Not applicable
• https://dev.azure.com/`{org}`/...
• https://{org}@dev.azure.com/{org}/...
• https://{org}.visualstudio.com/...

[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

• Not applicable
• I only see one identity
• I checked each identity and none worked

---

Expected behavior

I am authenticated and my Git operation completes successfully.

Actual behavior

Chrome launches to the AAD login page. I successfully authenticate, and am returned to localhost where the "Authentication complete. You can return to the application. Feel free to close this browser tab." message is printed. However, at console a warning is logged and I am prompted for a password by git::

Cloning into 'zzz'...
warning: invalid credential line: Opening in existing browser session.
Password for 'https://xxx@dev.azure.com/xxx/yyy/_git/zzz':

I can see that a valid PAT was created in DevOps.

Logs

Set the environment variables GCM_TRACE=1 and GIT_TRACE=1 and re-run your Git command. Review and redact any private information and attach the log.

GIT_TRACE=1 GCM_TRACE=1 git clone https://xxx@dev.azure.com/xxx/yyy/_git/zzz                                                            
13:05:49.655977 git.c:444               trace: built-in: git clone https://xxx@dev.azure.com/xxx/yyy/_git/zzz
Cloning into 'zzz'...
13:05:49.661021 run-command.c:664       trace: run_command: git remote-https origin https://xxx@dev.azure.com/xxx/yyy/_git/zzz
13:05:49.664089 git.c:730               trace: exec: git-remote-https origin https://xxx@dev.azure.com/xxx/yyy/_git/zzz
13:05:49.664183 run-command.c:664       trace: run_command: git-remote-https origin https://xxx@dev.azure.com/xxx/yyy/_git/zzz
13:05:49.986898 run-command.c:664       trace: run_command: '/usr/bin/git-credential-manager-core get'
13:05:50.299377 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.318-beta+44acfafa98 (Linux, .NET Core 3.1.10) 'get'
13:05:50.312583 ...mmands/Command.cs:63 trace: [ExecuteAsync] Start 'get' command...
13:05:50.318765 ...mmands/Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
13:05:50.319590 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	protocol=https
13:05:50.319605 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	host=dev.azure.com
13:05:50.319614 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	path=xxx/yyy/_git/zzz
13:05:50.319620 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	username=xxx
13:05:50.381363 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
13:05:50.384730 ...mmands/Command.cs:77 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
13:05:50.391404 ...osHostProvider.cs:66 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://dev.azure.com/xxx account=...
13:05:50.448282 ...osHostProvider.cs:71 trace: [GetCredentialAsync] No existing credentials found.
13:05:50.448330 ...osHostProvider.cs:74 trace: [GetCredentialAsync] Creating new credential...
13:05:50.449944 ...sHostProvider.cs:141 trace: [GenerateCredentialAsync] Determining Microsoft Authentication Authority...
13:05:50.454956 ...eDevOpsRestApi.cs:46 trace: [GetAuthorityAsync] HTTP: HEAD https://dev.azure.com/xxx
13:05:50.456002 ...pClientFactory.cs:53 trace: [CreateClient] Creating new HTTP client instance...
13:05:50.664243 ...eDevOpsRestApi.cs:49 trace: [GetAuthorityAsync] HTTP: Response code ignored.
13:05:50.664270 ...eDevOpsRestApi.cs:50 trace: [GetAuthorityAsync] Inspecting headers...
13:05:50.671835 ...eDevOpsRestApi.cs:57 trace: [GetAuthorityAsync] Found WWW-Authenticate header with Bearer authority 'https://login.microsoftonline.com/uuid'.
13:05:50.672248 ...sHostProvider.cs:143 trace: [GenerateCredentialAsync] Authority is 'https://login.microsoftonline.com/uuid'.
13:05:50.672261 ...sHostProvider.cs:146 trace: [GenerateCredentialAsync] Getting Azure AD access token...
13:05:50.688556 ...uthentication.cs:267 trace: [RegisterVisualStudioTokenCacheAsync] Configuring Visual Studio token cache...
13:05:50.688586 ...uthentication.cs:289 trace: [RegisterVisualStudioTokenCacheAsync] Visual Studio token cache integration is not supported on Linux.
13:05:50.693945 ...uthentication.cs:153 trace: [GetAccessTokenInProcAsync] Performing interactive auth with system web view...
13:05:50.718549 ...pClientFactory.cs:53 trace: [CreateClient] Creating new HTTP client instance...
warning: invalid credential line: Opening in existing browser session.
13:06:02.909165 ...sHostProvider.cs:155 trace: [GenerateCredentialAsync] Acquired Azure access token. User='me@xxx.com' Token='********'
13:06:02.909239 ...sHostProvider.cs:163 trace: [GenerateCredentialAsync] Creating Azure DevOps PAT with scopes 'vso.code_write, vso.packaging'...
13:06:02.910246 ...DevOpsRestApi.cs:105 trace: [CreatePersonalAccessTokenAsync] Getting Azure DevOps Identity Service endpoint...
13:06:02.911981 ...DevOpsRestApi.cs:155 trace: [GetIdentityServiceUriAsync] HTTP: GET https://dev.azure.com/xxx/_apis/ServiceDefinitions/LocationService2/uuid?api-version=1.0
13:06:02.946694 ...DevOpsRestApi.cs:159 trace: [GetIdentityServiceUriAsync] HTTP: Response 200 [OK]
13:06:02.951799 ...DevOpsRestApi.cs:107 trace: [CreatePersonalAccessTokenAsync] Identity Service endpoint is 'https://spsprodeau1.vssps.visualstudio.com/uuid/'.
13:06:02.951857 ...DevOpsRestApi.cs:111 trace: [CreatePersonalAccessTokenAsync] HTTP: POST https://spsprodeau1.vssps.visualstudio.com/uuid/_apis/token/sessiontokens?api-version=1.0&tokentype=compact
13:06:03.378571 ...DevOpsRestApi.cs:116 trace: [CreatePersonalAccessTokenAsync] HTTP: Response 200 [OK]
13:06:03.401071 ...sHostProvider.cs:168 trace: [GenerateCredentialAsync] PAT created. PAT='********'
13:06:03.402526 ...osHostProvider.cs:76 trace: [GetCredentialAsync] Credential created.
13:06:03.404757 ...mmands/Command.cs:81 trace: [ExecuteAsync] End 'get' command...
Password for 'https://xxx@dev.azure.com/xxx/yyy/_git/zzz': 
13:06:07.858142 run-command.c:664       trace: run_command: '/usr/bin/git-credential-manager-core erase'
13:06:07.971319 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.318-beta+44acfafa98 (Linux, .NET Core 3.1.10) 'erase'
13:06:07.986907 ...mmands/Command.cs:63 trace: [ExecuteAsync] Start 'erase' command...
13:06:07.993382 ...mmands/Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
13:06:07.994225 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	protocol=https
13:06:07.994238 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	host=dev.azure.com
13:06:07.994243 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	path=xxx/yyy/_git/zzz
13:06:07.994248 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	username=xxx
13:06:07.994256 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	password=********
13:06:08.055043 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
13:06:08.055873 ...mmands/Command.cs:77 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
13:06:08.056459 ...sHostProvider.cs:108 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://dev.azure.com/xxx account=...
13:06:08.099463 ...sHostProvider.cs:115 trace: [EraseCredentialAsync] No credential was erased.
13:06:08.099545 ...mmands/Command.cs:81 trace: [ExecuteAsync] End 'erase' command...
fatal: Authentication failed for 'https://dev.azure.com/xxx/yyy/_git/zzz/'

[mjcheetham]

Hi @chrisvanderpennen,

Thanks for raising this, and investigating the problem. I believe you are correct here, in that it's MSAL launching xdg-open without redirecting and swallowing the standard output and error streams.

I can open the issue over on the MSAL team.

[mjcheetham]

AzureAD/microsoft-authentication-library-for-dotnet#2427

[glima]

That has been released, can we have a bump on this project too?

[glima]

Friendly bump