Port relevant commits from 2.9.0 and 2.9.1 releases#2382
Merged
Conversation
The authorization code flow only handled the default 'query' response mode, where the loopback browser reads the response from the request query string and returns a URI for the client to parse. The 'fragment' and 'form_post' modes deliver the response over channels a URI cannot represent - the fragment is never transmitted to the server, and form_post arrives as a urlencoded POST body - so hosts that mandate those modes could not be used. Have the browser return the parsed response parameters regardless of transport and tell it which mode to expect. The system browser reads the POST body for form_post, and for fragment serves a small page that re-submits the parameters as a form POST to the loopback redirect - keeping the authorization code out of the URL, browser history, and server logs. The client sends 'response_mode' only when it is not the default, so existing query-mode requests are unchanged. Assisted-by: Claude Opus 4.8 Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Now that the OAuth client can request non-query response modes, expose the choice to generic host configurations through a new optional setting (credential.<host>.oauthResponseMode, or the GCM_OAUTH_RESPONSE_MODE environment variable). The built-in providers target known hosts that use 'query', so the generic provider is the only place an arbitrary host's response mode needs to be configurable. The setting is optional and defaults to 'query', so existing configurations are unaffected. An unrecognised value is traced and falls back to the default rather than failing configuration outright. Assisted-by: Claude Opus 4.8 Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
GCM launches the system browser for interactive OAuth by handing the authorization URL to the OS "shell execute" handler. On macOS that is /usr/bin/open, which validates the URL and, on finding any character that is not legal in a fully percent-encoded URL, re-encodes the whole query string. That step double-escapes parameters we had already encoded -- redirect_uri=http%3A%2F%2F... becomes redirect_uri=http%253A%252F%252F... -- and the authorization server rejects the redirect. Windows ShellExecuteEx forwards the string verbatim, so only macOS is affected. The trigger was a raw space in the query. Uri.ToString() is a display form that unescapes %20 back to a literal space (while leaving %2F alone), so building the launch string that way reintroduced spaces, most easily via the space-delimited scope parameter. This surfaced after MSAL began encoding spaces[1] as %20 rather than +; a literal + is left untouched by ToString(), which had masked the problem. Uri.AbsoluteUri keeps the query fully percent-encoded, so %20 stays %20 and macOS open accepts the URL unchanged. [1]: AzureAD/microsoft-authentication-library-for-dotnet#5128 Assisted-by: Claude Opus 4.8 Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
e68d8a8 to
329da7f
Compare
derrickstolee
approved these changes
Jul 14, 2026
dscho
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a port of commits from the 2.9.0 and 2.9.1 embargoed releases into the vnext branch.
Note that not all of the commits were required since
vnextalready had some of the bug fixes (the CFS release change), or have been superseded by refactoring (MicrosoftAuthentication -> EntraAuthenticationalready changed how we use redirect URIs and resolved auth flows) and updates to even newer MSAL versions.