acquire_token_interactive cannot open web browser on WSL2 + Ubuntu 22.04

[bgavrilMS]

Discussed in #627

^{Originally posted by jiasli November 16, 2023}
Describe the bug
acquire_token_interactive cannot open web browser on WSL2 + Ubuntu 22.04. The upstream issue is microsoft/WSL#8892.

To Reproduce

$ az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
/usr/bin/xdg-open: 882: x-www-browser: not found
/usr/bin/xdg-open: 882: firefox: not found
/usr/bin/xdg-open: 882: iceweasel: not found
/usr/bin/xdg-open: 882: seamonkey: not found
/usr/bin/xdg-open: 882: mozilla: not found
/usr/bin/xdg-open: 882: epiphany: not found
/usr/bin/xdg-open: 882: konqueror: not found
/usr/bin/xdg-open: 882: chromium: not found
/usr/bin/xdg-open: 882: chromium-browser: not found
/usr/bin/xdg-open: 882: google-chrome: not found
/usr/bin/xdg-open: 882: www-browser: not found
/usr/bin/xdg-open: 882: links2: not found
/usr/bin/xdg-open: 882: elinks: not found
/usr/bin/xdg-open: 882: links: not found
/usr/bin/xdg-open: 882: lynx: not found
/usr/bin/xdg-open: 882: w3m: not found
xdg-open: no method available for opening 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?...'

Additional context
Windows Terminal supports Ctrl+Click to open hyperlinks, so the user can Ctrl+Click the URL after xdg-open: no method available for opening to open the web browser and the rest steps work as usual.

[bgavrilMS]

I'm reopening this as it is a bug in MSAL. MSAL is expected to get this to work with WSL. Let's keep the bug open with the tag "External" if we expect the WSL team to fix this.

Root cause: microsoft/WSL#8892

[rayluo]

Since the lack of browser support is on WSL, and the lack of browser detection is on Python language, there is perhaps only one thing left that MSAL Python can do.

Proposal: If acquire_token_interactive() has been waiting for an auth code for more than 10 seconds, MSAL Python can print a message like this on the console: "Hint: If there was no browser popped up, you may try paste this link into your browser https://login.microsoftonline.com/...?state=1234&nonce=5678...".

Two differences between the existing-but-undocumented API (which I mentioned to @jiasli the other day) and this new not-yet-implemented proposal:

• This new behavior is only time-based, so, it will not be affected by Python's lack of browser detection.
• MSAL Python can automatically and always enable such a new behavior, without needing to provide a new api to opt in. This means (1) easy adoption; (2) flexible because we can easily revert this change if necessary, without concern of a breaking change.

[jiasli]

If acquire_token_interactive() has been waiting for an auth code for more than 10 seconds

The login process in the browser can easily exceeds 10s, especially when MFA is involved.

[rayluo]

If acquire_token_interactive() has been waiting for an auth code for more than 10 seconds

The login process in the browser can easily exceeds 10s, especially when MFA is involved.

Good point. We may use a longer value, such as 30 seconds, if not longer. By that time, even if the user was still busy doing MFA, seeing such a hint message shall still be considered understandable and acceptable.

[jiasli]

Copied from microsoft/WSL#8892 (comment)

Without xdg-utils installed, webbrowser from Python 3.11 now reports a different error:

$ sudo apt remove xdg-utils
$ sudo apt install python3.11
$ python3.11 -c "import webbrowser; print(webbrowser.open('https://login.microsoftonline.com/'))"
True
gio: https://login.microsoftonline.com/: Operation not supported

[rayluo]

For what it's worth, I chatted with a Python core developer who confirms that we shouldn't rely on the undocumented return value of webbrowser.open(...). So, I doubt whether these is much MSAL can do, except adding a hint message after some 30 (or even longer) second delay.

If, for example, Azure CLI would like to explore detecting browser on WSL, that effort and its outcome shall go to upstream Python standard library.

[jiasli]

adding a hint message after some 30 (or even longer) second delay.

I personally don't think this is a good user experience. Imagine you have to wait 30 seconds before you know what to do next. As Azure CLI developer, I would rather show the hint message unconditionally if WSL is detected:

Hint: If there was no browser popped up, you may try paste this link into your browser.

Azure CLI has a function is_wsl for detecting if it is run in WSL: https://github.com/Azure/azure-cli/blob/a5198b578b17de934e15b1c92e369e45323e9658/src/azure-cli-core/azure/cli/core/util.py#L743-L749

MSAL copied the logic from Azure CLI (8d86917):

microsoft-authentication-library-for-python/msal/oauth2cli/authcode.py

Lines 56 to 65 in 3702816

	def is_wsl():
	# "Official" way of detecting WSL: https://github.com/Microsoft/WSL/issues/423#issuecomment-221627364
	# Run `uname -a` to get 'release' without python
	# - WSL 1: '4.4.0-19041-Microsoft'
	# - WSL 2: '4.19.128-microsoft-standard'
	import platform
	uname = platform.uname()
	platform_name = getattr(uname, 'system', uname[0]).lower()
	release = getattr(uname, 'release', uname[2]).lower()
	return platform_name == 'linux' and 'microsoft' in release