Skip to content

Check for xdg-open availability on Linux for browser auth #2254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kyle-rader-msft wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Check for xdg-open availability on Linux for browser auth #2254

kyle-rader-msft wants to merge 3 commits into from

Conversation

@kyle-rader-msft
Copy link

@kyle-rader-msft kyle-rader-msft commented Jan 29, 2026
edited
Loading

Summary

Check for browser launcher availability (xdg-open, gnome-open, etc.) in addition to checking for desktop session presence to gate web auth flow.

Problem

GCM currently only checks for DISPLAY or WAYLAND_DISPLAY environment variables to determine if browser-based authentication is available on Linux. However, MSAL checks for xdg-open availability in addition to display environment variables. This creates a mismatch where GCM reports "browser not available" even though MSAL can successfully launch a browser using xdg-open.

Real-World BLocker: WaveSpace VMs

This fix isimportant for WaveSpace VMs and similar environments where:

  • Users connect via SSH without X11 forwarding (no DISPLAY environment variable)
  • xdg-open is available and can launch the host system's browser (this is setup by VSCode remote tunnels)
  • Browser-based authentication needs to work for conditional access policies, satisifed by the host's browser (Microsoft Edge in this case).

Solution

Modified LinuxSessionManager.GetWebBrowserAvailable() to return true if:

  • An interactive desktop session is detected (existing behavior via DISPLAY/WAYLAND_DISPLAY), OR
  • A shell execute handler like xdg-open is available (new behavior)

This matches MSAL's browser detection logic and ensures GCM, AzureAuth and MSAL behave consistently.

Behavior Changes

Scenario Before After
Linux with DISPLAY set ✅ Browser available ✅ Browser available
Linux with WAYLAND_DISPLAY set ✅ Browser available ✅ Browser available
Linux with xdg-open but no DISPLAY ❌ Browser NOT available ✅ Browser available (FIXED)
Linux without display vars or browser launchers ❌ Browser NOT available ❌ Browser NOT available

Testing

  • ✅ Solution builds successfully with no warnings
  • Manual testing recommended on Linux system without DISPLAY but with xdg-open available
  • Verify OAuth authentication works in SSH sessions with xdg-open present

🤖 Generated with Claude Code

@claude
Check for xdg-open availability on Linux for browser auth
69a1f88 
Enhanced LinuxSessionManager.GetWebBrowserAvailable() to check for
browser launcher availability (xdg-open, gnome-open, etc.) in addition
to checking for desktop session. This matches MSAL's behavior and fixes
the scenario where GCM reports "browser not available" even though MSAL
can successfully launch a browser using xdg-open (e.g., in SSH sessions
without X11 forwarding but with xdg-open available).

The IsDesktopSession property remains unchanged and focused on detecting
X11/Wayland desktop environments. Only the IsWebBrowserAvailable check
has been enhanced.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@kyle-rader-msft kyle-rader-msft requested a review from a team as a code owner January 29, 2026 08:06
mjcheetham
mjcheetham requested changes Jan 29, 2026
View reviewed changes
Kyle Rader added 2 commits January 29, 2026 10:46
Refactor: invert handler check for clearer logic
cc81292 
Move shell execute handler check to top with early return if handler
exists (with WSL session 0 exception). This makes the logic flow more
clearly and avoids redundant checks between WSL and non-WSL paths.

Logic now:
- If handler exists (xdg-open, wslview, etc.): return true (early exit)
  * Exception: WSL session 0 returns false
- If no handler and WSL: return false
- If no handler and non-WSL: fall back to IsDesktopSession check
Simplify logic with explicit boolean vars and single return
0b7e96a 
Refactored GetWebBrowserAvailable() to be much more readable:
- Define all boolean properties upfront (hasHandler, isWsl, etc.)
- Single return statement expressing the complete logic clearly
- No nested conditionals or multiple return paths

Logic: (hasHandler && !isWslSession0) || (isDesktopSession && !isWsl && !hasHandler)
@becm
Copy link
Contributor

becm commented Jan 29, 2026
edited
Loading

@mjcheetham return of GetWebBrowserAvailable() may not block on missing Linux utilities.
Current WSL detection redirects requests to the host system just fine without them.
Or maybe not yet, BrowserUtils.OpenDefaultBrowser() seems to not handle WSL in a special way…

The presence of wslview is an esoteric corner case and likely breaks similar to our existing logic
(e.g.: WSL interop is disabled → #1813).

The problem here is HOW to detect if any open tool is properly set up to redirect to a UI-capable system?

@becm
Copy link
Contributor

becm commented Jan 29, 2026

Next debatable design; none of the listed open tools in BrowserUtils.cs guarantee there IS a usable browser installed (same issue in the linked MSAL proxy lookup).

So in a proper desktop session, valid programs would rather be
["x-www-browser", "www-browser", <other known UI HTTPS applications>].

If possible, detection of WSL-interop or other redirect condition is independent from availability of local browsers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mjcheetham mjcheetham mjcheetham requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kyle-rader-msft @becm @mjcheetham