`a365 publish` fails on macOS with `PlatformNotSupportedException` during MOS token acquisition

[sellakumaran]

a365 publish aborts on macOS with a fatal authentication error when acquiring the MOS token. The manifest is packaged correctly but the publish never completes because the token step throws System.PlatformNotSupportedException and the error is treated as fatal.

Repro steps

1. Run a365 publish on macOS 15.x
2. Observe manifest updated and zip created successfully
3. At the MOS token acquisition step, the CLI exits with an error

Error output

Acquiring MOS token for environment: prod
A browser window will open for authentication...
ERROR: Failed to acquire MOS token: macOS 15.3.1
System.PlatformNotSupportedException: macOS 15.3.1
  at Microsoft.Identity.Client.Platforms.netstandard.NetCorePlatformProxy.StartDefaultOsBrowserAsync(String url, Boolean isBrokerConfigured)
  at Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser.DefaultOsBrowserWebUi.<>c__DisplayClass10_0.<InterceptAuthorizationUriAsync>b__0(Uri u)
  ...
  at Microsoft.Agents.A365.DevTools.Cli.Services.MosTokenService.AcquireTokenAsync
ERROR: Unable to acquire MOS token. Aborting publish.

Expected behavior

When a browser is not available, the CLI should fall back to device code authentication (same as a365 setup commands do on macOS/Linux) and allow the user to complete sign-in manually.

Actual behavior

The CLI exits with a fatal error. The manifest zip is already generated and could be uploaded manually, but the user has no way to complete the publish through the CLI.

Environment

• macOS 15.3.1 (Apple Silicon and Intel both affected)
• Also reproducible on Linux/WSL headless environments
• Not reproducible on Windows

Additional context

PR #309 added device code fallback for PlatformNotSupportedException in MsalBrowserCredential, which fixed the same issue for a365 setup commands. However, MosTokenService (used by a365 publish) had its own separate MSAL flow that was not updated and still calls AcquireTokenInteractive directly without any fallback.

[github-actions]

[AUTO-TRIAGE] Team Assistant Triage

This issue has been automatically analyzed and triaged.

AI Decision Reasoning: Type: Classified as 'bug' because the issue describes a failure in expected functionality (a365 publish aborting due to a PlatformNotSupportedException) that prevents the command from completing on macOS and Linux environments.
Priority: Assigned P1 because the issue critically impacts the ability to use the a365 publish command on non-Windows platforms, effectively blocking a key workflow for affected users without a viable workaround. [Security issue detected: The issue describes a failure in authentication due to a lack of fallback for unsupported platforms, which could lead to improper handling of authentication flows or potential exposure of sensitive information if not addressed properly. This is a security-related concern because it involves authentication mechanisms and their robustness.]
Copilot: Security issues require human review and should not be auto-fixed
Assignment: Security issue assigned to security lead. The issue describes a failure in authentication due to a lack of fallback for unsupported platforms, which could lead to improper handling of authentication flows or potential exposure of sensitive information if not addressed properly. This is a security-related concern because it involves authentication mechanisms and their robustness.
Labels: Applied labels bug, P1, security based on issue type and priority

Labels and assignee have been applied based on this analysis.

[github-actions]

[AUTO-TRIAGE] Results

Classification: bug
Priority: P1
Confidence: 100.0%

Recommended Assignee: @sellakumaran

Analysis:
type rationale: Classified as 'bug' because the issue describes a failure in expected functionality (a365 publish aborting due to a PlatformNotSupportedException) that prevents the command from completing on macOS and Linux environments.

priority rationale: Assigned P1 because the issue critically impacts the ability to use the a365 publish command on non-Windows platforms, effectively blocking a key workflow for affected users without a viable workaround. [Security issue detected: The issue describes a failure in authentication due to a lack of fallback for unsupported platforms, which could lead to improper handling of authentication flows or potential exposure of sensitive information if not addressed properly. This is a security-related concern because it involves authentication mechanisms and their robustness.]

copilot rationale: Security issues require human review and should not be auto-fixed

assignment rationale: Security issue assigned to security lead. The issue describes a failure in authentication due to a lack of fallback for unsupported platforms, which could lead to improper handling of authentication flows or potential exposure of sensitive information if not addressed properly. This is a security-related concern because it involves authentication mechanisms and their robustness.

labels rationale: Applied labels bug, P1, security based on issue type and priority

[SUGGESTION] Suggested Approach

1. Update the MosTokenService class in src/Services/MosTokenService.cs to implement the same device code fallback logic introduced in PR fix: device code fallback for macOS browser auth and cross-platform URL opening #309 for MsalBrowserCredential. Specifically, catch the PlatformNotSupportedException and invoke AcquireTokenWithDeviceCodeAsync as a fallback when AcquireTokenInteractive fails.
2. Refactor the token acquisition logic into a shared utility method or service, as both a365 setup and a365 publish require similar fallback behavior. Place this utility in a shared location like src/Services/AuthenticationUtils.cs to reduce code duplication and ensure consistent behavior across commands.
3. Add unit tests for the updated MosTokenService in src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MosTokenServiceTests.cs to verify that the fallback to device code authentication works correctly on macOS and Linux environments. Mock the MSAL library to simulate PlatformNotSupportedException and ensure the fallback is triggered.
4. Update the documentation in docs/commands/a365_publish.md (or the equivalent file) to explicitly mention that device code authentication will be used as a fallback on macOS/Linux if the browser-based flow is not supported. This will help users understand the behavior change.
5. Test the updated a365 publish command on macOS, Linux, and WSL environments to ensure the fallback logic works as expected and does not introduce regressions. Use the existing CI pipeline in .github/workflows/ci.yml to automate testing across platforms if not already configured.

---

Generated by TeamAssistant Auto-Triage powered by GitHub Models