a365 config init always enables "Allow public client flows" (even on Windows) & adds undocumented https://localhost/ redirect URI

[laura-damian]

Description

When running a365 config init, the Agent 365 CLI:

• Always enables the Entra app’s “Allow public client flows” (isFallbackPublicClient) — even on Windows, where it’s not required.
• Silently adds a https://localhost/ redirect URI to the app registration if it’s missing.

Neither behavior is documented in the official setup guide, which can lead to confusion.

Expected behavior

The CLI should not silently modify app registration settings.
Documentation should clearly state:
That https://localhost/ is a required redirect URI.
That the CLI will enable “Allow public client flows” and why.
On Windows, the CLI should not enable public client flows unless device code fallback is actually needed.

SDK Version

1.1.115-preview+fd1f775761

Language/Runtime

Python 3.12

OS

Windows 11

How to Reproduce

1. Create a new Entra ID app registration for Agent 365 CLI.
   Ensure:

• “Allow public client flows” is disabled.
• https://localhost/ is not listed as a redirect URI.

2. Run a365 config init on Windows and complete the wizard.
   Observe:
   CLI logs:
   Enabling 'Allow public client flows' on app registration (required for device code authentication fallback on macOS/Linux).

App registration now has:

isFallbackPublicClient = true
https://localhost/ added as a redirect URI

Output

No response

Screenshots

No response

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct.

[github-actions]

[AUTO-TRIAGE] Team Assistant Triage

This issue has been automatically analyzed and triaged.

AI Decision Reasoning: Type: Classified as 'bug' because the issue describes unintended behavior where the CLI modifies app registration settings without user consent or proper documentation.
Priority: Elevated to P1 due to security concern: The issue describes a security concern related to the silent modification of app registration settings, including enabling 'Allow public client flows' and adding an undocumented redirect URI (https://localhost/). These changes could potentially weaken security by enabling public client flows unnecessarily and introducing an undocumented redirect URI, which might be exploited if not properly secured.
Copilot: Security issues require human review and should not be auto-fixed
Assignment: Security issue assigned to security lead. The issue describes a security concern related to the silent modification of app registration settings, including enabling 'Allow public client flows' and adding an undocumented redirect URI (https://localhost/). These changes could potentially weaken security by enabling public client flows unnecessarily and introducing an undocumented redirect URI, which might be exploited if not properly secured.
Labels: Applied labels bug, P1, security based on issue type and priority

Labels and assignee have been applied based on this analysis.

[github-actions]

[AUTO-TRIAGE] Results

Classification: bug
Priority: P1
Confidence: 95.0%

Recommended Assignee: @sellakumaran

Analysis:
type rationale: Classified as 'bug' because the issue describes unintended behavior where the CLI modifies app registration settings without user consent or proper documentation.

priority rationale: Elevated to P1 due to security concern: The issue describes a security concern related to the silent modification of app registration settings, including enabling 'Allow public client flows' and adding an undocumented redirect URI (https://localhost/). These changes could potentially weaken security by enabling public client flows unnecessarily and introducing an undocumented redirect URI, which might be exploited if not properly secured.

copilot rationale: Security issues require human review and should not be auto-fixed

assignment rationale: Security issue assigned to security lead. The issue describes a security concern related to the silent modification of app registration settings, including enabling 'Allow public client flows' and adding an undocumented redirect URI (https://localhost/). These changes could potentially weaken security by enabling public client flows unnecessarily and introducing an undocumented redirect URI, which might be exploited if not properly secured.

labels rationale: Applied labels bug, P1, security based on issue type and priority

[SUGGESTION] Suggested Approach

1. 1. Fix Conditional Logic for 'Allow Public Client Flows': Update the logic in the a365 config init command to only enable 'Allow public client flows' on non-Windows platforms or when device code fallback is explicitly required. Look for the relevant logic in the src directory, likely within src/Microsoft.Agents.A365.DevTools.Cli/Commands/ConfigInitCommand.cs or similar files.
2. 2. Add Validation for Redirect URIs: Modify the a365 config init implementation to check if https://localhost/ is already present in the redirect URIs before adding it. If it must be added, log a clear warning or prompt the user for confirmation. This logic may reside in the same file as above or in a helper class for app registration management.
3. 3. Update Documentation: Clearly document the behavior of 'Allow public client flows' and the addition of https://localhost/ as a redirect URI in the setup guide. Update the relevant Markdown files in the docs directory, such as docs/setup.md, to explain why these changes are made and under what conditions.
4. 4. Add Unit Tests for Config Init Behavior: Write unit tests to validate that 'Allow public client flows' is only enabled when necessary and that https://localhost/ is only added when missing. Add these tests to src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/ConfigInitCommandTests.cs or a similar test file.
5. 5. Improve Logging for App Registration Changes: Enhance the logging in a365 config init to explicitly inform users about changes being made to the app registration, such as enabling 'Allow public client flows' or adding https://localhost/. This can be implemented using the existing logging framework in the CLI, likely in src/Microsoft.Agents.A365.DevTools.Cli/Utilities/Logger.cs or similar.

---

Generated by TeamAssistant Auto-Triage powered by GitHub Models

[github-actions]

SLA Escalation Alert

This P1 issue has exceeded its SLA threshold.

Metric	Value
Priority	P1
SLA Threshold	48 hours
Time Since Update	68.5 hours
Current Assignees	@sellakumaran

Action: This issue is already assigned to a Tech Lead but remains unresolved.

Escalating to Engineering Manager @ajmfehr for visibility.

Tech Leads: @sellakumaran

---

Generated by AutoTriage SLA Escalation