Bug: WAM IncorrectConfiguration error prevents authentication on Windows (IsBrokerEnabled=true incompatible with http://localhost redirect URI) #92

@LanceMcCarthy

Description

Bug Report: WAM IncorrectConfiguration Error Prevents Authentication on Windows

Summary

Authentication always fails on Windows due to an MSAL WAM broker misconfiguration. The app has IsBrokerEnabled: true but uses RedirectUri: http://localhost, which is incompatible with WAM broker flows. This causes an infinite loop of auth popups that never succeed, and tokens are never cached.

Environment

  • OS: Windows (win32-x64)
  • Package: @microsoft/workiq@latest (via npx)
  • Tool: GitHub Copilot CLI with WorkIQ MCP plugin v1.0.0
  • Node: via npx

Steps to Reproduce

  1. Install the WorkIQ plugin in GitHub Copilot CLI
  2. Run any WorkIQ command, e.g.:
    npx @microsoft/workiq@latest --log-level Debug ask -q "test"
    
  3. Observe repeated auth popups that never complete, followed by an error

Debug Output

info: Microsoft.WorkIQ.Auth.ClientAppFactory[0]
      Configuring authentication for Windows with broker support
dbug: Microsoft.WorkIQ.Auth.ClientAppFactory[0]
      Windows AppConfig: {
        "ClientId": "ba081686-5d24-4bc6-a0d6-d034ecffed87",
        "RedirectUri": "http://localhost",
        "TenantId": "",
        "IsBrokerEnabled": true,
        "IsDefaultPlatformLoggingEnabled": false,
        "LogLevel": "Info",
        "ClientName": "",
        "ClientVersion": ""
      }
dbug: Microsoft.WorkIQ.Auth.InteractiveAuthProvider[0]
      Starting authentication flow
dbug: Microsoft.WorkIQ.Auth.InteractiveAuthProvider[0]
      Scopes requested: https://graph.microsoft.com/.default
dbug: Microsoft.WorkIQ.Auth.AccountManager[0]
      Found 0 cached account(s)
dbug: Microsoft.WorkIQ.Auth.AccountManager[0]
      Broker enabled on Windows, using OperatingSystemAccount sentinel
dbug: Microsoft.WorkIQ.Auth.InteractiveAuthProvider[0]
      Silent authentication failed with MsalUiRequiredException: WAM Error
      Error Code: 3399614476
      Internal Error Code: 557973645
dbug: Microsoft.WorkIQ.Auth.InteractiveAuthProvider[0]
      Launching interactive authentication flow

Error: WAM Error
 Error Code: 3399614468
 Error Message: IncorrectConfiguration
 WAM Error Message: (pii)
 Internal Error Code: 508634081
 See troubleshooting: https://aka.ms/msal-net-wam

Root Cause

WAM broker requires a redirect URI in the format:

ms-appx-web://microsoft.aad.brokerplugin/{clientId}

The app is configured with http://localhost as the redirect URI, which is not valid for WAM broker flows. As a result:

  1. Silent token acquisition fails (0 cached accounts)
  2. Interactive auth popup is launched
  3. WAM rejects the flow with IncorrectConfiguration
  4. No token is ever cached
  5. Every subsequent call repeats the cycle — causing repeated auth popups for the user

Specifying --account explicitly does not resolve the issue.

Expected Behavior

Authentication should complete successfully on first launch, cache the token, and subsequent calls should use the cached token silently.

Suggested Fix

Either:

  • Option A: Update the WAM redirect URI to ms-appx-web://microsoft.aad.brokerplugin/ba081686-5d24-4bc6-a0d6-d034ecffed87 (and register it in the Azure AD app registration)
  • Option B: Disable WAM broker (IsBrokerEnabled: false) and fall back to a browser-based interactive auth flow, which works correctly with http://localhost
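As an added example (not part of this issue or of the WorkIQ code), a small Python check that reads the "Windows AppConfig" block out of the debug log, flags the IsBrokerEnabled / RedirectUri mismatch described above, and produces the two configurations that Option A and Option B would yield; the log text is constructed from the debug output in this report.

```python
import json
import re

# Constructed sample: the AppConfig block and WAM error as the WorkIQ debug log prints them.
SAMPLE_LOG = """\
dbug: Microsoft.WorkIQ.Auth.ClientAppFactory[0]
      Windows AppConfig: {
        "ClientId": "ba081686-5d24-4bc6-a0d6-d034ecffed87",
        "RedirectUri": "http://localhost",
        "TenantId": "",
        "IsBrokerEnabled": true
      }
Error: WAM Error
 Error Code: 3399614468
 Error Message: IncorrectConfiguration
"""

BROKER_REDIRECT_PREFIX = "ms-appx-web://microsoft.aad.brokerplugin/"

def extract_app_config(log_text: str) -> dict:
    """Pull the flat JSON object that follows 'AppConfig:' out of the debug log."""
    match = re.search(r"AppConfig:\s*(\{.*?\n\s*\})", log_text, re.DOTALL)
    if not match:
        raise ValueError("no AppConfig block found in log")
    return json.loads(match.group(1))

def expected_broker_redirect(client_id: str) -> str:
    """Redirect URI the WAM broker plugin expects for the given client id."""
    return BROKER_REDIRECT_PREFIX + client_id

def check_broker_config(config: dict) -> list:
    """Return findings; an empty list means the broker flag and redirect URI agree."""
    findings = []
    if config.get("IsBrokerEnabled") is True:
        wanted = expected_broker_redirect(config.get("ClientId", ""))
        actual = config.get("RedirectUri", "")
        if actual != wanted:
            findings.append(f"IsBrokerEnabled is true but RedirectUri is {actual!r}; WAM expects {wanted!r}")
    return findings

def wam_incorrect_configuration_seen(log_text: str) -> bool:
    """True when the log carries the WAM IncorrectConfiguration failure from this report."""
    return "Error Message: IncorrectConfiguration" in log_text

def suggested_fixes(config: dict) -> dict:
    """Option A (broker redirect URI) and Option B (browser flow on localhost) from the issue."""
    option_a = dict(config, RedirectUri=expected_broker_redirect(config["ClientId"]))
    option_b = dict(config, IsBrokerEnabled=False, RedirectUri="http://localhost")
    return {"A": option_a, "B": option_b}
```

Run the check over a captured debug log before filing the popup loop as an auth-server problem: a non-empty findings list on a log that also shows IncorrectConfiguration points at the client configuration, not at the tenant.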
