Sample for ms-identity-aspnet-webapp-openidconnect-master throws exception on AcquireTokenSilent #2324
Comments
I think I need to provide additional information on how I am using MSAL. I have found two issues I cannot get around. The second issue depends upon the AAD member type of the user logging in.
There are extension methods in Microsoft.Identity.Web that could return these values, but they always return null because they are looking for claim values that are not returned by AAD, and I see no way to add them.
@bmukes:
To answer some of your questions:
Thinking more, Microsoft.Identity.Web requests the ClientInfo: https://github.com/AzureAD/microsoft-identity-web/blob/c5681fa91e444efca09621e1a5a2fadf9cc5dd0a/src/Microsoft.Identity.Web/WebAppExtensions/MicrosoftIdentityWebAppAuthenticationBuilderExtensions.cs#L326, which is the way the disambiguation works for guest accounts. @bmukes: proposing to move this issue to the sample or Microsoft.Identity.Web if you don't mind.
I am using AAD configured for the OIDC Authorization Code Flow. As for the claims being returned in my application, they are below. Ultimately, what I am trying to accomplish is outlined below.
This seems simple, but my debugging shows
Also, if you want to move this to Microsoft.Identity.Web I do not mind. I just need some way to get the cached access token in a controller, or a sample that shows how this can be accomplished.
I am beginning to wonder if the problem is that I am not using the OIDC Hybrid flow, and maybe MSAL will not work properly with the OIDC Authorization Code flow. I am basing this on the Microsoft sample
Also keep in mind that I am STUCK using .NET Framework 4.7.2 and not .NET Core.
OK, if a picture is worth 1,000 words then code is worth 10,000.
At this point you should be able to do the OIDC Authorization grant with the sample code. What you will observe in your output window:
Last thing to help in testing the application: I test using Chrome in incognito mode. This helps ensure that the session cookie does not get in the way by automatically logging you in and bypassing authentication.
I'm experiencing a related issue. I don't think this has anything to do with guest accounts; I think there are just some use cases where GetAccount is returning null. GetAccounts will return a collection with a single account, but GetAccount will return null. Using MSAL 4.40. I think the bug below has possibly been reintroduced. It should throw an exception rather than inexplicably return null, if this is as-designed behavior. Possibly related to the now-closed #2141 issue.
I ran your sample app and replaced the values for ida:ClientId, ida:ClientSecret and the Authority with values from my Azure Active Directory Tenant.
I registered an application within my tenant and set API permissions as shown in the image below
Authentication for the application is setup as shown in the image below
I get logged in successfully, but when I press the Send Email link I notice that the call to `app.AcquireTokenSilent` always throws an exception. The exception is thrown because the call to `await app.GetAccountAsync(ClaimsPrincipal.Current.GetAccountId());` always returns null.
See the partial code from HomeController.cs below.
My assumption was that this sample would show that MSAL would have cached any of the tokens necessary for the call, and that the call to GetAccountAsync would not return null. The Active Directory Tenant is not verified, so the user login ends with onmicrosoft.com.
I am seeing the same behavior in my ASP.NET MVC application using your code, so I wondered if I am missing something.
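The two-step pattern the thread is circling (redeem the authorization code into the MSAL cache at sign-in, then look the account up and call AcquireTokenSilent from a controller), written out as an added example in C# for .NET Framework. This is not code from the sample, from MSAL.NET or from Microsoft.Identity.Web; everything prefixed `Demo` is hypothetical, and the per-session cache store stands in for whatever the sample uses. It assumes the `ida:ClientId` / `ida:ClientSecret` / Authority values from the issue, a registered redirect URI, and that the same attached cache serves both the sign-in redemption and the later silent call. Two caveats from MSAL's behaviour are encoded in the comments: a `ConfidentialClientApplication` built per request starts with an empty in-memory cache unless a serialized cache is re-attached, so `GetAccountAsync` returns null for any identifier; and the cached identifier comes from `client_info` (home object id and home tenant id), which for a guest user differs from the `oid`/`tid` claims in the resource tenant's id_token that the sample's `GetAccountId` helper is assumed to build its `oid.tid` string from.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example for this thread, not code from the sample or from MSAL.NET.
// Assumed inputs: clientId/clientSecret/authority from the sample's ida:* settings and a
// registered redirectUri. Names starting with "Demo" are hypothetical.
public static class DemoTokenBroker
{
    // Stand-in for the sample's per-user session cache: serialized MSAL cache blobs keyed by a
    // per-session key. A ConfidentialClientApplication built per request starts with an EMPTY
    // in-memory cache, so without re-attaching a persisted cache GetAccountAsync returns null
    // whatever identifier is passed in.
    private static readonly ConcurrentDictionary<string, byte[]> CacheStore =
        new ConcurrentDictionary<string, byte[]>();

    public static IConfidentialClientApplication BuildApp(
        string clientId, string clientSecret, string authority, string redirectUri, string sessionKey)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(authority)
            .WithRedirectUri(redirectUri)
            .Build();

        // Load the session's cache before MSAL reads it, persist it after MSAL changes it.
        app.UserTokenCache.SetBeforeAccess(args =>
        {
            if (CacheStore.TryGetValue(sessionKey, out byte[] blob))
                args.TokenCache.DeserializeMsalV3(blob);
        });
        app.UserTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
                CacheStore[sessionKey] = args.TokenCache.SerializeMsalV3();
        });
        return app;
    }

    // Step 1, during sign-in (the OWIN AuthorizationCodeReceived notification): redeem the code
    // so the cache holds the account and its refresh token. Returns the identifier MSAL will
    // later look the account up by: "{uid}.{utid}" taken from client_info.
    public static async Task<string> RedeemCodeAsync(
        IConfidentialClientApplication app, string authorizationCode, string[] scopes)
    {
        AuthenticationResult result = await app
            .AcquireTokenByAuthorizationCode(scopes, authorizationCode)
            .ExecuteAsync();
        return result.Account.HomeAccountId.Identifier;
    }

    // The sample's GetAccountId helper is assumed to build "{oid}.{tid}" from id_token claims.
    // For a member of the home tenant that equals HomeAccountId.Identifier; for a guest the
    // cached identifier carries the HOME tenant's ids, so this value does not match and
    // GetAccountAsync returns null even though GetAccountsAsync still lists the account.
    public static string AccountIdFromClaims(ClaimsPrincipal principal)
    {
        string oid = principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                     ?? principal.FindFirst("oid")?.Value;
        string tid = principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value
                     ?? principal.FindFirst("tid")?.Value;
        return (oid == null || tid == null) ? null : $"{oid}.{tid}";
    }

    // Step 2, in a controller: look the account up, fall back to the single cached account,
    // then acquire silently. MsalUiRequiredException is left to the caller, which should
    // redirect to sign-in so the code gets redeemed again instead of failing deep in the action.
    public static async Task<string> GetAccessTokenAsync(
        IConfidentialClientApplication app, ClaimsPrincipal principal, string[] scopes)
    {
        string id = AccountIdFromClaims(principal);
        IAccount account = id == null ? null : await app.GetAccountAsync(id);

        if (account == null)
        {
            // Safe only because the cache attached above is per session (one user per cache).
            // With an app-wide shared cache never pick "the" account out of GetAccountsAsync.
            IAccount[] cached = (await app.GetAccountsAsync()).ToArray();
            account = cached.Length == 1 ? cached[0] : null;
        }

        if (account == null)
            throw new MsalUiRequiredException("no_cached_account",
                "No cached account for the signed-in user; challenge the user to sign in again.");

        AuthenticationResult result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Usage follows the thread's own sequence: call `BuildApp` with the same `sessionKey` in both the sign-in notification and the controller, call `RedeemCodeAsync` from the notification, and call `GetAccessTokenAsync` from the action that sends the mail. If `GetAccountAsync` still returns null while `GetAccountsAsync` returns one account, compare the value of `AccountIdFromClaims` with the identifier `RedeemCodeAsync` returned at sign-in; a difference in the tenant half of the string is the guest-account mismatch the maintainer's ClientInfo comment refers to, and a difference in both halves usually means the controller is not seeing the cache that sign-in populated.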