[Bug] AcquireTokenSilent for OperatingSystemAccount can prompt. #3294

Closed
crmann1 opened this issue Apr 27, 2022 · 1 comment · Fixed by #3306
crmann1 commented Apr 27, 2022

MSAL 4.41 with WAM enabled

We started to see WAM prompts when acquiring the operating system account silently.
In all the cases so far the user was signed into Windows with an MSA.

We call

```csharp
// The silent call as posted in the issue; .ExecuteAsync() added so the builder is actually awaited.
await pca.AcquireTokenSilent(
        new string[] { defaultConfiguration.GraphEndpoint.AbsoluteUri + ".default" },
        PublicClientApplication.OperatingSystemAccount)
    .ExecuteAsync();
```

This ends up calling `WebAuthenticationCoreManagerInterop.RequestTokenForWindowAsync`.

One interesting thing is the documentation for this API indicates it MAY prompt.
WebAuthenticationCoreManager.RequestTokenAsync Method (Windows.Security.Authentication.Web.Core) - Windows UWP applications | Microsoft Docs:

> Asynchronously requests a token from a web account provider. If necessary, the user is prompted to enter their credentials.

```text
Microsoft.Identity.Client.Desktop.dll!Microsoft.Identity.Client.Platforms.WebAuthenticationCoreManagerInterop.RequestTokenForWindowAsync(System.IntPtr hWnd, Windows.Security.Authentication.Web.Core.WebTokenRequest request) Line 19
Microsoft.Identity.Client.Desktop.dll!Microsoft.Identity.Client.Platforms.Features.WamBroker.WamProxy.RequestTokenForWindowAsync(System.IntPtr _parentHandle, Windows.Security.Authentication.Web.Core.WebTokenRequest webTokenRequest) Line 73 C#
Microsoft.Identity.Client.Desktop.dll!Microsoft.Identity.Client.Platforms.Features.WamBroker.WamBroker.AcquireTokenSilentDefaultUserPassthroughAsync(Microsoft.Identity.Client.Internal.Requests.AuthenticationRequestParameters authenticationRequestParameters, Windows.Security.Credentials.WebAccountProvider defaultAccountProvider) Line 730 C#
Microsoft.Identity.Client.Desktop.dll!Microsoft.Identity.Client.Platforms.Features.WamBroker.WamBroker.AcquireTokenSilentDefaultUserAsync(Microsoft.Identity.Client.Internal.Requests.AuthenticationRequestParameters authenticationRequestParameters, Microsoft.Identity.Client.ApiConfig.Parameters.AcquireTokenSilentParameters acquireTokenSilentParameters) Line 673 C#
[Completed] Microsoft.Identity.Client.Desktop.dll!Microsoft.Identity.Client.Platforms.Features.WamBroker.WebAccountProviderFactory.GetDefaultProviderAsync() Line 29 C#
[Async] Microsoft.Identity.Client.dll!Microsoft.Identity.Client.Internal.Requests.BrokerSilentStrategy.SendTokenRequestToBrokerAsync() Line 78 C#
[Async] Microsoft.Identity.Client.dll!Microsoft.Identity.Client.Internal.Requests.BrokerSilentStrategy.ExecuteAsync(System.Threading.CancellationToken cancellationToken) Line 49 C#
[Async] Microsoft.Identity.Client.dll!Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(System.Threading.CancellationToken cancellationToken) Line 75 C#
[Async] Microsoft.Identity.Client.dll!Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(System.Threading.CancellationToken cancellationToken) Line 88 C#
[Async] Microsoft.Identity.Client.dll!Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(Microsoft.Identity.Client.ApiConfig.Parameters.AcquireTokenCommonParameters commonParameters, Microsoft.Identity.Client.ApiConfig.Parameters.AcquireTokenSilentParameters silentParameters, System.Threading.CancellationToken cancellationToken) Line 41 C#
[Async] Microsoft.Developer.IdentityService.exe!Microsoft.Developer.IdentityService.StorageService.OsTelemetryLogger.PostAccountsSingleSignOnTelemetryAsync.__GetSignedWindowsAccountId|0_2(Microsoft.Identity.Client.IPublicClientApplication pca, System.Diagnostics.TraceSource tracelogger) Line 56 C#
```

Expectation is that a silent call should be silent and not prompt.

@SameerK-MSFT SameerK-MSFT added this to Triage in MSAL.NET (legacy) via automation Apr 27, 2022
@bgavrilMS bgavrilMS removed the internal label May 2, 2022
@bgavrilMS bgavrilMS moved this from Triage to Estimated/Committed in MSAL.NET (legacy) May 2, 2022
@bgavrilMS bgavrilMS added this to the 4.44.0 milestone May 2, 2022
@bgavrilMS bgavrilMS added P2 and removed P1 labels May 3, 2022
bgavrilMS commented May 5, 2022

For MSA-PT apps, we need to use a transfer token between MSA and AAD. As such, the WAM API RequestTokenForWindowAsync is correctly used, because WAM's AcquireTokenSilently needs a web account, but this web account cannot be obtained in MSA-PT scenarios. The transfer token guarantees that RequestTokenForWindowAsync is silent, but two things can go wrong:

  1. We don't actually get a transfer token. In this case, MSAL should throw a UiRequiredException and not continue with RequestTokenForWindowAsync.
  2. There is something wrong at the protocol level.

I will provide a fix for the first issue, but for the second one we'd need a repro, e.g. an account affected by this, or at least a correlation id + timestamp (but ideally an account).
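The contract the two comments above describe is that a silent call for `PublicClientApplication.OperatingSystemAccount` either returns a token or throws `MsalUiRequiredException`; it must never raise a WAM prompt on its own. The following is an added example written for this page, not code from the issue reporter or from MSAL, showing how a caller on a background path (such as the telemetry logger in the stack trace) should consume that contract: catch the UI-required exception, record the correlation id and timestamp the maintainer asks for, and only go interactive when the calling context explicitly allows it. It assumes an `IPublicClientApplication` that has already been built with the broker enabled (that configuration is out of scope here); the `interactionAllowed` parameter and the `TryAcquireSilentlyAsync` name are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example for this issue page; not MSAL's own code and not the reporter's code.
public static class SilentOsAccountToken
{
    // Returns a result on success, or null when the broker reports that user
    // interaction is required and the caller has not allowed it. A background
    // or telemetry path should pass interactionAllowed: false so that a missing
    // MSA-PT transfer token surfaces as a logged exception, never as a prompt.
    public static async Task<AuthenticationResult?> TryAcquireSilentlyAsync(
        IPublicClientApplication pca,   // assumed: built with WAM broker enabled
        string[] scopes,
        bool interactionAllowed)        // hypothetical: true only on a UI thread
    {
        try
        {
            return await pca
                .AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Post-fix behaviour for MSA-PT: no transfer token lands here rather
            // than in RequestTokenForWindowAsync. Log what triage needs: the error
            // code, the correlation id and a UTC timestamp.
            Console.Error.WriteLine(
                $"{DateTime.UtcNow:O} silent acquisition needs UI: " +
                $"code={ex.ErrorCode} correlationId={ex.CorrelationId}");

            if (!interactionAllowed)
            {
                return null;
            }

            // Interactive fallback is an explicit, foreground decision by the caller.
            return await pca.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
    }
}
```

The point of the `interactionAllowed` flag is to keep the decision to show UI with the caller rather than with the token library or the broker; a service-style caller that passes `false` treats a null result as "no token available" and can retry later or escalate through its own channel.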

@bgavrilMS bgavrilMS moved this from Estimated/Committed to In Progress in MSAL.NET (legacy) May 5, 2022
@bgavrilMS bgavrilMS self-assigned this May 5, 2022
bgavrilMS added a commit that referenced this issue May 5, 2022
MSAL.NET (legacy) automation moved this from In Progress to Fixed May 11, 2022
bgavrilMS added a commit that referenced this issue May 11, 2022
#3306)

* Fix for #3294 - throw UiRequiredException when WAM cannot get a transfer token in MSA-PT

* Address PR
pmaytak pushed a commit that referenced this issue May 12, 2022
#3306)

* Fix for #3294 - throw UiRequiredException when WAM cannot get a transfer token in MSA-PT

* Address PR