How to populate getAccount silently #1387

Closed
1 of 5 tasks
arsnyder16 opened this issue Mar 17, 2020 · 11 comments
Labels
question Customer is asking for a clarification, use case or information.

Comments

@arsnyder16

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Description

I am trying to populate the UserAgentApplication account object silently, without requiring a login (loginPopup, loginRedirect). MSAL is a secondary feature, so I do not want to require a login.

If I call acquireTokenSilent without a loginHint it will error.
If I hard code the loginHint everything works as expected. Is it possible to allow the library to traverse all logged in accounts? Similar to how the login/logout interfaces support multiple accounts.

My use case is sort of specific in that all I want to know is if there is any active account so I can show a signout button, but it would be a nice feature of the Library to be able to get all those accounts.

Examples:

"How do I use MSAL with Vue.js"
"How do I SSO between tabs?"
"How do I use MSAL to protect my custom Web API?"
"How can my app support multiple AAD tenants?"
"When will my scenario be supported?"
"When will this framework be supported"

@arsnyder16 arsnyder16 added the question Customer is asking for a clarification, use case or information. label Mar 17, 2020
@jasonnutter
Contributor

jasonnutter commented Mar 17, 2020

@arsnyder16 You can silently SSO to an existing AAD/MSA session by calling acquireTokenSilent with a loginHint and your clientId as the only scope. If there is an existing session, an ID token for that session will be acquired and getAccount will be populated. If not, it will throw an error (e.g. login_required) that your app will need to handle.

We are working to add this as a new top-level API, ssoSilent, in #1166.
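
The silent SSO flow described in the comment above, as an added example (not code from the thread or from MSAL.js). `trySilentSso` and `fakeApp` are hypothetical names, and `fakeApp` is a constructed stand-in for `UserAgentApplication` so the block runs offline.

```javascript
// Added example, not MSAL.js code. `app` is expected to behave like a
// msal@1.x UserAgentApplication (acquireTokenSilent + getAccount).

// Codes msal@1.x reports when silent auth cannot finish without user interaction.
const NEEDS_INTERACTION = new Set([
  "login_required",
  "interaction_required",
  "consent_required",
]);

// Hypothetical helper: resolves to { signedIn, reason, account }.
async function trySilentSso(app, clientId, loginHint) {
  if (!loginHint) {
    // The thread reports that the silent call errors without a hint; skip it.
    return { signedIn: false, reason: "no_login_hint", account: null };
  }
  try {
    // clientId as the only scope requests an ID token for the existing session.
    await app.acquireTokenSilent({ scopes: [clientId], loginHint });
  } catch (err) {
    if (err && NEEDS_INTERACTION.has(err.errorCode)) {
      // No usable session for this hint: hide the sign-out button.
      return { signedIn: false, reason: err.errorCode, account: null };
    }
    // Anything else (network, misconfiguration) is not proof of "signed out".
    throw err;
  }
  const account = app.getAccount();
  return { signedIn: Boolean(account), reason: null, account };
}

// Constructed stand-in for UserAgentApplication so the example runs offline.
function fakeApp(sessionUser, failCode) {
  let account = null;
  const fail = (code) => Object.assign(new Error(code), { errorCode: code });
  return {
    getAccount: () => account,
    acquireTokenSilent: async ({ loginHint }) => {
      if (failCode) throw fail(failCode);
      if (loginHint !== sessionUser) throw fail("login_required");
      account = { userName: sessionUser };
      return { account };
    },
  };
}
```

Rethrowing unexpected errors keeps a transient network failure from being rendered as "no session", which would hide the sign-out control from a user who is still signed in.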

@arsnyder16
Author

@jasonnutter

Yea I am trying to avoid tracking a loginHint, my best guess is to store something in local storage from the last known session and try to use that. That won't be super reliable.

If I am understanding correctly ssoSilent will lift this requirement of having a loginHint?

@arsnyder16
Author

arsnyder16 commented Mar 17, 2020

Now that I look at the details of the PR, all it is doing is passing the clientId for you, but you already had to initialize the UserAgentApplication with the correct clientId anyway.

I guess it's just to avoid confusion with calling acquireTokenSilent when you really just want to login?

@arsnyder16
Author

Just to elaborate on my use case since the PR does have a discussion around requiring loginHint.

My use case is really to just try and identify any open session so I can show the sign out button, but I can see down the road the need to show an identity chooser directly in my UI. For example, if I am showing a list of files from the user's OneDrive, they might be using their personal and business identities. It would be a better experience for me to have a drop down control so they can easily switch between accounts. Currently I would need to show a popup window and have the user choose through the Microsoft interface.

@jasonnutter
Contributor

jasonnutter commented Mar 17, 2020

@arsnyder16 Correct, ssoSilent is a convenience method for the use case when your application is confident that the user already has an active AAD session (i.e. you already sent them through the login flow using something other than MSAL.js). The loginHint is required to disambiguate if there are multiple active sessions.

@arsnyder16
Author

@jasonnutter What if there is only 1 active session? It seems logical that it could be retrieved without a login hint.

I think it would be a good feature to allow the client of the library to retrieve all the active sessions, so they can build interfaces and constructs based on them, as I mentioned above.

@arsnyder16
Author

@jasonnutter For more context.

We have a commercial application that has both web and desktop(mac/win) interfaces, similar to Office. We are integrating with different cloud repositories, onedrive/google drive/dropbox etc. So a user may choose to open one of our files from onedrive or they may choose google drive. They may also do a combination of both. For our desktop components we are using embedded CEF to handle some of these integration pieces so that we can share as much logic as possible with the web versions. When opening the desktop application you may already have a valid cookie (choosing yes on the do you want to stay signed in page) and be able to create implicitly authorize with MSAL/OneDrive/Microsoft Graph.

We would like to supply our users with an interface to show them what accounts are currently active. It may be a list that is a combination of different providers, maybe a Google identity, a OneDrive for Business identity and a OneDrive personal identity. Within that list we want to allow them to log out or see more details of the individual identities. In order to build all this it would be very helpful if MSAL would supply a way to get all active sessions and furthermore switch and log out of individual ones. I am sort of piecing it all together currently, but with some enhancements to MSAL.js it could be a little more straightforward.

@jasonnutter
Contributor

jasonnutter commented Mar 18, 2020

@arsnyder16

> What if there is only 1 active session? It seems logical that it could be retrieved without a login hint

The problem is that your application cannot know for sure that there is only one currently active session before calling MSAL.

We are planning on adding multiple account support to MSAL (ETA next quarter, I believe), which I believe will solve this use case.

@arsnyder16
Author

@jasonnutter Great! Yea that will be beneficial. Is there a work item that I can follow?

@jasonnutter
Contributor

@arsnyder16 You can follow #1082

@DarylThayil
Contributor

Closing issue

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2020