microsoft-authentication-library-for-dotnet
Microsoft Graph returning null account even after passing a valid account ID
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
4.46.1
Wrapper Library
Not Applicable
Wrapper Library Version
NA
Public or Confidential Client?
Confidential
Description
I am encountering a weird issue with Microsoft Graph on an integration that was built a few years back.
This issue started happening a few months back. After I sync a Microsoft Account and provide email and calendar read/write access, everything works fine for some time. I am able to retrieve emails and calendar events. However, after some time, I notice that when a call is made to GetAccountAsync with a valid AccountID, null is returned. This is causing AcquireTokenSilent to fail with the following error:
Error Code: user_null Error Message: No account or login hint was passed to the AcquireTokenSilent call. I have also noticed that this happens under the following scenarios:
- When the WebJob (console app) is run every 15 minutes, I encounter this issue
- To narrow down the root cause, I have deleted the WebJob to see if the issue occurs on the web app. It looks like the issue starts to occur after an hour or so even without the web job running.
I have upgraded to the latest version of MSAL and implemented version 4.46.1.0 of Microsoft.Identity.Client. I am using .NET Framework 4.8 and this is a .NET MVC 5 app.
Error Message
Error Code: user_null Error Message: No account or login hint was passed to the AcquireTokenSilent call.
Msal Logs
No response
MSAL Configuration
NA
Relevant Code Snippets
```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;   // AddDistributedSqlServerCache
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;                     // AddDistributedTokenCache (Microsoft.Identity.Web.TokenCache)

public async Task<string> GetAccessTokenAsync()
{
    string accessToken;
    UserExternalApp.Scope = string.IsNullOrWhiteSpace(UserExternalApp.Scope) ? "" : UserExternalApp.Scope;

    // Load the app config from web.config.
    // SplitAndTrim is a project extension method, not part of the BCL.
    var microsoftScopes = UserExternalApp.Scope.Replace(' ', ',').SplitAndTrim(new char[] { ',' }).ToList();
    var accountID = UserExternalApp.ExternalUserAccountID;

    var app = ConfidentialClientApplicationBuilder.Create(ClientID)
        .WithRedirectUri(DefaultRedirectUrl) // https://mywebsite.com
        .WithClientSecret(Secret)
        .Build();

    app.AddDistributedTokenCache(services =>
    {
        services.AddDistributedSqlServerCache(options =>
        {
            options.ConnectionString = ConfigurationManager.ConnectionStrings["Connection"].ConnectionString;
            options.SchemaName = "dbo";
            options.TableName = "TokenCache";
            // Applies to entries written without their own expiration: an entry that is
            // neither read nor written within this window is evicted by the SQL cache.
            options.DefaultSlidingExpiration = TimeSpan.FromMinutes(90);
        });
    });

    try
    {
        // Returns null when the cache holds no account with this identifier.
        var account = await app.GetAccountAsync(accountID);
        var query = app.AcquireTokenSilent(microsoftScopes, account); // This is where the error is thrown
        var acquireTokenSilent = await query.ExecuteAsync();
        accessToken = acquireTokenSilent.AccessToken;
    }
    catch
    {
        // This is the error thrown:
        // Exception Type: MsalUiRequiredException
        // Error code: user_null
        // Exception Details: No account or login hint was passed to the AcquireTokenSilent call.
        throw;
    }
    return accessToken;
}
```
Reproduction Steps
- Log in to Web app and sync Microsoft account
- Authentication is performed and tokens are saved in the database
- Check Outlook email from the web app. This step is successful
- Come back after an hour or so and try to check Outlook email through the web app
- Error is encountered.
Expected Behavior
Email should be retrieved successfully after a few hours
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
Source
External (Customer)
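Added example, not code from the issue or from the MSAL repository: a variant of the reporter's method that builds the client once, sets the cache entry lifetime and encryption explicitly on the token cache adapter instead of relying on the SQL cache default, and turns a null result from GetAccountAsync into an MsalUiRequiredException so the caller's existing "send the user back to sign-in" path handles it rather than AcquireTokenSilent failing with user_null. ClientID, Secret and DefaultRedirectUrl are assumed to be static members, UserExternalApp and the "Connection" string are taken from the issue, and the 14-day value is an assumption.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

public partial class GraphTokenProvider
{
    // Built once per process; rebuilding the client and the cache's service provider on every call is avoidable work.
    private static readonly IConfidentialClientApplication App = BuildApp();

    private static IConfidentialClientApplication BuildApp()
    {
        // ClientID, DefaultRedirectUrl and Secret are assumed to be static configuration members.
        var app = ConfidentialClientApplicationBuilder.Create(ClientID)
            .WithRedirectUri(DefaultRedirectUrl)
            .WithClientSecret(Secret)
            .Build();
        app.AddDistributedTokenCache(services =>
        {
            services.AddDistributedSqlServerCache(options =>
            {
                options.ConnectionString = ConfigurationManager.ConnectionStrings["Connection"].ConnectionString;
                options.SchemaName = "dbo";
                options.TableName = "TokenCache";
            });
            services.AddDataProtection(); // assumption: Microsoft.AspNetCore.DataProtection is referenced
            services.Configure<MsalDistributedTokenCacheAdapterOptions>(o =>
            {
                o.Encrypt = true; // cache blobs (they carry refresh tokens) are encrypted before being written to SQL
                // Lifetime is set on the adapter rather than left to the SQL cache default;
                // 14 days is an assumption and must outlast the longest idle gap between calls.
                o.SlidingExpiration = TimeSpan.FromDays(14);
            });
        });
        return app;
    }

    public async Task<string> GetAccessTokenAsync()
    {
        var scopes = (UserExternalApp.Scope ?? "").Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries);
        var accountId = UserExternalApp.ExternalUserAccountID;
        // GetAccountAsync returns null when the cache holds no entry for that id; surface that as a
        // UI-required condition instead of handing null to AcquireTokenSilent.
        var account = await App.GetAccountAsync(accountId);
        if (account == null)
            throw new MsalUiRequiredException("account_not_in_cache", $"No cached account for id '{accountId}'.");
        var result = await App.AcquireTokenSilent(scopes, account).ExecuteAsync();
        return result.AccessToken; // never write this value to logs
    }
}
```

The caller should catch MsalUiRequiredException once and redirect the user through the sign-in flow; with the account check in place, the user_null code from the issue can no longer be reached from this method.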
Sorry, I think I posted this under the wrong repo.
It's just too complex to get an ASP.NET or ASP.NET Core app going with MSAL alone. Please use our higher level API https://github.com/AzureAD/microsoft-identity-web/