[Bug] Account picker pops up although account + NoPrompt is specified during interactive login
### Library version used
4.56.0
### .NET version
.Net Framework 4.8.0
### Scenario
PublicClient - desktop app
### Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
### Issue description and reproduction steps
We have an app that can automatically sign the users in with their default Windows account. With MSAL .Net version 4.45.0, which we are currently using, the app is able to sign the users in without any account picker window popping up.
Since we have another issue with 4.45.0, which is that it occasionally returns an expired token, we have been trying to upgrade it to the latest versions (4.56.0/4.57.0) for a fix.
However, in 4.56.0/4.57.0, we found that it pops up an account picker when the app attempts to sign in with the user's default OS account.
Repro steps:
- Download the MSAL demo app from here: https://github.com/gladjohn/NetCoreWinFormsWAM_Maha
- Upgrade the MSAL .Net version to 4.56.0 or 4.57.0 (both reproducible)
- Run the app
- Use the following input, and click "ATI"
- Account picker pops up, as shown in the following screenshot
### Relevant code snippets
PublicClientApplication creation:
```csharp
PublicClientApplicationBuilder.Create(AppConfiguration.AzureActiveDirectoryClientId)
    .WithAuthority(AppConfiguration.AzureActiveDirectoryAuthority)
    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows) { ListOperatingSystemAccounts = true })
    .WithExperimentalFeatures()
    .Build();
```
ATI:
```csharp
var account = PublicClientApplication.OperatingSystemAccount;
AcquireTokenInteractiveParameterBuilder tokenBuilder = Client.AcquireTokenInteractive(scopesToRequest)
    .WithParentActivityOrWindow(Window.Handle)
    .WithAccount(account)
    .WithPrompt(Prompt.NoPrompt);
return tokenBuilder.ExecuteAsync();
```
### Expected behavior
When account and NoPrompt are specified, interactive login should not show the account picker pop-up asking users to choose an account.
### Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
### Regression
4.45.0
### Solution and workarounds
_No response_
Hi @trwalke, saw you moved this issue into MSAL.NET Customer Trust. Does this mean it is currently in the dev pipeline? Is there an ETA if so?
Hi @aries-zhang, adding @ashok672 for perspective. I am not aware of this being worked on. Will remove from the GH project for now.
Hi @ashok672, are there any updates on this issue? We are keen to update to the latest broker lib now due to multiple issues, but this is our largest concern at the moment. The additional pop-up window could be a big friction point for user acquisition, from our past experience. It would be great if users can be signed in to the app seamlessly when their system account is already signed in.
Hi @aries-zhang - I was able to repro the issue of prompting for the default OS account. For some reason, when you use the VisualStudio client ID in the MSAL.NET sample app, the account is getting signed out. I think some VS component in the machine is doing something in the background. I will continue investigating this issue with the VisualStudio team. If you request a token interactively for a signed-out account, the expectation is we will show the UI. That said, can you please test this using your own client id in your code base? I assume you had this issue when you were evaluating the newer version of MSAL.Net using the sample app instead of your own app. Let me know if you still run into the same issue in your app.
I can reproduce this behavior on a clean VM. We sat down with @exchange321 to look at the issue and we confirmed that with old versions of MSAL.NET the behavior does not reproduce (when using WithWindowsBroker). The new versions of MSAL seem to have a regression that causes the /common authority to trigger the prompt, even though a default account is specified.
We're investigating with the engineering team on the best path forward.