
[Bug] Requesting access token with different resource ids showing multiple login screens.

Open v-npadhy opened this issue 1 year ago • 9 comments

Library version used

4.61.3

.NET version

MAUI with .NET8

Scenario

PublicClient - mobile app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

The app is developed in MAUI and uses the Microsoft.Identity.Client (4.61.3) NuGet package. The first time, during login, I am passing a resource id, for example resource_Id1. The app launches MSAL authentication, and MSAL prompts the system browser to enter login and password (interactive mode).

After login, to get access to a resource, we are passing a different resource id, for example resource_Id2, to MSAL authentication. This time also I am getting the system browser to enter login and password again (interactive mode).

Is this expected behaviour, or is there an issue with the code?

I want the first authentication with resource_Id1 to be in interactive mode, and then the 2nd authentication with resource_id2 to be in silent mode.

Relevant code snippets

No response

Expected behavior

I want the first authentication with resource_Id1 to be in interactive mode, and then the 2nd authentication with resource_id2 to be in silent mode.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

v-npadhy avatar Aug 13 '24 17:08 v-npadhy

@v-npadhy, can you please share your code and a screenshot of the prompt you are seeing when accessing resource_id2.

iulico-1 avatar Sep 03 '24 16:09 iulico-1

Have a look at WithExtraScopesToConsentTo for combined consent for multiple resources. However, note that it might not work with WAM.

https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/acquiring-tokens-interactively#withextrascopestoconsent

The flow is:

  1. Try AcquireTokenSilent(R1) - it will fail the first time because the cache is empty.
  2. AcquireTokenInteractive(R1).WithExtraScopesToConsentTo(R2) -> displays combined consent for R1+R2 and gives you a token for R1 (and a refresh token, which MSAL manages).
  3. AcquireTokenSilent(R2) should now give you a token for R2 without a prompt (internally MSAL uses the refresh token for this).
  4. Any subsequent logins will also be silent, because of the refresh token in the cache.

@iulico-1 - I believe WAM supports combined consent, but I don't think we ever wired it up.

bgavrilMS avatar Sep 03 '24 17:09 bgavrilMS
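The silent-first flow described in the comment above, written out as an added example (not code from this thread or from the MSAL.NET project). It assumes the system browser is used, since a later reply notes that MSAL.runtime (WAM) does not support combined consent; the client id, redirect URI and parent window are placeholders, and the two `.default` resource scopes are taken from the thread. The point it shows is that every token request, including the very first one, goes to the cache first, and the interactive prompt is reached only from the `MsalUiRequiredException` path, so the second resource never triggers a second login once consent for both resources was granted in the single interactive round-trip.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class SilentFirstTokenFlow
{
    // Resource scopes as they appear in the thread (R1 and R2).
    static readonly string[] ScopesR1 = { "https://aadrm.com/.default" };
    static readonly string[] ScopesR2 = { "https://msmamservice.api.application/.default" };

    // Assumed placeholders: use the values from your own app registration.
    public static IPublicClientApplication BuildApp(string clientId, string redirectUri) =>
        PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "common")
            .WithRedirectUri(redirectUri)
            .Build();

    // Silent first: consult the token cache (and the refresh token MSAL holds) before
    // showing any UI. Only when MSAL reports that UI is required do we prompt, and then
    // we ask for consent to the extra resource in the same prompt.
    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication pca,
        string[] scopes,
        string[] extraScopesToConsent,
        object parentActivityOrWindow)
    {
        var account = (await pca.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();

        try
        {
            // Step 1 / step 3 of the flow: succeeds from cache or via refresh-token exchange.
            return await pca.AcquireTokenSilent(scopes, account)
                            .ExecuteAsync()
                            .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException)
        {
            // Step 2 of the flow: empty cache or missing consent, so one interactive
            // round-trip that covers the requested scopes plus the extra resource.
            var builder = pca.AcquireTokenInteractive(scopes)
                             .WithUseEmbeddedWebView(false)          // system browser, not WAM
                             .WithParentActivityOrWindow(parentActivityOrWindow);

            if (extraScopesToConsent != null && extraScopesToConsent.Length > 0)
            {
                builder = builder.WithExtraScopesToConsent(extraScopesToConsent);
            }

            return await builder.ExecuteAsync().ConfigureAwait(false);
        }
    }

    // Drives the flow for both resources: the first call may prompt once, the second
    // must not. TokenSource tells you whether the cache or the identity provider answered.
    public static async Task RunAsync(IPublicClientApplication pca, object parentActivityOrWindow)
    {
        var r1 = await AcquireAsync(pca, ScopesR1, ScopesR2, parentActivityOrWindow).ConfigureAwait(false);
        Console.WriteLine($"R1 token source: {r1.AuthenticationResultMetadata.TokenSource}");

        var r2 = await AcquireAsync(pca, ScopesR2, Array.Empty<string>(), parentActivityOrWindow).ConfigureAwait(false);
        Console.WriteLine($"R2 token source: {r2.AuthenticationResultMetadata.TokenSource}");

        if (r2.AuthenticationResultMetadata.TokenSource == TokenSource.IdentityProvider)
        {
            // A second network round-trip here is the refresh-token exchange, not a login;
            // a second browser prompt means the combined consent in step 2 did not take.
            Console.WriteLine("R2 was obtained via refresh-token exchange (no prompt expected).");
        }
    }
}
```

Calling `AcquireAsync` with `extraScopesToConsent` only on the first request keeps the consent surface to what the app actually needs; later calls pass an empty array and rely purely on the cache, so an unexpected second prompt is immediately visible as a consent or cache problem rather than being hidden by the code.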

```csharp
var authResult = await _pca.AcquireTokenInteractive(new string[] { "https://aadrm.com/.default" })
    .WithExtraScopesToConsent(new string[] { "https://msmamservice.api.application/.default" })
    .WithUseEmbeddedWebView(false)
    .WithParentActivityOrWindow(activity)
    .ExecuteAsync()
    .ConfigureAwait(false);

tcs.TrySetResult(authResult);
```

Getting the below error:

(screenshot of the error message; image not included)

v-npadhy avatar Sep 04 '24 07:09 v-npadhy

@bgavrilMS Could you please check this?

v-npadhy avatar Sep 09 '24 11:09 v-npadhy

Please reach out to the service, I don't know what this error means.

bgavrilMS avatar Sep 09 '24 11:09 bgavrilMS

@iulico-1 Could you please check this issue?

v-npadhy avatar Sep 09 '24 12:09 v-npadhy

MSAL.runtime currently doesn't support combined consent. This would be a feature ask. For now, please request tokens interactively for each necessary scope.

iulico-1 avatar Sep 09 '24 21:09 iulico-1

Hi @iulico-1, is there any roadmap to include this feature?

v-npadhy avatar Sep 11 '24 15:09 v-npadhy

This feature is currently not scheduled for execution, but we can add it to our backlog and prioritize it based on all other asks we get.

iulico-1 avatar Sep 11 '24 17:09 iulico-1