
[Bug] AcquireTokenInteractive with WAM broker immediately returns UserCanceled when running as Administrator

Open bojordan opened this issue 1 year ago • 4 comments

Library version used

4.63.0

.NET version

net8.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

When using MSAL's PublicClientApplicationBuilder with WAM via .WithBroker() and running as Administrator, AcquireTokenInteractive() immediately fails with an error saying the user closed the interactive session. The WAM account selection dialog often pops up, but often the console running the application will lose focus and is no longer responsive to the user's mouse or keyboard input.

When a token is already present for the user, AcquireTokenSilent() is successful, even when running as Administrator.

Relevant code snippets

// Happy to provide a sample project that reproduces the issue with internal Microsoft identities

IPublicClientApplication publicApp = PublicClientApplicationBuilder
    .Create(settings.ApplicationId)
    .WithAuthority(settings.AuthorityUri)
    .WithParentActivityOrWindow(GetConsoleOrTerminalWindow)
    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows)
    {
        ListOperatingSystemAccounts = true,
    })
    .WithDefaultRedirectUri()
    .WithLogging(
        (level, message, containsPii) =>
        {
            // logging
        },
        Microsoft.Identity.Client.LogLevel.Verbose,
        enablePiiLogging: true)
    .Build();

var accounts = await publicApp.GetAccountsAsync();

AuthenticationResult result = null;
foreach (var acct in accounts)
{
    try
    {
        result = await publicApp.AcquireTokenSilent(scopes, acct).ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        // don't interact here
    }

    if (result != null) break;
}

try
{
    if (result == null)
    {
        result = await publicApp.AcquireTokenInteractive(scopes).ExecuteAsync();
    }
}
catch (MsalClientException ex)
{
    // logging
}

Expected behavior

When a valid account+token is not available in the accounts list, I expect AcquireTokenSilent() to fail for all enumerated accounts. When running as Administrator, I expect AcquireTokenInteractive() to engage with the WAM broker to pop up an account selection dialog while the code blocks on user interaction. Instead, the dialog is sometimes shown, but the interop with WAM immediately returns:

[RuntimeBroker] Could not sign in interactively. Status: UserCanceled Context: User cancelled the Accounts Control Operation. Tag: 0x1f7d734a

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Current work-around is to not use WAM broker when running as Administrator.

bojordan avatar Aug 14 '24 12:08 bojordan
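The elevation-aware construction that bojordan describes as the current work-around, written out as an added example (this is not code from the issue or from MSAL itself). `clientId`, `authority` and `parentWindow` are assumed stand-ins for the poster's `settings.ApplicationId`, `settings.AuthorityUri` and `GetConsoleOrTerminalWindow`; the builder options otherwise mirror the snippet above.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;   // provides the WithBroker(BrokerOptions) extension

static class BrokerAwareClientFactory
{
    // True when the current process token is elevated (running as Administrator).
    // WAM only exists on Windows, so any other platform reports false and the
    // WindowsIdentity call (which throws off-Windows) is never reached.
    public static bool IsRunningElevated()
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            return false;

        using WindowsIdentity identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Builds the public client. The WAM broker is enabled only when the process is
    // not elevated; an elevated process falls back to MSAL's browser-based flow so
    // AcquireTokenInteractive does not fail immediately with UserCanceled.
    // clientId / authority / parentWindow are hypothetical parameters standing in
    // for the issue's settings.ApplicationId, settings.AuthorityUri and
    // GetConsoleOrTerminalWindow.
    public static IPublicClientApplication Build(
        string clientId, string authority, Func<IntPtr> parentWindow)
    {
        PublicClientApplicationBuilder builder = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(authority)
            .WithDefaultRedirectUri();

        if (IsRunningElevated())
        {
            // Work-around from the issue: skip the broker when running as Administrator.
            return builder.Build();
        }

        return builder
            .WithParentActivityOrWindow(parentWindow)
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows)
            {
                ListOperatingSystemAccounts = true,
            })
            .Build();
    }
}
```

As the later comments report, the branch becomes unnecessary once the application resolves Microsoft.Identity.Client.NativeInterop 0.16.2, for example by referencing that version directly until Microsoft.Identity.Client.Broker depends on it.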

@bojordan - This issue has been fixed already. Make sure Microsoft.Identity.Client.NativeInterop version is 0.16.2

ashok672 avatar Aug 18 '24 01:08 ashok672

@ashok672 Microsoft.Identity.Client.Broker should be updated with the new dependency? That is how we are pulling in Microsoft.Identity.Client.NativeInterop. Currently that is depending on 0.16.1

suprak avatar Aug 18 '24 03:08 suprak

We have the same issue. If we manually import Microsoft.Identity.Client.NativeInterop 0.16.2, it starts working again.

gustavoaca1997 avatar Aug 19 '24 21:08 gustavoaca1997

Thanks @ashok672 and @gustavoaca1997: Verified this fixes the issue.

bojordan avatar Aug 20 '24 13:08 bojordan