
[Bug] Broker-based flows fail for MSA accounts with latest MSAL #4696

@localden

Description

Library version used

4.60.1

.NET version

6.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

Here is the sample code that I use:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;          // WithBroker(BrokerOptions) extension
using Microsoft.Identity.Client.Extensions.Msal; // MsalCacheHelper, StorageCreationPropertiesBuilder

var scopes = new[] { "User.Read" };

// Windows broker (WAM) options; Title is what the broker's account picker shows.
BrokerOptions options = new(BrokerOptions.OperatingSystems.Windows)
{
    Title = "My Awesome Application"
};

// Encrypted token-cache file next to the executable.
StorageCreationProperties storageProperties =
    new StorageCreationPropertiesBuilder("cache.bin", AppDomain.CurrentDomain.BaseDirectory).Build();

// GetConsoleOrTerminalWindow is the window-handle helper from the MSAL.NET docs
// (P/Invoke: GetAncestor(GetConsoleWindow(), GetRootOwner)); its definition was not included in the report.
IPublicClientApplication app =
    PublicClientApplicationBuilder.Create("49e23d21-c709-47b5-b947-ad8e68455b14")
    .WithAuthority("https://login.microsoftonline.com/common")
    .WithDefaultRedirectUri()
    .WithParentActivityOrWindow(GetConsoleOrTerminalWindow)
    .WithBroker(options)
    .Build();

// This hooks up the cross-platform cache into MSAL
var cacheHelper = await MsalCacheHelper.CreateAsync(storageProperties);
cacheHelper.RegisterCache(app.UserTokenCache);

AuthenticationResult result = null;

// Try to use the previously signed-in account from the cache
IEnumerable<IAccount> accounts = await app.GetAccountsAsync();
IAccount existingAccount = accounts.FirstOrDefault();

try
{
    if (existingAccount != null)
    {
        result = await app.AcquireTokenSilent(scopes, existingAccount).ExecuteAsync();
    }
    // Next, try to sign in silently with the account that the user is signed into Windows
    else
    {
        result = await app.AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
                            .ExecuteAsync();
    }
}
// Can't get a token silently, go interactive
catch (MsalUiRequiredException)
{
    result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
}

Console.WriteLine(result.AccessToken);
```

This worked in MSAL.NET 4.59.0, but upon upgrading to 4.60.1 I am now getting this error:

Screenshot of the error produced in Visual Studio for the broker-based flow

Keep in mind that the account was already selected (an MSA account that is secondary on the OS) and then the error pops up. The code worked OK in MSAL 4.59.0.

Relevant code snippets

No response

Expected behavior

Broker-based flow goes through.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

4.59.0

Solution and workarounds

None. Downgrade MSAL to 4.59.0.
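An added diagnostic variant of the flow in the report (example code, not from the issue and not an MSAL.NET sample): it runs the same cached-account, OS-account, then interactive sequence against the Windows broker, but turns on MSAL logging with PII disabled and catches every MsalException rather than only MsalUiRequiredException, so a broker failure yields the exception type, error code and correlation ID a maintainer asks for first instead of an unhandled exception. The client ID, the broker window title and the P/Invoke helper for the console window handle are assumptions; the helper follows the pattern in the MSAL.NET documentation.

```csharp
// Added example, not code from the original issue. Assumes the NuGet packages
// Microsoft.Identity.Client and Microsoft.Identity.Client.Broker on .NET 6 / Windows.
using System;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

string[] scopes = { "User.Read" };

IPublicClientApplication app = PublicClientApplicationBuilder
    .Create("00000000-0000-0000-0000-000000000000")   // placeholder client ID (assumption)
    .WithAuthority("https://login.microsoftonline.com/common")
    .WithDefaultRedirectUri()
    .WithParentActivityOrWindow(NativeWindow.GetConsoleOrTerminalWindow)
    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows) { Title = "Broker diagnostics" })
    // Verbose MSAL log with PII suppressed, so the output is safe to attach to a bug report.
    .WithLogging((level, message, containsPii) =>
    {
        if (!containsPii) Console.Error.WriteLine($"[MSAL {level}] {message}");
    }, LogLevel.Verbose, enablePiiLogging: false, enableDefaultPlatformLogging: false)
    .Build();

// Record which MSAL.NET build actually loaded; regressions are version-specific.
Console.WriteLine($"MSAL.NET assembly: {typeof(PublicClientApplication).Assembly.GetName().Version}");

AuthenticationResult? result = await BrokerFlow.AcquireAsync(app, scopes);
Console.WriteLine(result is null
    ? "No token acquired."
    : $"Token for {result.Account.Username} expires {result.ExpiresOn:u}");

static class BrokerFlow
{
    // Same order as the reporter's snippet: cached account, then the OS account, then interactive.
    public static async Task<AuthenticationResult?> AcquireAsync(IPublicClientApplication app, string[] scopes)
    {
        try
        {
            IAccount? cached = (await app.GetAccountsAsync()).FirstOrDefault();
            IAccount candidate = cached ?? PublicClientApplication.OperatingSystemAccount;
            return await app.AcquireTokenSilent(scopes, candidate).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Expected outcome when nothing usable is cached: fall through and prompt.
        }
        catch (MsalException ex)
        {
            // Anything else from the silent path is a real failure, not a prompt request.
            Console.Error.WriteLine(Describe("silent", ex));
            return null;
        }

        try
        {
            return await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
        catch (MsalException ex)
        {
            Console.Error.WriteLine(Describe("interactive", ex));
            return null;
        }
    }

    // One line per failure with the fields needed to correlate against service-side logs.
    public static string Describe(string stage, MsalException ex)
    {
        string correlation = ex is MsalServiceException svc ? svc.CorrelationId : "n/a";
        return $"{stage} failed: {ex.GetType().Name} code={ex.ErrorCode} correlationId={correlation} message={ex.Message}";
    }
}

static class NativeWindow
{
    // Console / Windows Terminal root window handle, per the MSAL.NET docs pattern (assumption).
    private enum GetAncestorFlags { GetParent = 1, GetRoot = 2, GetRootOwner = 3 }

    [DllImport("user32.dll", ExactSpelling = true)]
    private static extern IntPtr GetAncestor(IntPtr hwnd, GetAncestorFlags flags);

    [DllImport("kernel32.dll")]
    private static extern IntPtr GetConsoleWindow();

    public static IntPtr GetConsoleOrTerminalWindow()
        => GetAncestor(GetConsoleWindow(), GetAncestorFlags.GetRootOwner);
}
```

Keep enablePiiLogging false when the output is going into a public issue: with it on, the log includes account identifiers and token-related details, and the callback's containsPii flag is only honoured if your code checks it, as above.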
