[Bug] Improve devex for AcquireTokenSilent + MSA-PT #3077
Comments
Also came across this while trying to test a new app registration. Was surprised to see the error on using the consumers tenant when we were explicitly passing the organizations tenant.

This is a service issue - https://identitydivision.visualstudio.com/Engineering/_workitems/edit/1800497/?workitem=1848357

Also hitting this (but with slightly different options and getting additional errors beyond those in the linked bug).
Calling AcquireTokenInteractive I can select my MSA and get a token, and when using AcquireTokenInteractive passing the account I get a token without a prompt:
However, when using AcquireTokenSilent passing the same account object I get an error:
Using the workaround of swapping the MSA tenant with the first party tenant allows AcquireTokenSilent to succeed.

@JohnSchmeichel - yes, this is the status quo for MSA-PT for now, you have to add that pretty horrible workaround. We will look at fixing this next quarter, there aren't any easy fixes though.
When we have a Microsoft Account (MSA) in the cache and attempt to do a silent authentication, if we're an MSA-PT app we need to specify the special MSA transfer tenant ID to make sure we get a token silently and correctly. See the issue [1] in the MSAL repo for more information. [1] AzureAD/microsoft-authentication-library-for-dotnet#3077

When using Microsoft Account Passthrough (MSA-PT) we need to use the special "transfer" or "Microsoft services" tenant ID rather than the actual MSA tenant ID when doing silent authentication. This is a shortcoming in the MSAL library that we will need to work around until this issue [1] can be fixed in MSAL itself. Modify the silent auth method such that if we are using MSA-PT, and the `IAccount` object has the MSA tenant ID, we explicitly set the tenant ID to the transfer tenant ID. Whilst we are in here, also add an extra `catch` block around the silent auth code to capture any unexpected exceptions and log them. [1] AzureAD/microsoft-authentication-library-for-dotnet#3077

When we have a Microsoft Account (MSA) in the cache and attempt to do a silent authentication, if we're an MSA-PT app we need to specify the special MSA transfer tenant ID to make sure we get a token silently and correctly. See the [issue](AzureAD/microsoft-authentication-library-for-dotnet#3077) in the MSAL repo for more information. Fixes: #1297
Which version of MSAL.NET are you using?
MSAL.NET 4.37.0
Platform
.NET 5.0 macOS x64
What authentication flow has the issue?
Is this a new or existing app?
a. The app is in production, and I have upgraded to a new version of MSAL.
Repro
Expected behavior
The ATS call succeeds.
Actual behavior
An MsalServiceException is thrown:
Possible solution
We have worked around this by using the "MSFT Services tenant" to 'exchange' these MSA tokens for use with the MSA-PT resource (Azure DevOps).
Additional context / logs / screenshots / links to code
We are using MSA-PT (as a first party application) because the resource (Azure DevOps) only accepts AAD & MSA-PT tokens (not MSA native).
Also the workaround we have here only works for the public Azure cloud.
cc: @bgavrilMS
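The workaround described in this issue and in the commit messages above (swap the account's MSA tenant for the transfer tenant before calling AcquireTokenSilent, and catch unexpected MSAL exceptions) in working form, as an added example that is not code from the issue or from the MSAL.NET project. It assumes MSAL.NET's `IPublicClientApplication.AcquireTokenSilent(...).WithTenantId(...)` builder API and uses placeholder tenant IDs that you must replace with the MSA home tenant ID and the MSA-PT transfer tenant ID documented for your cloud; as the issue notes, the swap only applies to the public Azure cloud.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class MsaPassthroughSilentAuth
{
    // Placeholders (not from the issue): fill in the MSA home tenant ID and the
    // MSA-PT transfer ("MSFT services") tenant ID for the public Azure cloud.
    public const string MsaHomeTenantId = "<MSA-HOME-TENANT-ID>";
    public const string MsaTransferTenantId = "<MSA-PT-TRANSFER-TENANT-ID>";

    // Decide which tenant to request the token from. For an MSA-PT app whose
    // cached account lives in the MSA tenant, substitute the transfer tenant;
    // every other account keeps its own home tenant.
    public static string ResolveTenantId(IAccount account, bool isMsaPassthrough)
    {
        string tenantId = account?.HomeAccountId?.TenantId;
        if (isMsaPassthrough &&
            string.Equals(tenantId, MsaHomeTenantId, StringComparison.OrdinalIgnoreCase))
        {
            return MsaTransferTenantId;
        }
        return tenantId;
    }

    // Silent acquisition with the tenant substitution applied. Returns null when
    // no usable cached token exists (MsalUiRequiredException) so the caller can
    // fall back to AcquireTokenInteractive; any other MSAL failure is logged.
    public static async Task<AuthenticationResult> AcquireSilentAsync(
        IPublicClientApplication app,
        string[] scopes,
        IAccount account,
        bool isMsaPassthrough,
        CancellationToken cancellationToken)
    {
        try
        {
            var builder = app.AcquireTokenSilent(scopes, account);

            string tenantId = ResolveTenantId(account, isMsaPassthrough);
            if (!string.IsNullOrEmpty(tenantId))
            {
                // This is the workaround: explicitly pin the tenant rather than
                // letting MSAL derive it from the MSA account's home tenant.
                builder = builder.WithTenantId(tenantId);
            }

            return await builder.ExecuteAsync(cancellationToken);
        }
        catch (MsalUiRequiredException)
        {
            // Expected path: nothing usable in the cache, interaction is needed.
            return null;
        }
        catch (MsalException ex)
        {
            // The extra catch from the commit message: surface anything unexpected
            // (for example the MsalServiceException reported in this issue).
            Console.Error.WriteLine(
                $"Unexpected MSAL error during silent auth: {ex.ErrorCode}: {ex.Message}");
            return null;
        }
    }
}
```

Keeping the tenant decision in `ResolveTenantId` makes the substitution easy to unit test in isolation and easy to delete once MSAL handles MSA-PT silent calls itself; the caller simply treats a null result as "prompt the user".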