AzureAD/azure-activedirectory-library-for-dotnet

AcquireTokenSilentAsync always fails in UWP

Druffl3 opened this issue · 28 comments

Which Version of ADAL are you using ?
4.5.1

Which platform has the issue?
UWP

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • [x] Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;
I am actually building the application with Xamarin.Forms, which is going to run on Android, iOS and UWP. The problem is faced in UWP.

Is this a new or existing app?
This is a new app, but its counterparts for Android and iOS are already in production and it works just fine.

Repro

if (authContext.TokenCache.ReadItems().Any())
{
    // Re-create the context from the cached item's authority, then ask for a token from the cache.
    authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
    authResult = await authContext.AcquireTokenSilentAsync(graphResourceUri, clientId, user);
}

Expected behavior
I expect the AcquireTokenSilentAsync method to return a new accessToken if TokenCache is already available.

Actual behavior
AcquireTokenSilentAsync always fails with this exception:
Failed to acquire token silently as no token was found in the cache.
even though the TokenCache is actually not empty.

Additional context/ Logs / Screenshots
Since it is a Xamarin.Forms project, the business logic to acquire a token is done in a core project.
AcquireTokenSilentAsync works just fine with my iOS and Android applications. It is failing in UWP.

@Druffl3 : did you look at the following sample?
https://github.com/azure-samples/active-directory-dotnet-native-multitarget

Note that it's archived because we recommend that our customers move to MSAL.NET instead of ADAL.NET, but you can still look at the master branch.

@jmprieur , thanks for the response. I will take a look at the sample.

Right now, in my UWP application, AcquireTokenSilentAsync() fetches a valid token only if the token already acquired from AcquireTokenAsync() hasn't expired. If the acquired token expires, then AcquireTokenSilentAsync() always fails. Is this expected behaviour?

This is what I am trying:

try
{
    if (authContext.TokenCache.ReadItems().Count() > 0)
    {
        authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
    }
    // Silent first: returns the cached access token or refreshes it with the refresh token.
    authResult = await authContext.AcquireTokenSilentAsync(graphResourceUri, clientId);
}
catch (AdalSilentTokenAcquisitionException ex)
{
    // No usable token in the cache: fall back to interactive sign-in.
    authResult = await authContext.AcquireTokenAsync(graphResourceUri, clientId, returnUri, parent);
}

Do note that the TokenCache is never empty after initial authentication.

@bgavrilMS, @jmprieur, please help me in resolving this issue. AcquireTokenSilentAsync returns the already available token in the cache, and once it has expired, it simply fails and does not return a new valid token.

@Druffl3
It is expected that if the access token has expired and it cannot be refreshed, then you'll get an AdalUiRequiredException, which you need to process by calling AcquireTokenAsync.
See https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-a-cached-token#recommended-pattern-to-acquire-a-token

Finally, we would recommend that you move away from ADAL and use MSAL, as ADAL is on the deprecation path. A UWP example with MSAL is available here: https://github.com/azure-samples/active-directory-xamarin-native-v2 and a quickstart is available from https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-uwp

Understood @jmprieur, we will move to MSAL soon. AcquireTokenSilentAsync does fetch a valid token after the previously acquired token has expired on Android and iOS. It is just not working in UWP. What could be the reason for the refresh token to fail? Will any platform-specific configuration be required?

Hey @jmprieur , I believe the issue I am facing is similar to this #1660

I just tried this and it is working fine, so there must be a more complex repro that is happening.

If this is a new app, I strongly recommend that you switch to using MSAL. The team is prioritizing MSAL issues higher, and we will be slow to react to any ADAL issues.

Does the sample not work for you?

@bgavrilMS, I actually tried this in a sample project with a different directory configured and it worked fine for me as well. Could this issue be related to any Azure configuration mismatch for the current directory?

You can try the sample project but use your own app coordinates (client ID, scopes etc.). I am not aware of how you can block silent auth if interactive auth is working. Maybe you are

@bgavrilMS, as suggested I replaced the co-ordinates with my own in the sample project and tested it out. AcquireTokenSilentAsync failed with the same exception :( . Will there be any particular limitation of using a Federated Active Directory with an application that does not follow IWA?

@bgavrilMS @jmprieur, I apologise for not trying the ADAL loggers earlier. I added them now and it looks like the process to refresh the token is failing, just as @biozal is facing here #1631
My log:

Information 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: ADAL PCL.UAP with assembly version '5.2.7.0', file version '5.2.7.0' and informational version '5.2.7' is running...
Information 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: === Token Acquisition started:
	CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (1 items)
	Authentication Target: User

Verbose 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Loading from cache.
Information 2020-07-16T11:07:55.6899983Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Deserialized 1 items to token cache.
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Looking up cache for a token...
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An item matching the requested resource was found in the cache
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A matching entry was found in the cache
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An expired or near expiry token was found in the cache
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Refreshing the AT based on the RT.
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Refreshing access token...
Information 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? True
Verbose 2020-07-16T11:07:56.2176777Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Looking up certificate matching authorities:OU=xxxxxxxxxxxx,CN=MS-Organization-Access,DC=windows,DC=net
Information 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? False
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: TokenResponse ? True
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Error Code(s): 7000218
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Re-throwing a service exception with token response details
Verbose 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Either a token was not found or an exception was thrown.
Verbose 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Cannot invoke the broker directly, may require install ...
Verbose 2020-07-16T11:08:07.1364120Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Check and AcquireToken using broker
Verbose 2020-07-16T11:08:07.1364120Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Broker invocation is NOT required
Information 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? True
Verbose 2020-07-16T11:08:07.8928939Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Looking up certificate matching authorities:OU=xxxxxxxxxxxxx,CN=MS-Organization-Access,DC=windows,DC=net
Verbose 2020-07-16T11:08:08.4825619Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Storing token in the cache...
Information 2020-07-16T11:08:08.4860527Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Deserialized 1 items to token cache.
Verbose 2020-07-16T11:08:08.4860527Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An item was stored in the cache
Information 2020-07-16T11:08:08.4925578Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Serializing token cache with 1 items.
Information 2020-07-16T11:08:08.4980696Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 7/16/2020 12:08:07 PM +00:00Access Token Hash: xxxxxxxxxxxxxx

@bgavrilMS, I migrated to MSAL and I get an invalid_grant error upon calling AcquireTokenInteractive in UWP.

7/28/2020 6:34:51 PM
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:12 - c4090f63-9bf1-498b-be67-ba7481c30ca6] GetAccounts found 0 RTs and 0 accounts in MSAL cache.
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] GetAccounts found 0 RTs and 0 accounts in MSAL cache after environment filtering.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] MSAL MSAL.UAP with assembly version '4.16.1.0'.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13]
=== Request Data ===
Authority Provided? - True
Client Id - xxxxx
Scopes - xxxxxx
Redirect Uri - xxxxx
Extra Query Params Keys (space separated) -
ClaimsAndClientCapabilities -
Authority - xxxx
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint -
IsBrokerConfigured - False
HomeAccountId -

Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13] === Token Acquisition (InteractiveRequest) started:

Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Fetching instance discovery from the network from host login.microsoftonline.com. Endpoint https://login.microsoftonline.com/common/discovery/instance
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Resolving authority endpoints... Already resolved? - FALSE
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] An authorization code was retrieved from the /authorize endpoint.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Exchanging the auth code for tokens
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Response status code does not indicate success: 401 (Unauthorized).
Warning (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Request retry failed.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:37 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] HttpStatusCode: 401: Unauthorized
Error (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:37 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] MSAL.UAP.4.16.1.0.MsalUiRequiredException:
	ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50097: Device authentication is required.
Trace ID: 3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00
Correlation ID: 61f40c50-8756-4a39-bf9f-46499d6b1f82
Timestamp: 2020-07-28 13:05:36Z
	StatusCode: 401
	ResponseBody: {"error":"invalid_grant","error_description":"AADSTS50097: Device authentication is required.\r\nTrace ID: 3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00\r\nCorrelation ID: 61f40c50-8756-4a39-bf9f-46499d6b1f82\r\nTimestamp: 2020-07-28 13:05:36Z","error_codes":[50097],"timestamp":"2020-07-28 13:05:36Z","trace_id":"3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00","correlation_id":"61f40c50-8756-4a39-bf9f-46499d6b1f82","error_uri":"https://login.microsoftonline.com/error?code=50097"}
	Headers: client-request-id: 61f40c50-8756-4a39-bf9f-46499d6b1f82
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Cache-Control: no-store, no-cache
Set-Cookie: fpc=xxxxx; expires=Thu, 27-Aug-2020 13:05:36 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly; SameSite=None
Date: Tue, 28 Jul 2020 13:05:36 GMT
WWW-Authenticate: PKeyAuth CertAuthorities=xxxxxx
x-ms-ests-server: 2.1.10877.10 - SAN ProdSlices
x-ms-request-id: xxx
X-Content-Type-Options: nosniff
Pragma: no-cache
x-ms-clitelem: 1,50097,0,,

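
Both logs in this thread show the same diagnostic pattern: the request reaches the token endpoint, gets a 401, and the AADSTS code in the response body says why. The Python helper below is an added example (not part of ADAL.NET, MSAL.NET or this thread) that parses the ADAL 5.x and MSAL 4.x line formats pasted above, extracts every AADSTS code, and annotates the three codes the thread resolves (7000218, 50097, 50011) with the causes the maintainers give; the sample logs are constructed from the pasted ones with masked values.

```python
import json
import re
from typing import Dict, Set

# Meaning of the AADSTS codes this thread runs into, per the maintainers' answers in it.
AADSTS_CAUSES: Dict[int, str] = {
    7000218: "client_secret/client_assertion demanded: app is not a public client (Default client type = Yes)",
    50097: "device authentication required: Conditional Access device policy, web view cannot satisfy it (WAM)",
    50011: "reply URL in the request does not match the app's registered redirect URIs",
}
# ADAL 5.x line:  Level timestamp: correlationId - file.cs: message
ADAL_LINE = re.compile(r"^(?:Information|Verbose|Warning|Error)\s+\S+:\s+"
                       r"(?P<corr>[0-9a-f-]{36})\s+-\s+\S+\.cs:\s+(?P<msg>.*)$")
# MSAL 4.x line:  Level (pii) MSAL version platform N/A [date[ - correlationId]] message
MSAL_LINE = re.compile(r"^(?:Info|Verbose|Warning|Error)\s+\((?:True|False)\)\s+MSAL\s+\S+\s+\S+"
                       r"\s+N/A\s+\[[^\]]*?(?:\s+-\s+(?P<corr>[0-9a-f-]{36}))?\]\s*(?P<msg>.*)$")
AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")
ADAL_CODES_RE = re.compile(r"Error Code\(s\):\s*([\d,\s]+)")
NULL_CORR = "00000000-0000-0000-0000-000000000000"  # ADAL's cache layer logs under this id


def codes_in(line: str) -> Set[int]:
    """Pull AADSTS codes out of one line: 'AADSTSnnn' text, ADAL's 'Error Code(s)', or JSON."""
    found = {int(c) for c in AADSTS_RE.findall(line)}
    for group in ADAL_CODES_RE.findall(line):
        found.update(int(c) for c in group.split(",") if c.strip())
    start = line.find("{")  # a ResponseBody line carries an "error_codes" array
    if start != -1 and line.endswith("}"):
        try:
            found.update(int(c) for c in json.loads(line[start:]).get("error_codes", []))
        except (ValueError, AttributeError):
            pass
    return found


def triage(log: str) -> Dict[str, object]:
    """Summarise what a pasted ADAL or MSAL log says about one token request."""
    library = oauth_error = None
    corrs, codes = [], set()
    refresh_attempted, succeeded, http_401 = False, False, 0
    for raw in log.splitlines():
        line = raw.strip()
        m = ADAL_LINE.match(line) or MSAL_LINE.match(line)
        if m:
            library = "ADAL" if m.re is ADAL_LINE else "MSAL"
            corr = m.group("corr")
            if corr and corr != NULL_CORR and corr not in corrs:
                corrs.append(corr)
            msg = m.group("msg")
        else:
            msg = line  # continuation lines: ErrorCode, ResponseBody, response headers
        refresh_attempted |= "Refreshing the AT based on the RT" in msg
        succeeded |= "Token Acquisition finished successfully" in msg
        http_401 += "401 (Unauthorized)" in msg
        if msg.startswith("ErrorCode:"):
            oauth_error = msg.split(":", 1)[1].strip()
        codes |= codes_in(msg)
    return {
        "library": library, "correlation_ids": corrs, "refresh_attempted": refresh_attempted,
        "http_401": http_401, "succeeded": succeeded, "oauth_error": oauth_error,
        "codes": sorted(codes),
        "causes": {c: AADSTS_CAUSES.get(c, "not covered here; see the AADSTS reference")
                   for c in sorted(codes)},
    }


# Constructed sample logs, modelled on the two logs pasted in this thread (values masked).
ADAL_SAMPLE = r"""
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Refreshing the AT based on the RT.
Information 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Error Code(s): 7000218
Information 2020-07-16T11:08:08.4860527Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Deserialized 1 items to token cache.
Information 2020-07-16T11:08:08.4980696Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: === Token Acquisition finished successfully. Access Token Hash: xxxx
"""
MSAL_SAMPLE = r"""
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Response status code does not indicate success: 401 (Unauthorized).
Error (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:37 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] MSAL.UAP.4.16.1.0.MsalUiRequiredException:
    ErrorCode: invalid_grant
    ResponseBody: {"error":"invalid_grant","error_description":"AADSTS50097: Device authentication is required.\r\nTrace ID: xxx","error_codes":[50097],"error_uri":"https://login.microsoftonline.com/error?code=50097"}
"""
```

Running triage() over a fresh paste is a quicker first check than reading the whole log: refresh_attempted with http_401 > 0 and code 7000218 is the public-client misconfiguration this thread ends on.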

Ok, at least here we can see the error.

Your tenant has a device policy enabled. Currently MSAL is not able to satisfy device policies on UWP (you can do it on .net fwk because you can use a system browser, but UWP does not allow system browsers).

To satisfy device policies, you need to use WAM (Web Authentication Manager). We are currently working on integrating WAM into MSAL, tracking issue here. This is pretty complex and it will take a while.

So you have a few options:

  • wait for us to complete the work
  • use WAM on your own (sample code here)
  • disable the CA policy until WAM integration is complete

@bgavrilMS, I tried WAM, and RequestTokenAsync failed with a 'ProviderError' response. Does WAM come with an inbuilt logger like ADAL/MSAL? If yes, could you please direct me towards a reference?

Sorry @Druffl3, WAM is a Windows component; my team doesn't own it. I have a PR opened with some integration on .net 45, but it will take some time for me to integrate it.

You can check the error message in wamResponse.ResponseError.ErrorMessage for more details.

Hi @bgavrilMS , I managed to get the cause of the error:

ProviderError
3399614473
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

This is a configuration issue, @Druffl3:
you need to set the Default client type for public client apps to Yes. See https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris

@jmprieur, from the reference link you shared, setting Default client type to Yes would mean that my application doesn't require a redirect URI. Now, I have a single app registered with my tenant, which I use with Android, iOS and UWP. Both iOS and Android require redirect URIs, so wouldn't setting Default client type to Yes hamper the login flow for these two platforms? It is also noted here https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-uwp-considerations that

On the UWP platform, the underlying WAB implementation doesn't work correctly in enterprise scenarios where conditional access is enabled. Users see symptoms of this problem when they try to sign in by using Windows Hello. When the user is asked to choose a certificate:

The certificate for the PIN isn't found.
After the user chooses a certificate, they aren't prompted for the PIN.
You can try to avoid this issue by using an alternative method such as username-password and phone authentication, but the experience isn't good.

Now, with the ADAL non-IWA flow as well, a token is acquired after the username-password flow, and when I attempted to fetch a token silently using AcquireTokenSilentAsync after token expiry, it failed with the same exception:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxx\r\nCorrelation ID: xxxx\r\nTimestamp: 2020-05-06 17:23:15Z","error_codes":[7000218],"timestamp":"2020-05-06 17:23:15Z","trace_id":"xxxx","correlation_id":"xxxx","error_uri":"https://login.microsoftonline.com/error?code=7000218"}: Unknown error

Does this mean that I will have to register a separate app with my tenant just for UWP usage, so that I can set Default client type to Yes?

@Druffl3, you don't need to register another app if you have only public client applications (desktop/mobile), which iOS, Android and UWP are. You can just set Default client type to true.

Also, @Druffl3: we recommend you move to MSAL.NET (ADAL.NET is on the deprecation path).
The corresponding sample is there: https://github.com/azure-samples/active-directory-xamarin-native-v2

@jmprieur, I did move to MSAL.NET, and as conveyed by @bgavrilMS, it has a challenge when conditional access policies are enabled. At his suggestion I moved to WAM, where the above-mentioned error was thrown. Therefore I am back to square one in fixing the issue with the tenant. Hopefully setting Default Client Type to Yes solves it.

That's an error returned by the AAD service, here's how I build my token request: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/f7fec85283fd8c0f11bc377bd3b3bd3b25eb425c/src/client/Microsoft.Identity.Client/Platforms/netdesktop/Broker/AadPlugin.cs#L101

@bgavrilMS, after setting Default Client Type to Yes, the client_secret issue got resolved, but it threw another error:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'xxxxx'.
Nowhere in the code did I pass the returnUri, and I don't see it being passed in your implementation either. Am I missing something?

This is a configuration issue, @Druffl3:
you need to set the Default client type for public client apps to Yes. See https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris

Thank you @jmprieur and @bgavrilMS, this resolved the issue with my ADAL UWP application. I will pay heed to your words and migrate to MSAL as soon as WAM works fine.

Thank you for following up @Druffl3