Skip to content

[Bug] Improve devex for AcquireTokenSilent + MSA-PT #3077

New issue
New issue
Closed as not planned
Closed as not planned
[Bug] Improve devex for AcquireTokenSilent + MSA-PT#3077
Labels
Feature Requestepicworkaround exists
@mjcheetham

Description

@mjcheetham
mjcheetham
opened on Dec 16, 2021

Which version of MSAL.NET are you using?
MSAL.NET 4.37.0

Platform
.NET 5.0 macOS x64

What authentication flow has the issue?

  • Desktop / Mobile
    • Silent

Is this a new or existing app?

a. The app is in production, and I have upgraded to a new version of MSAL.

Repro

const string azDev = "499b84ac-1321-427f-aa17-267ca6975798"; const string clientId = "d735b71b-9eee-4a4f-ad23-421660877ba6"; const string authority = "https://login.microsoftonline.com/organizations"; const string redirectUri = "http://localhost"; string scopes = new[]{ $"{azDev}/vso.code_full" }; var pca = PublicClientApplicationBuilder.Create(clientId) .WithAuthority(authority) .WithRedirectUri(redirectUri) .Build(); RegisterTokenCache(pca.UserTokenCache); var result1 = await pca.AcquireTokenInteractive(scopes).ExecuteAsync(); string userName = result1.Account.Username; var result2 = await pca.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();

Expected behavior
The ATS call succeeds.

Actual behavior
An MsalServiceException is thrown:

"Application '499b84ac-1321-427f-aa17-267ca6975798'(Azure DevOps) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.

Possible solution

We have worked around this by using the "MSFT Services tenant" to 'exchange' these MSA tokens for use with the MSA-PT resource (Azure DevOps).

IAccount account = result1.Account; var atsBuilder = app.AcquireTokenSilent(scopes, account); // If the account is an MSA we must target the special "MSA-PT transfer tenant" var msaTenantId = new Guid("9188040d-6c67-4c5b-b112-36a304b66dad"); var transferTenantId = new Guid("f8cdef31-a31e-4b4a-93e4-5f571e91255a"); if (Guid.TryParse(account.HomeAccountId.TenantId, out Guid homeTenantId) && homeTenantId == msaTenantId) { atsBuilder = atsBuilder.WithTenantId(transferTenantId.ToString("D")); } var result2 = await atsBuilder.ExecuteAsync();

Additional context / logs / screenshots / links to code

We are using MSA-PT (as a first party application) because the resource (Azure DevOps) only accepts AAD & MSA-PT tokens (not MSA native).

Also the workaround we have here only works for the public Azure cloud.

cc: @bgavrilMS

Metadata

Metadata

Assignees

No one assigned

    Labels

    Feature Requestepicworkaround exists

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions