
MsalUIRequiredException in 2.7.1 library on iOS 12.1.4 using Safari when calling AcquireTokenForClientAsync #1073

Closed
6 tasks
RayGHeld opened this issue Apr 12, 2019 · 4 comments

Comments

@RayGHeld

Which version of MSAL are you using?
Note that to get help, you need to run the latest version. Preview versions are also ok.
For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet

MSAL 2.7.1

Platform

iOS versions <= 12.1.4

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • [x] OBO

Other? Please describe:
Users logging into a web site are stopped from using the site because the code is unable to obtain the bearer token to call the webapi when being accessed from Chrome or Safari browsers on the iOS devices with version 12.1.4 or less. The issue does occasionally occur on version 12.2.1. Everything works fine on PC or Android.

This issue began on or around March 25th, 2019.

The customer has tried the steps in this stack overflow but it does not resolve the issue: https://stackoverflow.com/questions/52544576/azure-active-directory-safari-redirection-issue

Is this a new or existing app?

a.

Repro

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

private async Task<AuthenticationResult> GetBearerTokenAsync()
{
    // Retrieve the token with the specified scopes
    var scope = AzureOptions.ApiScopes.Split(' ');
    string signedInUserID = _currentContext.User.FindFirst(ClaimTypes.NameIdentifier).Value;

    // Per-user token cache, keyed on the signed-in user's id
    TokenCache userTokenCache = new MSALSessionCache(signedInUserID, _currentContext).GetMsalCacheInstance();
    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        AzureOptions.ClientId, AzureOptions.Authority, AzureOptions.RedirectUri,
        new ClientCredential(AzureOptions.ClientSecret), userTokenCache, null);

    // FirstOrDefault() yields null when the cache holds no account for this user,
    // which produces the "Null account was passed in AcquireTokenSilent" error seen in App Insights
    IAccount account = (await cca.GetAccountsAsync()).FirstOrDefault();
    AuthenticationResult result = null;
    try
    {
        result = await cca.AcquireTokenSilentAsync(scope, account, AzureOptions.Authority, false);
    }
    catch (MsalUiRequiredException)
    {
        // Falls back to an app-only (client credentials) token
        result = await cca.AcquireTokenForClientAsync(scope);
    }
    return result;
}
```

Expected behavior
The bearer token should be retrieved.

Actual behavior
Exception is thrown (error in app insights): Null account was passed in AcquiretokenSilent API. Pass in an account object or call acquireToken to authenticate.

Possible Solution

Additional context/ Logs / Screenshots
Add any other context about the problem here, such as logs and screenshots. Logging is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

@jennyf19
Collaborator

The issue seems similar to the Security Advisory mentioned by ASP.NET, have you tried the workaround listed in this GitHub issue?

In addition to the above, I would suggest updating to the latest version of MSAL (3.0.4-preview).
Here’s an overview on how to update from v2 to v3.

Specifically on using confidential clients.

Also, when looking at the code shared, it’s a little confusing as to what you're trying to do. In the flow you’re using, you try to use a user token cache, but you should be using the app cache.

Spend some time going through these tutorials, which are really good and have examples of best practices:

If you want to call AcquireToken for a client, this is a daemon scenario. In that case, you don’t need a cache, as the daemon does the caching itself. You can use an application cache, but not a user cache.
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2#scope-of-this-tutorial

Since you're B2C, they might be interested in this tutorial which is an ASP.NET Core web app.

https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp

Also, by updating to 3.0.4-preview, you’ll get some of the latest fixes for b2c (handling custom domains) and iOS (MSAL now initializes an HttpClient with NsUrlSessionHandler() for iOS 7+).

Once you’ve updated and fixed any issues in the code, please send us the logs using the latest MSAL build.
Let us know if you need help with any of this.
cc: @jmprieur
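The separation described above (app token cache for the daemon/client-credentials path, user account for the delegated path, and no silent fallback from one to the other) written out against the MSAL.NET 3.x builder API. This is an added example, not code from the issue or from MSAL itself; it assumes the `AzureOptions` members named in the repro and a `TokenProvider` class name chosen here.

```csharp
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (hypothetical class); assumes AzureOptions exposes the same static
// members used in the issue's repro and MSAL.NET 3.x (builder API).
public class TokenProvider
{
    private readonly IConfidentialClientApplication _app;

    public TokenProvider()
    {
        // One application object per process. MSAL keeps the app token cache inside
        // it, so client-credential tokens are reused until they expire.
        _app = ConfidentialClientApplicationBuilder.Create(AzureOptions.ClientId)
            .WithClientSecret(AzureOptions.ClientSecret)
            .WithAuthority(AzureOptions.Authority)
            .WithRedirectUri(AzureOptions.RedirectUri)
            .Build();
    }

    // Daemon / app-only scenario: the token carries application permissions and
    // names no user, so no user account and no user token cache are involved.
    public Task<AuthenticationResult> GetAppTokenAsync(string[] scopes)
    {
        return _app.AcquireTokenForClient(scopes).ExecuteAsync();
    }

    // Web API on-behalf-of scenario: exchange the caller's incoming access token
    // for a token to the downstream API; the result stays bound to that user.
    public Task<AuthenticationResult> GetOboTokenAsync(string[] scopes, string incomingAccessToken)
    {
        var assertion = new UserAssertion(incomingAccessToken);
        return _app.AcquireTokenOnBehalfOf(scopes, assertion).ExecuteAsync();
    }

    // Delegated (web app) scenario: renew the signed-in user's token silently. A
    // null account means nothing is cached for this user, so report that the user
    // must sign in again instead of quietly switching to an app-only token, which
    // would let the downstream call run with application rather than user rights.
    public Task<AuthenticationResult> GetUserTokenAsync(string[] scopes, IAccount account)
    {
        if (account == null)
        {
            throw new MsalUiRequiredException("no_cached_account",
                "No account in the token cache for this user; interactive sign-in is required.");
        }
        // MsalUiRequiredException from here is left to propagate to the OIDC challenge.
        return _app.AcquireTokenSilent(scopes, account).ExecuteAsync();
    }
}
```

The caller that handles `MsalUiRequiredException` should trigger the web app's sign-in challenge; an app-only token is not an interchangeable substitute for a user token.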

@jennyf19
Collaborator

@RayGHeld this was resolved correct?

@RayGHeld
Author

RayGHeld commented Apr 15, 2019 via email

@jennyf19
Collaborator

Thanks @RayGHeld Closing.

Resolution:

  • Update to MSAL v3.0.4-preview and fix a few B2C issues (they worked w/B2C support on this, so not sure exactly what happened).

cc: @jmprieur
