[Feature Request] Add an option to bypass User Discovery when using UsernamePasswordParameters with acquireToken #834
Labels: Enhancement (a request or suggestion to improve some aspect of the library); public-client (for questions/issues related to public client apps)
MSAL client type: Public
Problem Statement
When executing acquireToken on the PublicClientApplication with a UsernamePasswordParameters object, user discovery is performed to understand whether the user is federated or not. If the user is federated, a WS-Trust request is made to obtain a SAML 1.1 token, which is then exchanged for a JWT via Entra ID.
For some time now, Entra ID has supported (but discourages) the ROPC flow for federated users directly against Entra ID:
If you have everything set up on Entra ID, MSAL will still not do ROPC against Entra ID, since it makes the decision based on user discovery, i.e. on the username in the UsernamePasswordParameters object.
Proposed solution
Add a parameter to tell MSAL to bypass user discovery and make the ROPC request directly against the configured authority, regardless of whether the user is federated or not.
Alternatives
As of now the only alternative is to use a cloud-only (non-federated) user.
cc: @Avery-Dunn
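For reference, the request the proposal asks MSAL to send unconditionally is the plain OAuth 2.0 password grant against the v2.0 token endpoint of the configured authority. The following is an added example (not part of this issue and not MSAL's own code) that performs that exchange directly over HTTP in Python, which is how a practitioner can reproduce the "ROPC straight against Entra ID" behaviour today without going through MSAL's user discovery. The tenant, client ID, account and scope values are placeholders, and the example assumes the app registration is a public client with public client flows enabled and that the tenant's federation settings permit ROPC for the account, as the issue describes.

```python
"""Direct ROPC (password grant) against the Entra ID v2.0 token endpoint.

Added example, not part of the original issue or of MSAL. Placeholder
values (tenant, client id, account) are assumptions for illustration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v2.0/token"  # v2.0 token endpoint relative to the authority


def build_ropc_request(authority: str, client_id: str, username: str,
                       password: str, scopes: list[str]) -> tuple[str, bytes]:
    """Return (url, form-encoded body) for a password grant.

    This is the request MSAL issues only after user discovery decides the
    account is cloud-only; building it here skips that decision entirely.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    url = authority.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    }).encode()
    return url, body


def parse_token_response(status: int, raw: bytes) -> dict:
    """Parse the JSON token response; raise on an OAuth error response.

    Entra ID answers a rejected grant with HTTP 400 and an "error" /
    "error_description" pair, so both the status and the body are checked.
    """
    data = json.loads(raw.decode())
    if status != 200 or "error" in data:
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise RuntimeError("unexpected token response shape")
    return data


def acquire_token_ropc(authority: str, client_id: str, username: str,
                       password: str, scopes: list[str]) -> dict:
    """Send the grant and return the parsed token response (network call)."""
    url, body = build_ropc_request(authority, client_id, username, password, scopes)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # A 4xx carries the OAuth error JSON in its body; surface it.
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    # Placeholder values (assumption): replace with a real tenant, public
    # client id, account and scope before running against Entra ID.
    result = acquire_token_ropc(
        "https://login.microsoftonline.com/contoso.onmicrosoft.com",
        "00000000-0000-0000-0000-000000000000",
        "user@contoso.com", "<password>",
        ["https://graph.microsoft.com/.default"])
    print(result["token_type"], "token expires in", result["expires_in"], "s")
```

Note the security trade-off the "(but discourages)" in the issue refers to: the grant sends the user's cleartext password to the token endpoint, cannot satisfy MFA or Conditional Access challenges, and, as written above, makes no attempt to detect a federated account, so a misconfigured tenant simply returns an error rather than falling back to WS-Trust.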