[Bug] AcquireTokenSilent not respecting WithExtraQueryParameters
Which version of MSAL are you using? 4.19.0
Platform: net45
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app? b. The app is in production, migrating from ADAL
Repro

```csharp
string resource1 = "";
string resource2 = "";
var application = PublicClientApplicationBuilder
    .Create(ClientId)
    .WithAdfsAuthority(adfs)
    .WithRedirectUri(RedirectUri)
    .WithLogging(Log, LogLevel.Verbose, true, false)
    .Build();

// First call: interactive, asking ADFS for resource1 via the extra query parameter.
var result1 = await application.AcquireTokenInteractive(scopes)
    .WithUseEmbeddedWebView(true)
    .WithExtraQueryParameters($"resource={WebUtility.UrlEncode(resource1)}")
    .ExecuteAsync();

// Second call: silent (refresh token grant), asking for resource2.
// The extra query parameter is not forwarded to the token request here.
var accounts = await application.GetAccountsAsync();
var result2 = await application.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
    .WithForceRefresh(true)
    .WithExtraQueryParameters($"resource={WebUtility.UrlEncode(resource2)}")
    .ExecuteAsync();
```
Expected behavior
I have 2 APIs with different claims from an ADFS. Different resource URIs too. Using the resource parameter I can only get the claims for the first API.
I expect that the first and second results have access tokens with different claims due to the ADFS API configuration.
Actual behavior
It receives the first resource's claims always, even using the refresh token. Tested using Postman and I receive the different claims correctly, passing the resource query string when calling the token endpoint with grant_type=refresh_token&resource=resource2.
It should always respect the WithExtraQueryParameters for the queries.
Possible Solution
I think that the issue is near this line, where I don't see the ExtraQueryParameters being passed for the new token.
Issue analytics: created 3 years ago; 7 comments (4 by maintainers)
Top GitHub Comments
So to try to unblock you, you can take over the http communication and change any params you want, see https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-provide-httpclient
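One way to act on that suggestion, as an added example (not code from the issue or from MSAL itself): an `IMsalHttpClientFactory` whose `DelegatingHandler` rewrites the `resource` form field on refresh-token requests to the token endpoint, so the silent call asks ADFS for the API the caller currently wants. `ResourceRewriteHandler`, `RewritingHttpClientFactory` and the `resourceSelector` callback are hypothetical names; the handler deliberately never logs the request body, because it carries the refresh token.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical workaround handler: on refresh-token POSTs to the token endpoint,
// replace the "resource" form field with the value the caller selects.
public sealed class ResourceRewriteHandler : DelegatingHandler
{
    private readonly Func<string> _resourceSelector; // assumption: caller picks resource1/resource2

    public ResourceRewriteHandler(Func<string> resourceSelector)
        : base(new HttpClientHandler()) => _resourceSelector = resourceSelector;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Only form-encoded POSTs are token requests; metadata/discovery GETs pass through untouched.
        if (request.Method == HttpMethod.Post &&
            request.Content?.Headers.ContentType?.MediaType == "application/x-www-form-urlencoded")
        {
            var body = await request.Content.ReadAsStringAsync().ConfigureAwait(false);
            // Decode the form body into key/value pairs ('+' is a space in form encoding).
            var fields = body.Split('&')
                .Select(p => p.Split(new[] { '=' }, 2))
                .ToDictionary(
                    kv => Uri.UnescapeDataString(kv[0].Replace('+', ' ')),
                    kv => kv.Length > 1 ? Uri.UnescapeDataString(kv[1].Replace('+', ' ')) : "");

            if (fields.TryGetValue("grant_type", out var grant) && grant == "refresh_token")
            {
                fields["resource"] = _resourceSelector();            // the value MSAL dropped
                request.Content = new FormUrlEncodedContent(fields); // re-encode, nothing logged
            }
        }
        return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
    }
}

// Factory handed to MSAL so every token request goes through the handler above.
public sealed class RewritingHttpClientFactory : IMsalHttpClientFactory
{
    private readonly HttpClient _client;

    public RewritingHttpClientFactory(Func<string> resourceSelector)
        => _client = new HttpClient(new ResourceRewriteHandler(resourceSelector));

    public HttpClient GetHttpClient() => _client;
}
```

Register it with `.WithHttpClientFactory(new RewritingHttpClientFactory(() => resource2))` on the `PublicClientApplicationBuilder` before `.Build()`, and keep the `WithExtraQueryParameters` call for the interactive request as in the repro.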
Sending a "resource" param is an ADFS concept I am not familiar with, probably because it is not OAuth spec compliant. OAuth allows client apps to request claims, which can be achieved via configuration and by sending a claims JSON in MSAL's `.WithClaims`. See https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims for details.
Thank you for posting your solution @smartcodinghub!
@jmprieur - do you know who to follow up with for ADFS?