[Bug] AcquireTokenSilent should not make calls to the network unless required
Which version of MSAL are you using? MSAL 4.7.1
Platform Xamarin.Android
What authentication flow has the issue?
- Desktop / Mobile
  - Interactive
  - Integrated Windows Auth
  - Username Password
  - Device code flow (browserless)
- Web App
  - Authorization code
  - OBO
- Web API
  - OBO
Is this a new or existing app? This is a new app
Repro
IEnumerable<IAccount> accounts = await PCA.GetAccountsAsync();
IAccount account = GetAccountByPolicy(accounts, B2CConstants.PolicySignUpSignIn);
AuthenticationResult ar = await PCA.AcquireTokenSilent(B2CConstants.Scopes, account)
    .WithB2CAuthority(B2CConstants.Authority)
    .ExecuteAsync();
Expected behavior: If there is a valid token in the TokenCache, return the AuthenticationResult without a network call; fall back to a refresh-token network call only if required.
Actual behavior: If there is a valid token in the TokenCache and no network connectivity (Android emulator, flight mode), a network call is attempted, which leads to an exception:

Java.Net.UnknownHostException: ‘Unable to resolve host “xxx.b2clogin.com”: No address associated with hostname’
Additional context / Logs / Screenshots: I have confirmed that the returned account is correct. This can be tested by turning flight mode on and off; the above always fails with the UnknownHostException when in flight mode, even moments after a successful silent login with connectivity enabled.
Possible solution: I saw in https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/1174:

> GetAccountsAsync and AcquireTokenSilent (when a valid AT is in the cache) no longer make network calls unless an atypical authority host is used (i.e. something other than https://login.microsoft.com etc.). For a full list of these authorities, see https://aka.ms/aad-instance-discovery

b2clogin.com is now offered as a typical authority host; shouldn't this similarly not lead to a network call?
Issue Analytics
- Created: 4 years ago
- Comments: 9 (4 by maintainers)
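The following is an added example, not the issue author's code or the MSAL.NET project's own sample. It shows the cache-first pattern the report expects (AcquireTokenSilent served from the TokenCache, interactive sign-in only on MsalUiRequiredException) and reflects the thread's resolution: the silent call can only be satisfied from the cache when an access token exists for the scopes actually requested, so the example requests an explicit API scope rather than an empty scope set. All of B2CConstants (tenant, policy, client ID, redirect URI, scope URI), the TokenProvider class, the OfflineException type, and the IsNetworkFailure heuristic are assumptions introduced here; the GetAccountByPolicy matching follows the approach used in the public MSAL B2C samples and is assumed to be what the reporter's helper does.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Placeholder registration values (assumed): replace with your own B2C tenant,
// user-flow policy, app registration and API scope URI.
public static class B2CConstants
{
    public const string Tenant = "yourtenant.onmicrosoft.com";
    public const string PolicySignUpSignIn = "B2C_1_susi";
    public const string Authority = "https://yourtenant.b2clogin.com/tfp/" + Tenant + "/" + PolicySignUpSignIn;
    public const string ClientId = "00000000-0000-0000-0000-000000000000";
    public const string RedirectUri = "msal" + ClientId + "://auth";

    // Request a concrete API scope. With no scope there is no access token in the
    // cache to match, so MSAL falls through to the refresh (network) path.
    public static readonly string[] Scopes = { "https://" + Tenant + "/api/User.Read" };
}

// Thrown when the silent call failed only because the device has no connectivity.
public sealed class OfflineException : Exception
{
    public OfflineException(Exception inner) : base("No network connectivity; cached token unavailable or expired.", inner) { }
}

public sealed class TokenProvider
{
    private readonly IPublicClientApplication _pca;
    private readonly object _parentActivity; // the Android Activity hosting the browser

    public TokenProvider(object parentActivity)
    {
        _parentActivity = parentActivity;
        _pca = PublicClientApplicationBuilder.Create(B2CConstants.ClientId)
            .WithB2CAuthority(B2CConstants.Authority)
            .WithRedirectUri(B2CConstants.RedirectUri)
            .Build();
    }

    // Cache first; interactive only when MSAL says the user must sign in again.
    public async Task<AuthenticationResult> GetTokenAsync(bool allowInteractive)
    {
        IEnumerable<IAccount> accounts = await _pca.GetAccountsAsync();
        IAccount account = GetAccountByPolicy(accounts, B2CConstants.PolicySignUpSignIn);

        if (account != null)
        {
            try
            {
                // Served from the TokenCache when an unexpired access token for
                // these scopes is present; no network round-trip is needed then.
                return await _pca.AcquireTokenSilent(B2CConstants.Scopes, account)
                    .WithB2CAuthority(B2CConstants.Authority)
                    .ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // No usable access or refresh token: fall through to interactive.
            }
            catch (MsalException ex) when (IsNetworkFailure(ex))
            {
                // Offline and nothing cached that satisfies the request: surface
                // that to the caller instead of prompting for sign-in.
                throw new OfflineException(ex);
            }
        }

        if (!allowInteractive) return null;

        return await _pca.AcquireTokenInteractive(B2CConstants.Scopes)
            .WithAccount(account)
            .WithParentActivityOrWindow(_parentActivity)
            .ExecuteAsync();
    }

    // Heuristic (assumed): treat an HttpRequestException or a platform
    // UnknownHostException anywhere in the inner chain as "no connectivity".
    private static bool IsNetworkFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is HttpRequestException) return true;
            if (e.GetType().Name.EndsWith("UnknownHostException", StringComparison.Ordinal)) return true;
        }
        return false;
    }

    // B2C encodes the policy name in the home account object id; pick the
    // account that was signed in through the given user flow.
    private static IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy)
    {
        foreach (IAccount account in accounts)
        {
            string userIdentifier = account.HomeAccountId.ObjectId.Split('.')[0];
            if (userIdentifier.EndsWith(policy.ToLowerInvariant(), StringComparison.Ordinal))
                return account;
        }
        return null;
    }
}
```

Calling `GetTokenAsync(allowInteractive: false)` at app start is a useful offline check: with a valid cached token for the requested scopes it returns immediately from the cache; an OfflineException at that point means the cache held nothing for those scopes, which is the symptom the thread traced to requesting no API scope at all.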
Top GitHub Comments
Now working as expected when passing a valid scope ✔
Thanks for having a look @TiagoBrenck. I compared the sample code with my code, and couldn’t find any functional differences, except the sample has an API scope when acquiring tokens… as @bgavrilMS had discussed above.
I found a different way in the B2C tenant portal to add a scope to the application, and have got MSAL working as expected. Glad that https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/715 is on the roadmap for this login-only use case.
For others attempting to configure B2C to get this working, it works with the User.Read test scope as follows:
The B2C Tenant application does not need to include web app / web api for this to work.
I have described the steps in this way because it was not initially clear to me what the correct URL would be for my User.Read scope; the B2C “Application Registrations” view which is in preview makes this more obvious.
Closing as dupe of #715