[Bug] IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user
Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.1.0, but I saw the same issue with version 1.0.0
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- [x] Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app? This is a new app or an experiment.
Repro
startup.cs:
```csharp
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("GraphApi"))
    .AddInMemoryTokenCaches();
```
appsettings.json (excerpt; the trailing comma after `ClientSecret` in the original is removed so the fragment is valid JSON):
```json
"AzureAD": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "{domain}",
  "ClientId": "{client id}",
  "TenantId": "{tenant id}",
  "Audience": "api://{application id}",
  "ClientSecret": "{secret key}"
},
"GraphApi": {
  "BaseUrl": "https://graph.microsoft.com/v1.0",
  "Scopes": "Application.Read.All Application.ReadWrite.All Directory.Read.All Directory.ReadWrite.All"
}
```
controller:
```csharp
[HttpPost]
public async Task<string> Post()
{
    // _graphServiceClient is the GraphServiceClient registered by AddMicrosoftGraph
    var applications = await _graphServiceClient.Applications
        .Request()
        .GetAsync();
    return applications.Count.ToString();
}
```
Expected behavior: access to the list of applications in Microsoft Graph.
I can generate an application token manually using Postman, which looks like the following, confirming that the configuration of the Application is correct in Azure AD:
[...more json] (JWT header)
```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1602055659,
  "nbf": 1602055659,
  "exp": 1602059559,
  "aio": "[...]",
  "app_displayname": "My app",
  "appid": "{App id guid}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "idtyp": "app",
  "oid": "{guid}",
  "rh": "[...]",
  "roles": [
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.Read.All",
    "Application.Read.All"
  ],
  "sub": "{guid}",
  "tenant_region_scope": "EU",
  "tid": "{tenant id}",
  "uti": "[...]",
  "ver": "1.0",
  "xms_tcdt": 1597308440
}
```
.[Signature]
Actual behavior: I get this exception when running the Post controller.
```text
Status Code: 0
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.
 ---> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
 ---> MSAL.NetCore.4.19.0.0.MsalUiRequiredException: ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.
   at Microsoft.Identity.Client.AcquireTokenSilentParameterBuilder.Validate()
   at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ValidateAndCalculateApiId()
   at Microsoft.Identity.Client.AbstractClientAppBaseAcquireTokenParameterBuilder`1.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ExecuteAsync()
   at [... etc. ...]
```
Top GitHub Comments
@1iveowl: Oh I see, you need app permissions, not user permissions:
This is possible, but not fully automatic today. We have a feature request to make that happen in a nicer way: https://github.com/AzureAD/microsoft-identity-web/issues/654
To have it work in your case, you could get inspired by the ASP.NET Core Graph web hooks sample, where the GraphServiceClient can only be used for delegated scopes:
@1iveowl
Otherwise if you think that can happen in prod, you should have the Web API emit a www-authenticate header, and the client needs to process it. See https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2. Web API now calls Microsoft Graph#handling-required-interactions-with-the-user-dynamic-consent-mfa-etc for details.
I know that this is a lot of things to read, but this scenario is a bit complicated …
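The first comment's point, as an added example that is not from the issue or from the Microsoft Identity Web project: the `GraphServiceClient` that `AddMicrosoftGraph` registers in 1.x always runs the On-Behalf-Of flow for the user in the incoming token, so when the caller presented an app-only (client-credentials) token there is no user account to pass to `AcquireTokenSilent`, which is exactly the `user_null` / IDW10502 failure above. The example below assumes Microsoft Identity Web 1.x and Microsoft.Graph 3.x (the versions the repro uses) and uses two real APIs, `ITokenAcquisition.GetAccessTokenForAppAsync` and `DelegateAuthenticationProvider`, to build a separate client for the API's own identity when the caller is an application; the controller, helper names and the "no `scp` claim means app-only" heuristic are assumptions of this example.

```csharp
// Added example, not code from the issue or from Microsoft Identity Web.
// Assumes: Microsoft.Identity.Web 1.x, Microsoft.Graph 3.x, and that the API's
// app registration has the needed *application* permissions admin-consented.
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Graph;
using Microsoft.Identity.Web;

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class ApplicationsController : ControllerBase
{
    private readonly ITokenAcquisition _tokenAcquisition;
    // The client AddMicrosoftGraph registers: delegated (OBO) only, needs a user in the token.
    private readonly GraphServiceClient _delegatedGraphClient;

    public ApplicationsController(ITokenAcquisition tokenAcquisition,
                                  GraphServiceClient delegatedGraphClient)
    {
        _tokenAcquisition = tokenAcquisition;
        _delegatedGraphClient = delegatedGraphClient;
    }

    [HttpPost]
    public async Task<ActionResult<string>> Post()
    {
        // App-only caller: OBO is impossible (no user), so use the API's own identity.
        // Delegated caller: keep the injected OBO client so the user's permissions apply.
        GraphServiceClient graph = IsAppOnlyCaller(User)
            ? await BuildAppOnlyGraphClientAsync()
            : _delegatedGraphClient;

        var applications = await graph.Applications.Request().GetAsync();
        return applications.Count.ToString();
    }

    // Heuristic (assumption of this example): a delegated access token carries a scope
    // claim ("scp", or its long-form URI after claim mapping); a client-credentials
    // token carries "roles" only.
    private static bool IsAppOnlyCaller(ClaimsPrincipal principal) =>
        !principal.HasClaim(c => c.Type == "scp"
                              || c.Type == "http://schemas.microsoft.com/identity/claims/scope");

    private async Task<GraphServiceClient> BuildAppOnlyGraphClientAsync()
    {
        // Client-credentials token for the API itself; ".default" asks for every application
        // permission granted to this app registration in the tenant.
        string token = await _tokenAcquisition.GetAccessTokenForAppAsync(
            "https://graph.microsoft.com/.default");

        return new GraphServiceClient(new DelegateAuthenticationProvider(request =>
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            return Task.CompletedTask;
        }));
    }
}
```

Two things worth checking when taking this route: the app-only client acts with the API's full granted permissions regardless of who called, so callers should still be authorized (for example with a role requirement on the endpoint) before the branch is taken, and the permissions granted should match what the code does. The repro's configuration requests `Application.ReadWrite.All` and `Directory.ReadWrite.All` while the controller only lists applications, for which `Application.Read.All` is enough.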