
[Bug] IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user


Which version of Microsoft Identity Web are you using? Microsoft Identity Web 1.1.0, but I saw the same issue with version 1.0.0

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • [x] Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? This is a new app or an experiment.

Repro

startup.cs:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("GraphApi"))
    .AddInMemoryTokenCaches();

appsettings.json

...
  "AzureAD": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "{domain}",
    "ClientId": "{client id}",
    "TenantId": "{tenant id}",
    "Audience": "api://{application id}",
    "ClientSecret": "{secret key}",
  },
  "GraphApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "Application.Read.All Application.ReadWrite.All Directory.Read.All Directory.ReadWrite.All"
  }, 
...

controller:

[HttpPost]
public async Task<string> Post()
{
    var applications = await _graphServiceClient.Applications
        .Request()
        .GetAsync();

    return applications.Count.ToString();
}

Expected behavior: Access to the list of applications in Microsoft Graph.

I can generate an application token manually using Postman, which looks like the following, confirming that the configuration of the Application is correct in Azure AD:

[...more json]
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1602055659,
  "nbf": 1602055659,
  "exp": 1602059559,
  "aio": "[...]",
  "app_displayname": "My app",
  "appid": "{App id guid}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "idtyp": "app",
  "oid": "{guid}",
  "rh": "[...]",
  "roles": [
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.Read.All",
    "Application.Read.All"
  ],
  "sub": "{guid}",
  "tenant_region_scope": "EU",
  "tid": "{tenant id}",
  "uti": "[...]",
  "ver": "1.0",
  "xms_tcdt": 1597308440
}.[Signature]

Actual behavior: I get this exception when running the Post controller.

Status Code: 0
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.
 ---> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
 ---> MSAL.NetCore.4.19.0.0.MsalUiRequiredException: ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.
   at Microsoft.Identity.Client.AcquireTokenSilentParameterBuilder.Validate()
   at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ValidateAndCalculateApiId()
   at Microsoft.Identity.Client.AbstractClientAppBaseAcquireTokenParameterBuilder`1.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ExecuteAsync()
   at [… etc. …]

Top GitHub Comments

jmprieur commented, Oct 9, 2020

@1iveowl: Oh I see, you need app permissions, not user permissions:

  • your web API is anonymous
  • and you want to call the Graph on behalf of the application itself, not on behalf of the user.

This is possible, but not fully automatic today. We have a feature request to make that happen in a nicer way: https://github.com/AzureAD/microsoft-identity-web/issues/654

To have it work in your case, you could get inspired by the ASP.NET Core Graph web hooks sample where the GraphServiceClient can only be used for delegated scopes:
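As an added illustration of the maintainer's point (this is not the issue author's code, nor Microsoft Identity Web's own sample), the controller below acquires an app-only token with `ITokenAcquisition.GetAccessTokenForAppAsync` and hands it to a `GraphServiceClient` itself, instead of relying on the injected client, which in Microsoft Identity Web 1.x is wired for delegated scopes only. It assumes the issue's Startup registration (`EnableTokenAcquisitionToCallDownstreamApi` plus a token cache) is unchanged, Microsoft.Identity.Web 1.x and Microsoft.Graph SDK 3.x; the controller name and route are illustrative.

```csharp
// Added example (not from the issue or the project): app-only Graph call from a
// web API whose own endpoint is anonymous, as described in the comment above.
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Graph;
using Microsoft.Identity.Web;

[ApiController]
[Route("[controller]")] // hypothetical route, not from the issue
public class ApplicationsController : ControllerBase
{
    // Registered by EnableTokenAcquisitionToCallDownstreamApi() in Startup.
    private readonly ITokenAcquisition _tokenAcquisition;

    public ApplicationsController(ITokenAcquisition tokenAcquisition)
    {
        _tokenAcquisition = tokenAcquisition;
    }

    // App-only tokens are requested with the resource's "/.default" scope. The
    // permissions actually granted are the application roles consented in Azure AD
    // (the "roles" claim in the issue's Postman token); the delegated "Scopes"
    // value in appsettings.json plays no part in this flow.
    private const string GraphAppScope = "https://graph.microsoft.com/.default";

    [HttpPost]
    public async Task<string> Post()
    {
        // Client-credentials flow: there is no signed-in user, so no
        // AcquireTokenSilent lookup and therefore no MsalUiRequiredException
        // (ErrorCode user_null) as seen in the issue's stack trace.
        string token = await _tokenAcquisition.GetAccessTokenForAppAsync(GraphAppScope);

        // Attach the app token to every Graph request ourselves.
        var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(request =>
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            return Task.CompletedTask;
        }));

        var applications = await graphClient.Applications.Request().GetAsync();
        return applications.Count.ToString();
    }
}
```

Because the token carries tenant-wide application roles rather than one user's permissions, the roles granted to the app registration should be limited to what this endpoint needs.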

jmprieur commented, Oct 8, 2020

@1iveowl

Otherwise if you think that can happen in prod, you should have the Web API emit a www-authenticate header, and the client needs to process it. See https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2. Web API now calls Microsoft Graph#handling-required-interactions-with-the-user-dynamic-consent-mfa-etc for details.

I know that this is a lot of things to read, but this scenario is a bit complicated …
