[Bug] IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user
See original GitHub issueWhich version of Microsoft Identity Web are you using? Microsoft Identity Web 1.1.0, but I saw the same issue with version 1.0.0
Where is the issue?
- Web app
- Sign-in users
- Sign-in users and call web APIs
- Web API
- Protected web APIs (validating tokens)
- Protected web APIs (validating scopes)
- [x ] Protected web APIs call downstream web APIs
- Token cache serialization
- In-memory caches
- Session caches
- Distributed caches
- Other (please describe)
Is this a new or an existing app? This is a new app or an experiment.
Repro
startup.cs:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(Configuration.GetSection("GraphApi"))
.AddInMemoryTokenCaches();
appsettings.json
...
"AzureAD": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "{domain}",
"ClientId": "{client id}",
"TenantId": "{tenant id}",
"Audience": "api://{application id}",
"ClientSecret": "{secret key}",
},
"GraphApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"Scopes": "Application.Read.All Application.ReadWrite.All Directory.Read.All Directory.ReadWrite.All"
},
...
controller:
[HttpPost]
public async Task<string> Post()
{
var applications = await _graphServiceClient.Applications
.Request()
.GetAsync();
return applications.Count.ToString();
}
Expected behavior Access to list of applications in Microsoft Graph.
I can generate an application token manually using Postman, which looks like the following, confirming that the configuration of the Application is correct in Azure AD.:
[...more json]
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{tenant id}/",
"iat": 1602055659,
"nbf": 1602055659,
"exp": 1602059559,
"aio": "[...]",
"app_displayname": "My app",
"appid": "{App id guid}",
"appidacr": "1",
"idp": "https://sts.windows.net/{tenant id}/",
"idtyp": "app",
"oid": "{guid}",
"rh": "[...]",
"roles": [
"Application.ReadWrite.All",
"Directory.ReadWrite.All",
"Directory.Read.All",
"Application.Read.All"
],
"sub": "{guid}",
"tenant_region_scope": "EU",
"tid": "{tenant id}",
"uti": "[...]",
"ver": "1.0",
"xms_tcdt": 1597308440
}.[Signature]
Actual behavior I get this exception exception when running the Post controller.
Status Code: 0 Microsoft.Graph.ServiceException: Code: generalException Message: An error occurred sending the request. —> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. —> MSAL.NetCore.4.19.0.0.MsalUiRequiredException: ErrorCode: user_null Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call. at Microsoft.Identity.Client.AcquireTokenSilentParameterBuilder.Validate() at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder
1.ValidateAndCalculateApiId() at Microsoft.Identity.Client.AbstractClientAppBaseAcquireTokenParameterBuilder1.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.ExecuteAsync() at [… etc. …]
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:7
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@1iveowl: Oh I see, you need app permissions, not user permissions:
This is possible, but not fully automatic today. We have a feature request to make that happen in a nicer way: https://github.com/AzureAD/microsoft-identity-web/issues/654
To have it work in you case, you could get inspired by the ASP.NET Core Graph web hooks sample where the GraphServiceClient can only be used for delegated scopes:
@1iveowl
Otherwise if you think that can happen in prod, you should have the Web API emit a www-authenticate header, and the client needs to process it. See https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2. Web API now calls Microsoft Graph#handling-required-interactions-with-the-user-dynamic-consent-mfa-etc for details.
I know that this is a lot of things to read, but this scenario is a bit complicated …