[Request] WAM support for no scopes #3675

Closed
gladjohn opened this issue Sep 15, 2022 · 5 comments · Fixed by #3696 or #3918

@gladjohn
Contributor

gladjohn commented Sep 15, 2022

Logs and network traces
none

Which version of MSAL.NET are you using?
latest

Platform
any

Repro

var authResult = await pca.AcquireTokenInteractive(new[] { "" })
                                          .ExecuteAsync();

Expected behavior
Friendly exception

Actual behavior
Flow proceeds and results in unfriendly exceptions

Fix: authenticationRequestParameters.HasScopes returns true if empty string is passed as scopes
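
An added example, not MSAL.NET's own code, of the check the fix line above describes: a scopes array holding only an empty string is non-empty as a collection but names no scope. `ScopeCheckExample`, `HasScopesNaive`, `NormalizeScopes` and `RequireScopes` are hypothetical names, and the exception type is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper for illustration; not part of MSAL.NET.
static class ScopeCheckExample
{
    // Naive check: new[] { "" } has one element, so this reports true.
    public static bool HasScopesNaive(IEnumerable<string> scopes) =>
        scopes != null && scopes.Any();

    // Drops null, empty and whitespace-only entries and trims the rest.
    public static HashSet<string> NormalizeScopes(IEnumerable<string> scopes)
    {
        var result = new HashSet<string>(StringComparer.Ordinal);
        foreach (var entry in scopes ?? Enumerable.Empty<string>())
        {
            if (!string.IsNullOrWhiteSpace(entry))
                result.Add(entry.Trim());
        }
        return result;
    }

    // Fails early with a readable message instead of letting the flow proceed.
    public static HashSet<string> RequireScopes(IEnumerable<string> scopes)
    {
        var normalized = NormalizeScopes(scopes);
        if (normalized.Count == 0)
            throw new ArgumentException(
                "At least one scope needs to be requested for this authentication flow.",
                nameof(scopes));
        return normalized;
    }

    static void Main()
    {
        // Constructed sample inputs.
        var samples = new string[][]
        {
            null, new string[0], new[] { "" }, new[] { " " },
            new[] { "User.Read" }, new[] { "", "User.Read" }
        };
        foreach (var s in samples)
        {
            string shown = s == null ? "null" : "[" + string.Join(",", s.Select(x => "\"" + x + "\"")) + "]";
            Console.WriteLine($"{shown}: naive={HasScopesNaive(s)} strict={NormalizeScopes(s).Count > 0}");
        }
    }
}
```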

@gladjohn gladjohn added this to the 4.48.0 milestone Sep 16, 2022
@pmaytak pmaytak moved this from Triage to Estimated/Committed in MSAL Customer Trust / QM Sep 17, 2022
@bgavrilMS bgavrilMS changed the title [Bug] authenticationRequestParameters.HasScopes returns true if empty string is passed as scopes [Bug] WAM and B2C scenarios when scopes = new[] { "" } proceed and lead to errors Sep 22, 2022
Repository owner moved this from Estimated/Committed to Fixed in MSAL Customer Trust / QM Sep 26, 2022
@pmaytak pmaytak modified the milestones: 4.48.0, 4.47.2 Sep 29, 2022
@pmaytak
Contributor

pmaytak commented Dec 1, 2022

@gladjohn @bgavrilMS Will C++ layer be updated to accept empty (or msal only) scopes? Couldn't find a related issue in DevOps.

cc: @azchohfi

@gladjohn
Contributor Author

gladjohn commented Dec 1, 2022

Here is the internal bug tracking this, but I do not think Interop/MSALRuntime (C++) will accept empty/null scopes. For the broker we did check to see if scopes are being passed (by fixing authenticationRequestParameters.HasScopes logic).

This is what I see with the dev app for the new broker:

ATI without login_hint or account. It should display the account picker
Exception: MSAL.NetCore.4.46.0.0.MsalClientException: 
	ErrorCode: scopes_required_wam
Microsoft.Identity.Client.MsalClientException: At least one scope needs to be requested for this authentication flow. 

@bgavrilMS
Member

If you just want to log in the user, please ask for the "User.Read" Graph scope @azchohfi

Note that the MSAL library isn't really meant for authentication, but for calling downstream APIs. As such, we don't offer a good developer experience for just logging in the user. In pure OIDC terms, you can rely strictly on the id token for authentication, but MSAL's APIs are all targeted at access tokens. Concepts like expiration and silent refresh only look at access tokens.

ASP.NET Core handles the authentication part on its own; it does id token management etc. However, public client app developers have to do this manually. Most applications, including big 1p apps, rely on access token / refresh token semantics, i.e. as long as GetAccounts() returns an Account, you can assume that the user is logged in. It may be that the id token / access token has expired, in which case most apps will fetch new ones (silently) when they need to call a new downstream API.

Hope this helps.

@gladjohn
Contributor Author

gladjohn commented Dec 1, 2022

@azchohfi can you please start an email thread with our team for the requirement you have on no scopes, so we can better understand the situation

@bgavrilMS bgavrilMS reopened this Dec 8, 2022
Repository owner moved this from Fixed to Estimated/Committed in MSAL Customer Trust / QM Dec 8, 2022
@bgavrilMS
Member

Let's revisit this when MSAL C++ supports the scenario - https://github.com/AzureAD/microsoft-authentication-library-for-cpp/pull/3299

@bgavrilMS bgavrilMS added P2 and removed P3 labels Dec 8, 2022
@bgavrilMS bgavrilMS modified the milestones: 4.47.2, 4.50.0 Dec 14, 2022
@bgavrilMS bgavrilMS removed their assignment Dec 14, 2022
@bgavrilMS bgavrilMS changed the title [Bug] WAM and B2C scenarios when scopes = new[] { "" } proceed and lead to errors [Bug] WAM + scopes = new[] { "" } proceed and lead to errors Dec 22, 2022
@bgavrilMS bgavrilMS changed the title [Bug] WAM + scopes = new[] { "" } proceed and lead to errors [Request] WAM support for no scopes Dec 22, 2022
@gladjohn gladjohn self-assigned this Jan 23, 2023
@pmaytak pmaytak moved this from Estimated/Committed to In Progress in MSAL Customer Trust / QM Jan 27, 2023
@pmaytak pmaytak moved this from In Progress to Estimated/Committed in MSAL Customer Trust / QM Jan 27, 2023
@github-project-automation github-project-automation bot moved this from Estimated/Committed to Fixed in MSAL Customer Trust / QM Feb 3, 2023