-
Notifications
You must be signed in to change notification settings - Fork 345
Exceptions
Exceptions in MSAL.NET are intended for app developers to troubleshoot and not for displaying to end-users. Exception messages are not localized.
MSAL throws MsalClientException
for things that go wrong inside the library (e.g. bad configuration) and MsalServiceException
for things that go wrong service side or in the broker (e.g. a secret expired).
Client exceptions have an error code which you can use to handle the exception. The error codes are explained in the MsalError class.
- User cancelled authentication (public client only)
When calling AcquireTokenInteractive
, a browser or the broker is invoked to handle user interaction. If the user closes this process or if they hit the browser back button, MSAL generates an MsalClientException
with the error code authentication_canceled
(MsalError.AuthenticationCanceledError
).
On Android, this exception can also occur if a browser with tabs is not available.
- HTTP errors
MSAL uses HttpClient
to make web calls. HttpClient
can fail with exception when the network is unavailable. Otherwise, HttpClient
calls do not fail. Public Client apps are encouraged check if an internet connection is available before calling AcquireToken*
methods.
In cases where an response other than 200 OK is received, MSAL will throw an MsalServiceException
and you can check the HttpStatuScode for details.
When processing exceptions, you can use the exception type itself and the ErrorCode
member to distinguish between exceptions. The values of ErrorCode
are constants of MsalError
You can also have a look at the fields of MsalClientException, MsalServiceException, MsalUIRequiredException
In the case of MsalServiceException
, the error code might contain a code which you can find in Authentication and authorization error codes
The "Ui Required" is proposed as a specialization of MsalServiceException
named MsalUiRequiredException
. This means you have attempted to use a non-interactive method of acquiring a token (e.g. AcquireTokenSilent), but MSAL could not do it silently. this can be because:
- you need to sign-in
- you need to consent
- you need to go through a multi-factor authentication experience.
The remediation is to call AcquireTokenInteractive
try
{
app.AcquireTokenXXX(scopes, account)
.WithYYYY(...)
.ExecuteAsync()
}
catch(MsalUiRequiredException ex)
{
app.AcquireTokenInteractive(scopes)
.WithAccount(account)
.WithClaims(ex.Claims)
.ExcecuteAsync();
}
Developers are expected to implement their own retry policies when calling MSAL. MSAL makes HTTP calls to the AAD service, and occasional failures can occur, for example the network can go down or the server is overloaded. HTTP 5xx status code responses are retried once.
MSAL does not rethrow HTTP exceptions as MsalException.
See also Simple retry for errors with HTTP error codes 500-600 and Http 429 (Retry After)
In some cases, when the Azure AD tenant admin has enabled conditional access policies, your application will need to handle claim challenge exceptions. This will appear as an MsalServiceException
which Claims
property won't be empty. For instance if the conditional access policy is to have a managed device (Intune) the error will be something like AADSTS53000: Your device is required to be managed to access this resource
or something similar.
To handle the claim challenge, you will need to use the .WithClaim() method of PublicClientApplicationBuilder class as shown above.
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code