Tags: azure, oauth-2.0, jwt, azure-active-directory, bearer-token

Azure authentication for multiple audiences using WithExtraScopesToConsent and AcquireTokenSilent


I am building an app that lets the user manipulate Azure resources and Azure Storage, therefore I need to access multiple audiences. However, it's not possible to have one token with multiple audiences in Azure, so I am using this tutorial:

https://learn.microsoft.com/bs-latn-ba/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources

and my code looks like:

    IPublicClientApplication client = PublicClientApplicationBuilder.Create(clientId)
        .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
        .WithDefaultRedirectUri()
        // .WithRedirectUri($"msal{clientId}://auth")
        .Build();

    // accounts comes from the MSAL token cache
    var accounts = client.GetAccountsAsync().Result;
    string[] scopes = { "https://management.azure.com/user_impersonation" };
    string[] scopestorage = { "https://storage.azure.com/user_impersonation" };

    // interactive sign-in for the management resource, asking consent for storage as well
    var result = client.AcquireTokenInteractive(scopes)
                       .WithAccount(accounts.FirstOrDefault())
                       .WithExtraScopesToConsent(scopestorage)
                       .ExecuteAsync().Result;
    // silent acquisition for the storage resource
    var result2 = client.AcquireTokenSilent(scopestorage, accounts.FirstOrDefault()).ExecuteAsync().Result;

but I am getting an exception while executing the AcquireTokenInteractive method

Microsoft.Identity.Client.MsalUiRequiredException: 'No account or login hint was passed to the AcquireTokenSilent call.'

Also, when I look at my variable "accounts" in the locals, I can see Count=0 and nothing in there.

Any pointer to a solution would be greatly appreciated.

Regards

Vincent


Solution

  • You need to make some changes to your code. Here is the working sample for your reference:

    string[] scopes = { "https://management.azure.com/user_impersonation" };
    string[] scopestorage = { "https://storage.azure.com/user_impersonation" };
    IPublicClientApplication client = PublicClientApplicationBuilder
        .Create("cbc32712-ac27-4532-802d-303998a6e712")
        .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
        .Build();

    // sign in interactively for the first resource; this populates the account cache
    var result = client.AcquireTokenInteractive(scopes)
                       .ExecuteAsync().Result;
    // only now does GetAccountsAsync return the signed-in account
    var accounts = client.GetAccountsAsync().Result;
    // second resource: silent acquisition against the cached account
    var result2 = client.AcquireTokenSilent(scopestorage, accounts.FirstOrDefault()).ExecuteAsync().Result;
    

    Note:

    1. As you will get an access token for the storage resource by using the AcquireTokenSilent method, make sure you have granted user/admin consent for your application to access this resource.

    2. You cannot use the WithExtraScopesToConsent method for different resource endpoints.
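The pattern the answer describes, written out as an added example (it is not code from the question, the answer, or Microsoft): each resource gets its own token, every acquisition tries the cache first and falls back to an interactive prompt only on MsalUiRequiredException (the exception the question hit when a null account reached AcquireTokenSilent), and the "aud" claim of each token is read back so the management token is never sent to the storage endpoint or vice versa. It assumes the Microsoft.Identity.Client NuGet package, System.Text.Json, and a placeholder client id; the two scope strings are the ones on the page.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example; assumes the Microsoft.Identity.Client package and a placeholder client id.
public static class PerResourceTokens
{
    // Placeholder: replace with your own app registration's client id.
    const string ClientId = "00000000-0000-0000-0000-000000000000";

    // One scope set per resource; a single access token never covers both audiences.
    static readonly string[] ManagementScopes = { "https://management.azure.com/user_impersonation" };
    static readonly string[] StorageScopes = { "https://storage.azure.com/user_impersonation" };

    public static async Task Main()
    {
        IPublicClientApplication client = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
            .WithDefaultRedirectUri()
            .Build();

        // First resource: interactive on a fresh cache, silent afterwards.
        AuthenticationResult mgmt = await AcquireForResourceAsync(client, ManagementScopes);
        // Second resource: silent succeeds only if consent for the storage scope was already
        // granted; otherwise the fallback prompts for that resource alone.
        AuthenticationResult storage = await AcquireForResourceAsync(client, StorageScopes);

        // Defensive check before use: each token must carry the audience of the resource it goes to.
        Console.WriteLine($"management token aud = {ReadAudience(mgmt.AccessToken)}");
        Console.WriteLine($"storage    token aud = {ReadAudience(storage.AccessToken)}");
    }

    public static async Task<AuthenticationResult> AcquireForResourceAsync(
        IPublicClientApplication client, string[] scopes)
    {
        // GetAccountsAsync is empty until a sign-in has populated the cache; passing the resulting
        // null account to AcquireTokenSilent is what raises "No account or login hint was passed".
        IAccount account = (await client.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await client.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Missing consent, expired refresh token, or account not in cache: fall through.
            }
        }
        return await client.AcquireTokenInteractive(scopes)
            .WithAccount(account) // null here simply means "let the user pick an account"
            .ExecuteAsync();
    }

    // Reads the "aud" claim of a JWT access token for logging. This is not token validation:
    // the client is not the token's audience, and some Azure access tokens are opaque.
    public static string ReadAudience(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) return "(not a JWT)";
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.TryGetProperty("aud", out JsonElement aud) ? aud.ToString() : "(no aud)";
    }
}
```

The example uses await instead of `.Result` so the interactive prompt cannot deadlock a UI thread, and it deliberately keeps each interactive call to one resource, which is consistent with the answer's second note.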