
I have been trying to use Azure AD MSAL and ADAL and have NEVER been able to retrieve a token. I have tried ALL of the samples and keep getting to the same issue: the token is created and added to the EF cache DB, but when the tokenAcquisition object tries to retrieve it, no account is found and it fails to get the token.

I have read through most (if not ALL) of the issues on GitHub and SO. This seems to be working for others, but it looks like numerous people have the same issue and I have yet to see an answer other than pointing me to the samples I have tried.

Simple question for the moment - how do I get accounts from the IConfidentialClientApplication?

I have NEVER been able to get a single account or a list of accounts.

Create app object:

var app = ConfidentialClientApplicationBuilder.CreateWithApplicationOptions(_applicationOptions)
               .WithRedirectUri(currentUri)
               .WithAuthority(authority)
               .Build();

In GetAccessTokenOnBehalfOfUser:

IAccount account = await application.GetAccountAsync(accountIdentifier);

returns NULL

and

var accounts = await application.GetAccountsAsync();

returns an empty list/IEnumerable.

I would expect to retrieve an account from

application.GetAccountAsync(accountIdentifier)

and a list from

await application.GetAccountsAsync();
  • Could you send the link of the sample that you are mainly relying on? – Tiago B Aug 12 '19 at 17:08
  • Azure AD Samples - active-directory-aspnetcore-webapp-openidconnect-v2 - 2.2 token cache - Setting up an EF based token cache https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache – Jim Baltzell Aug 12 '19 at 17:41
  • I have tried many different implementations to try and get the token cache working so I can get and use an ID Token. – Jim Baltzell Aug 12 '19 at 17:44
  • I'm sorry about your frustration. I ran this sample and it worked for me. The DB was created and I have a row with my token there. I have noticed that this sample is actually a tutorial, so the configuration for the service is located in the previous chapter. Also, there are some lines to be uncommented to have the DB created for you. Make sure you read the instructions carefully. – Tiago B Aug 12 '19 at 18:21
  • I do not understand how you were able to get the token from cache - I have made some modifications but have yet to get the token cache to retrieve a token - memory, session or EF6. I see the token created fine with the AuthCode - but when I try to retrieve the token - I am unable to get the account from the application????? If I could just get a sample working to get the accounts, without building my own token provider. – Jim Baltzell Aug 12 '19 at 18:28
  • Again, I am able to create the token and put it in the DB cache - I am unable to retrieve the token due to not getting an account from the ConfidentialClientApplication object. I am always getting null or an empty list. This prevents the token from being retrieved from cache!! – Jim Baltzell Aug 12 '19 at 18:32
  • Check my profile and send me an email. I will assist you. – Tiago B Aug 12 '19 at 18:34
  • Here is a similar [issue](https://stackoverflow.com/questions/56444669/how-do-i-get-accounts-from-azure-ad) you could refer to. – Joey Cai Aug 13 '19 at 09:50

1 Answer


OK, finally found my issue.

The issue comes from using ASP.NET Identity to log in to Azure AD as an external authority, but using the Identity to sign in and create the claims principal.

I was missing the Azure AD ObjectIdentifier from my claims, so the solution seems to be adding the ObjectIdentifier to the identity. I did this by using a ClaimsTransformation and looking for the auth type. If it was NOT Identity.Application it is from Azure AD, and I check to see if the User has the UserClaim and add it if not. This claim is then picked up and put in the principal's claims and, under the covers, now the account is found....

        // Inside the async claims-transformation method: when the incoming principal
        // carries the Azure AD object identifier, make sure the Identity user stores it
        // too, so that the rebuilt principal exposes the claim MSAL needs to find the account.
        if (principal.HasClaim(c => c.Type == SecurityConstants.ScpcClaimTypes.ObjectId))
        {
            string oId = principal.FindFirstValue(SecurityConstants.ScpcClaimTypes.ObjectId);

            var user = await _usrMgr.FindByNameAsync(usrNm);

            List<Claim> claims = new List<Claim>(await _usrMgr.GetClaimsAsync(user));
            if (!claims.Exists(c => c.Type == SecurityConstants.ScpcClaimTypes.ObjectId))
            {
                // Awaited so the claim is persisted before the principal is rebuilt
                // (the original fire-and-forget call could lose the write).
                await _usrMgr.AddClaimAsync(user, new Claim(SecurityConstants.ScpcClaimTypes.ObjectId, oId));
            }
        }
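The following is an added example, not code from the question, the answer, or the Azure samples. It ties the question (why GetAccountAsync returns null) to the answer (the missing object identifier claim): MSAL looks up a cached Azure AD account by the home account identifier "{oid}.{tid}", so a principal without those claims can never match a cache entry. The example builds that identifier from the principal, shows an IClaimsTransformation that copies the oid/tid claims stored on the ASP.NET Core Identity user back onto the principal, and performs a silent acquisition that returns null instead of throwing on a cache miss. The class names, the IdentityUser type, and the assumption that the oid and tid were stored as Identity user claims at external sign-in are mine, not the page's.

```csharp
// Added example: not from the question, the answer, or Microsoft's samples.
// Assumes ASP.NET Core Identity with Azure AD as an external login, the Azure AD
// oid/tid persisted as Identity user claims, and MSAL's IConfidentialClientApplication.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Identity.Client;

public static class AzureAdClaimTypes
{
    // Long-form types after the default inbound claim mapping; short forms are the raw JWT names.
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string ObjectIdShort = "oid";
    public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
    public const string TenantIdShort = "tid";
}

public static class MsalAccountIdentifier
{
    // MSAL's home account identifier for an Azure AD user is "{oid}.{tid}".
    // Returns null when either claim is absent: the exact situation in which
    // GetAccountAsync yields null and GetAccountsAsync cannot match the user.
    public static string FromPrincipal(ClaimsPrincipal principal)
    {
        string oid = principal.FindFirstValue(AzureAdClaimTypes.ObjectId)
                     ?? principal.FindFirstValue(AzureAdClaimTypes.ObjectIdShort);
        string tid = principal.FindFirstValue(AzureAdClaimTypes.TenantId)
                     ?? principal.FindFirstValue(AzureAdClaimTypes.TenantIdShort);
        return (oid == null || tid == null) ? null : $"{oid}.{tid}";
    }
}

// Runs after authentication on every request. When the cookie principal was built by
// ASP.NET Core Identity (so it lacks the Azure AD claims), copy the oid/tid stored on
// the Identity user onto a clone of the principal so MSAL can locate the cached account.
public class EnsureObjectIdClaimTransformation : IClaimsTransformation
{
    private readonly UserManager<IdentityUser> _userManager;

    public EnsureObjectIdClaimTransformation(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity?.IsAuthenticated != true ||
            principal.HasClaim(c => c.Type == AzureAdClaimTypes.ObjectId))
        {
            return principal; // anonymous, or already usable by MSAL
        }

        var user = await _userManager.GetUserAsync(principal);
        if (user == null) return principal;

        IList<Claim> stored = await _userManager.GetClaimsAsync(user);
        Claim oid = stored.FirstOrDefault(c => c.Type == AzureAdClaimTypes.ObjectId);
        Claim tid = stored.FirstOrDefault(c => c.Type == AzureAdClaimTypes.TenantId);
        if (oid == null) return principal; // nothing persisted yet; caller will get a null account

        // Do not mutate the incoming principal; add claims to a clone.
        ClaimsPrincipal clone = principal.Clone();
        var identity = (ClaimsIdentity)clone.Identity;
        identity.AddClaim(new Claim(oid.Type, oid.Value));
        if (tid != null && !identity.HasClaim(c => c.Type == tid.Type))
        {
            identity.AddClaim(new Claim(tid.Type, tid.Value));
        }
        return clone;
    }
}

public static class TokenLookup
{
    // Silent acquisition keyed on the identifier derived from the principal.
    // Returns null rather than throwing when the cache holds no such account or
    // the cached refresh token can no longer be used, so the caller can re-challenge.
    public static async Task<string> TryGetCachedAccessTokenAsync(
        IConfidentialClientApplication app, ClaimsPrincipal principal, string[] scopes)
    {
        string accountId = MsalAccountIdentifier.FromPrincipal(principal);
        if (accountId == null) return null;

        IAccount account = await app.GetAccountAsync(accountId);
        if (account == null) return null;

        try
        {
            AuthenticationResult result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            return null; // interactive sign-in required again
        }
    }
}
```

Register the transformation with `services.AddScoped<IClaimsTransformation, EnsureObjectIdClaimTransformation>();` in Startup. The claims must be stored on the Identity user at external sign-in (for example via `UserManager.AddClaimAsync` when the Azure AD login is first linked); the transformation only surfaces what is already persisted, and a null return from `TryGetCachedAccessTokenAsync` is the signal that the user needs a fresh authorization-code round trip rather than a reason to retry the cache.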