Using MSAL directly, you end up adding the following to support CAE: when an API call made with a _clientApp-obtained bearer token fails with a 401, and the response carries header info identifying a claims challenge that the auth token must be re-acquired with, you do so with something like this:
1. Create the auth client indicating that you support CAE (when getting the initial auth token):

    _clientApp = ConfidentialClientApplicationBuilder.Create(App.ClientId)
        .WithDefaultRedirectUri()
        .WithAuthority(authority)
        .WithClientCapabilities(new[] { "cp1" }) // CAE-enabled
        .Build();

2. Re-request an auth token in light of the claims challenge info:

    authResult = await _clientApp.AcquireTokenSilent(scopes, firstAccount)
        .WithClaims(claimChallenge) // CAE-enabled
        .ExecuteAsync()
        .ConfigureAwait(false);
So ... how do you do the above two things in a TokenCredential world, rather than with MSAL directly? Even though TokenCredential impls (at least those shipped by MS) internally do use CCAs and MSAL to do the job, they don't appear to expose a way to do this.
Hence my question:
How do you use a TokenCredential to re-request a claims-challenged auth token?
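Added example, not code from the original post or from MSAL: it pulls the claims challenge out of the 401 response described above and decodes it into the string that `.WithClaims(...)` expects. The header layout follows the documented CAE challenge format (`error="insufficient_claims"`, `claims="<base64>"`); the 401 response and claims JSON are constructed sample data.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.RegularExpressions;

public static class ClaimsChallenge
{
    // Returns the decoded claims JSON when a 401 response carries a CAE claims challenge, else null.
    public static string FromResponse(HttpResponseMessage response)
    {
        if (response.StatusCode != HttpStatusCode.Unauthorized) return null;
        foreach (AuthenticationHeaderValue header in response.Headers.WwwAuthenticate)
        {
            if (!string.Equals(header.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
                || header.Parameter == null) continue;
            // Parameters look like: realm="", error="insufficient_claims", claims="eyJ...".
            var parameters = Regex.Matches(header.Parameter, @"(\w+)=""([^""]*)""")
                .Cast<Match>()
                .ToDictionary(m => m.Groups[1].Value, m => m.Groups[2].Value, StringComparer.OrdinalIgnoreCase);
            if (parameters.TryGetValue("error", out var error) && error == "insufficient_claims"
                && parameters.TryGetValue("claims", out var encoded))
                return DecodeBase64Url(encoded);
        }
        return null;
    }

    // The challenge may arrive as base64 or base64url, with or without padding; normalise first.
    private static string DecodeBase64Url(string value)
    {
        string s = value.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    public static void Main()
    {
        // Constructed sample of the 401 a CAE-protected API returns when the token must be re-issued.
        string claimsJson = "{\"access_token\":{\"nbf\":{\"essential\":true,\"value\":\"1604106651\"}}}";
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(claimsJson));
        var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer",
            $"realm=\"\", error=\"insufficient_claims\", claims=\"{encoded}\""));
        // This decoded string is what the post's AcquireTokenSilent(...).WithClaims(...) takes.
        Console.WriteLine(FromResponse(response) ?? "no claims challenge");
    }
}
```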