[Bug] AcquireTokenSilent silently discards MFA claim? #4908
Comments
Does this code work if you don't use WAM? I am not familiar with adding a claims challenge for forcing MFA. Is this documented anywhere? Afaik, the STS is responsible for enforcing MFA through Conditional Access policies.
Hi @bgavrilMS, Thanks for the reply.
As for without the WAM broker, good point. Same behaviour though, the token is granted through the interactive flow, without being challenged with MFA, then the application and token is cached and the interactive flow (with the MFA claim added in the ExtraQueryParameters) acquires the token without asking for anything, but ignores that MFA claim. Hopefully this helps. Please let me know if there's anything I can help you with. Best regards,
Well MSAL does have a "WithClaims" API, which is probably better used here as it will affect the communication with both /authorization and /token endpoint. But it'll also bypass the cache, so it should not be used after the first login.
Thank you @bgavrilMS. Thanks again!!
Hi @S-dn-Y, have you configured the account with MFA? Here is the doc https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa?toc=%2Fentra%2Fidentity%2Fconditional-access%2Ftoc.json&bc=%2Fentra%2Fidentity%2Fconditional-access%2Fbreadcrumb%2Ftoc.json. Could you help confirm, and which resource did you add the MFA policy to?
So previously the interactive call is challenged with claims
but later the interactive flow doesn't challenge you for MFA? Did you change anything? I am trying to understand what you want to achieve, please correct me if I am wrong. Do you want both interactive and silent flow challenged with MFA with the specific resource? Could you provide the correlation id and timestamp so that we can check what's the issue? Thanks.
Hi @xinyuxu1026, Thank you for chipping in. I'm trying to activate Eligible Microsoft Entra Privileged Identity Management (PIM) roles through code, PowerShell. I've created a Service Principal in Azure with delegated permissions needed to query and activate the roles. So when I want to enable an Entra role the flow would look like this:
Note that if I modify the flow and feed the ExtraQueryParameters to AcquireTokenInteractive (and thus skip the first AcquireTokenSilent) it prompts for credentials and challenges the user for MFA and the claim is added. The functions will then work without problems as the MFA claim is present. I've just completed the flow as described. Error triggered: Hope this helps and thanks again!
@S-dn-Y, for an account not configured with MFA, the silent request discarding MFA is by design.
Library version used
4.61.3.0
.NET version
4.8.04161
Scenario
PublicClient - desktop app
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
Hi everyone,
I'm integrating the MSAL library into our PowerShell code and I've observed that AcquireTokenSilent seems to silently discard MFA claims.
I'm adding the extra query parameters to the request, which are applied as shown in the logs. The application is new, also as shown in the logs.
The token is provided without issues, but if I check the actual token using https://jwt.ms/, the amr claim is not in there, only the pwd and rsa values for amr.
Using the token results in MFA issues of course.
This doesn't seem to comply with what the docs are saying:
Since the recommended pattern is to first try to achieve a token silently from cache before starting an interactive flow, shouldn't AcquireTokenSilent throw an exception of type Microsoft.Identity.Client.MsalUiRequiredException allowing the user to complete the interactive flow?
Relevant log entries:
###> New application nothing found in cache yet
###> Query parameters are added to the request
Is this expected behaviour?
I've added some of the code I'm using to reproduce it.
Note that the same code is used in the interactive flow and the user is challenged for MFA and the claim is given.
Now I don't expect that the silent flow is able to complete the MFA challenge, but if MSAL silently discards the claim, how would I know that a cached token has the claim? Especially since decoding the tokens on the client isn't best practice (if I recall reading it correctly).
Hoping someone can help! Any effort is appreciated.
Best regards,
Sidney
Relevant code snippets
Expected behavior
I would expect that AcquireTokenSilent throws an MsalUiRequiredException, instead of requesting the token without the MFA claim in the result.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
I'm now removing the application from the cache if any error happens while requesting a token, so I know that every application in cache that has the MFA claim will have the MFA claim after silently acquiring it from the cache.
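Added PowerShell example (not code from the issue or the MSAL project) that combines the silent-then-interactive pattern from the issue body with the WithClaims suggestion in @bgavrilMS's comment: the claims challenge goes through WithClaims on both calls, so the silent call cannot hand back a cached non-MFA token, at the cost (as the comment notes) of bypassing the cache on every call. The client id, tenant id, DLL path and the exact claims JSON are assumptions, not values from the issue.

```powershell
# Added example, not code from the issue: silent-first acquisition for the PIM
# activation script, passing the MFA claims challenge through WithClaims instead
# of ExtraQueryParameters. <client-id>, <tenant-id>, the DLL path and the claims
# JSON shape are assumptions, not values taken from the issue.
Add-Type -Path ".\Microsoft.Identity.Client.dll"

$clientId  = "<client-id>"
$tenantId  = "<tenant-id>"
$scopes    = [string[]]@("https://graph.microsoft.com/.default")
# Assumed claims-challenge JSON: marks the MFA requirement as essential so the
# STS must satisfy it rather than issue a token whose amr lacks an MFA value.
$mfaClaims = '{"access_token":{"amr":{"essential":true,"values":["mfa"]}}}'

$builder = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($clientId)
$builder = $builder.WithAuthority("https://login.microsoftonline.com/$tenantId")
$builder = $builder.WithRedirectUri("http://localhost")
$app     = $builder.Build()

function Get-MfaToken {
    param($App, [string[]]$Scopes, [string]$Claims)

    $account = $App.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
    if ($account) {
        try {
            # WithClaims bypasses the cached access token and sends the claims to
            # the /token endpoint, so a cached non-MFA token is never returned;
            # an interaction_required answer surfaces as MsalUiRequiredException.
            return $App.AcquireTokenSilent($Scopes, $account).WithClaims($Claims).ExecuteAsync().GetAwaiter().GetResult()
        }
        catch {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }  # unwrap MethodInvocationException
            if ($ex -isnot [Microsoft.Identity.Client.MsalUiRequiredException]) { throw }
            Write-Verbose "Silent MFA acquisition needs interaction: $($ex.Message)"
        }
    }
    # Fall back to the interactive flow with the same claims, so the user is
    # challenged for MFA and the resulting token carries it.
    $interactive = $App.AcquireTokenInteractive($Scopes).WithClaims($Claims)
    if ($account) { $interactive = $interactive.WithAccount($account) }
    return $interactive.ExecuteAsync().GetAwaiter().GetResult()
}

$result = Get-MfaToken -App $app -Scopes $scopes -Claims $mfaClaims
"Token for $($result.Account.Username) expires $($result.ExpiresOn)"
```

Because WithClaims forces a network call each time, reserve this path for the requests that actually need the MFA-backed token (the PIM activation) and use a plain AcquireTokenSilent elsewhere.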