data/authors/Paul Logan.json

MsalUiRequiredException


My Quality Management System sends emails to the user when a NonConformance has been assigned to them.

The email contains a deep link to the NonConformance details screen in the application.

This screen queries the Microsoft Graph to get user details.

When accessing the app through the wonderful https://myapps.microsoft.com/, the user is taken to the home page, browses their way to the Details screen, and all is well.

However, when a user who is not currently signed into the app clicks the email link, the following error is received:

MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call “An MsalUiRequiredException was thrown due to a challenge for the user.”

Exception has occurred: CLR/Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException An exception of type ‘Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException’ occurred in System.Private.CoreLib.dll but was not handled in user code: ‘IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. ' Inner exceptions found, see $exception in variables window for more details. Innermost exception Microsoft.Identity.Client.MsalUiRequiredException : No account or login hint was passed to the AcquireTokenSilent call.

The workaround at this point: the user clicks the link to the home page in the navigation section.

You can see the URL briefly change to the login.microsoftonline.com authentication address.

The user gets signed in, and clicking the link in the email now works successfully.

Sometimes, in web apps, the user can be signed-in, but the token cache does not contain the token to access the web APIs.

This is expected and happens, in particular if:

  1. you are using an in-memory token cache, and have restarted your application
  2. you have set up cache eviction times, which remove tokens from the cache earlier than the session cookie (which says the user is signed-in) expires

In that case, you’ll get an MsalUiRequiredException, which is expected.

Microsoft.Identity.Web can automatically challenge the user, which most of the time will be silent, and have the token cache repopulated.

The fix is adding [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")] to the Razor Pages code-behind file. With the attribute in place, the MicrosoftIdentityWebChallengeUserException is turned into an authentication challenge (a redirect to login.microsoftonline.com) instead of an unhandled exception, and the return URL brings the user back to the same deep link once the token cache has been repopulated.
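What the fix looks like in a NonConformance details page, as an added example and not code from the original post or from the Microsoft.Identity.Web project. It assumes the app was registered with AddMicrosoftIdentityWebAppAuthentication(...).EnableTokenAcquisitionToCallDownstreamApi(...) and a configured token cache, that appsettings.json carries a "DownstreamApi:Scopes" entry such as "User.Read", and that a named HttpClient is registered; the namespace, page model name, route parameter and the direct call to the Graph /me endpoint (used here instead of the Graph SDK to avoid tying the example to one SDK version) are illustrative assumptions.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Web;

namespace Qms.Pages.NonConformance
{
    // ScopeKeySection points at the "DownstreamApi:Scopes" entry in appsettings.json
    // (assumed value: "User.Read"). If AcquireTokenSilent fails because the cache has
    // no token for this user, Microsoft.Identity.Web throws
    // MicrosoftIdentityWebChallengeUserException; this filter catches it and issues a
    // challenge for exactly these scopes instead of surfacing a 500. The challenge
    // carries the current URL as the return URL, so the deep link from the email
    // survives the round trip to login.microsoftonline.com.
    [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
    public class DetailsModel : PageModel
    {
        private const string GraphMeEndpoint = "https://graph.microsoft.com/v1.0/me";

        private readonly ITokenAcquisition _tokenAcquisition;
        private readonly IHttpClientFactory _httpClientFactory;
        private readonly IConfiguration _configuration;

        public string AssigneeDisplayName { get; private set; } = string.Empty;
        public string AssigneeMail { get; private set; } = string.Empty;

        public DetailsModel(
            ITokenAcquisition tokenAcquisition,
            IHttpClientFactory httpClientFactory,
            IConfiguration configuration)
        {
            _tokenAcquisition = tokenAcquisition;
            _httpClientFactory = httpClientFactory;
            _configuration = configuration;
        }

        // Route parameter name is an assumption; the email deep link would be
        // something like /NonConformance/Details/42.
        public async Task OnGetAsync(int id)
        {
            // Read the scopes from the same config section the attribute uses, so the
            // scopes requested in the challenge and in the token request always match.
            // A mismatch is the classic way to end up in a redirect loop.
            string[] scopes = _configuration["DownstreamApi:Scopes"].Split(' ');

            // Silent acquisition from the cache. This is the call that throws
            // MsalUiRequiredException (wrapped in MicrosoftIdentityWebChallengeUserException)
            // when the cache is empty, e.g. after an app restart with an in-memory cache.
            string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);

            HttpClient client = _httpClientFactory.CreateClient();
            using var request = new HttpRequestMessage(HttpMethod.Get, GraphMeEndpoint);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

            using HttpResponseMessage response = await client.SendAsync(request);
            response.EnsureSuccessStatusCode();

            using JsonDocument me = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
            JsonElement root = me.RootElement;
            AssigneeDisplayName = root.TryGetProperty("displayName", out var name) ? name.GetString() ?? "" : "";
            AssigneeMail = root.TryGetProperty("mail", out var mail) ? mail.GetString() ?? "" : "";
        }
    }
}
```

Two practical caveats. The attribute is an MVC/Razor Pages filter, so it only fires for requests that pass through the page or controller pipeline; Blazor Server components do not get it, which is why the Blazor issue linked below points at the consent handler (MicrosoftIdentityConsentAndConditionalAccessHandler.HandleException) instead. And the attribute only helps when it names the same scopes the page later requests; asking for a broader scope set in the token call than in the attribute means the challenge never satisfies the request and the user bounces between the app and the login page.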

https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access#in-razor-pages

https://github.com/wmgdev/BlazorGraphApi/issues/10