OAuth 2.0: app.GetAccountsAsync returns null

+1 vote

Following the steps from:
https://www.limilabs.com/blog/oauth2-office365-exchange-imap-pop3-smtp

When I executed this code: 

var account = (await app.GetAccountsAsync()).FirstOrDefault();

The account is always null what is the main problem?

In addition, this is the code that initiates the "app" variable:

var app = PublicClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithDefaultRedirectUri()
    .Build();

// This allows saving access/refresh tokens to some storage
TokenCacheHelper.EnableSerialization(app.UserTokenCache);
by (780 points)

1 Answer

0 votes

GetAccountsAsync returns all the available accounts in the user token cache for the application. It's obvious it will return empty collection on first run.

In the sample mentioned there is a very simplistic cache implementation provided: TokenCacheHelper. It stores the cache on disk in the "msalcache.bin3" file.
You can view contents of this file to check what is saved in it.

There is a chance that you delete this file when compiling the app.

Please note that most likely you should store this cache in an encrypted form in some kind of a database. Consider using MSAL token serialization implementations available here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization

by (301k points)
Hello,
Good day.
Thanks for the response. I now manage to connect however do you have any solution to connect without the use of client id and tenant id from azure? We cannot just tell our clients to set up their azure just to run our application or did I misunderstand something else?
by (780 points)
You need to use:

    .WithAuthority(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)

instead of:

    .WithTenantId(tenantId)

This allows using personal and business AD accounts.

when creating the app you need to specify:

Supported account types:
"[x] Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts"
by (301k points)
How about the client id? do you mean that I will just register the app on our azure portal and then use the .withauthority.. method then It should connect to all of our clients?
by (780 points)
Correct. User will see a Microsoft login screen, with option to log-in, using a known account and finally a screen for granting access for your app.
by (301k points)
Hello, I've tried the WithAuthority(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount) method and modified the supported account types to:
Supported account types:
"[x] Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts"

I've got an error: MsalServiceException: AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.

I'm using the AcquireTokenByUsernamePassword. what did I miss?
by (780 points)
You can not use password grant flow (AcquireTokenByUsernamePassword) in such way.
by (301k points)
Then what flow should I use in this scenario? we expect to use our client's credentials.
by (780 points)
There is no OAuth flow that allows you to do that (password grant works only in your AD) and
basic authentication is being removed.

In other words: you no longer need or are allowed to know user's password.

You need to switch to proper OAuth 2.0 flow, as shown in the article in your question:
Users log-in once, you store access and refresh tokens, and use those on subsequent request. There is no need to save and store user's password.
by (301k points)
edited by

Hello Good day.
Now I'm trying the: https://www.limilabs.com/blog/oauth2-office365-exchange-imap-pop3-smtp

I re-created the app registration and set :
"[x] Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts"

Then on this line:

 var result = await app.AcquireTokenInteractive(scopes)
    .ExecuteAsync();

It took so much time and does not respond anymore I dont know what happen. until I end up stopping the application.

What did I miss? In addition how can I login a spefic email account?

by (780 points)
what flow should I use to make this support work?

"[x] Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts"
by (780 points)
We are not MSAL .NET support. Have in mind that AcquireTokenInteractive creates a new browser window or displays a login dialog (depending on the configuration) - your application must not be a web app for example.
 
I think there is a WithLoginHint method, that lets you specify which account to use. Member will see a choose account dialog otherwise.

As far as I know Multitenant + Personal works for all flows (desktop, web, device).
by (301k points)
Hello, good day.
do you have a sample using the "[x] Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts" with an acquired method to get token?
by (780 points)

The code is exactly the same. The only difference is 

.WithAuthority( 
    AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount
)

instead of:

.WithTenantId(tenantId)
by (301k points)
edited by
if so why does the desktop flow use the AcquireTokenInteractive
what settings do I need to make it work?
AcquireTokenInteractive is not working on my end.

I have tried the login hint as well but still not working.
by (780 points)
Desktop flow uses AcquireTokenInteractive - that is correct.
I don't really understand your problem.
Are you developing a desktop app? What technology are you using?

I believe you should ask a new question to be honest.
Please note that AcquireTokenInteractive is part of MSAL .NET - Microsoft library.
by (301k points)
...