Fix MSA silent authentication with MSA-PT apps #1358
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When using Microsoft Account Passthrough (MSA-PT) we need to use the special "transfer" or "Microsoft services" tenant ID rather than the actual MSA tenant ID when doing silent authentication. This is a shortcoming in the MSAL library that we will need to workaround until this issue [1] can be fixed in MSAL itself. Modify the silent auth method such that if we are using MSA-PT, and the `IAccount` object has the MSA tenant ID, we need explicitly set the tenant ID to the transfer tenant ID. Whilst we are in here, also add an extra `catch` block around the silent auth code to capture any unexpected exceptions and log them. [1] AzureAD/microsoft-authentication-library-for-dotnet#3077
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using Microsoft Account Passthrough (MSA-PT) we need to use the special "transfer" or "Microsoft services" tenant ID rather than the actual MSA tenant ID when doing silent authentication.
This is a shortcoming in the MSAL library that we will need to workaround until this issue can be fixed in MSAL itself.
Modify the silent auth method such that if we are using MSA-PT, and the
IAccountobject has the MSA tenant ID, we need explicitly set the tenant ID to the transfer tenant ID.Whilst we are in here, also add an extra
catchblock around the silent auth code to capture any unexpected exceptions and log them.Fixes #1297