-
Notifications
You must be signed in to change notification settings - Fork 343
WAM
MSAL is able to call Web Account Manager, a Windows 10 component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.
The New MSAL WAM Preview is an abstraction layer based on MSAL C++ which fixes a number of issues with the existing WAM implementation. New applications should use this implementation.
- assembly size issues
- run-as-admin issues
- adds support for POP tokens
- add a reference to Microsoft.Identity.Client.Broker (and you can remove any reference to Microsoft.Identity.Client.Desktop)
- instead of
.WithBroker()
, call.WithBrokerPreview()
.
Note: The old WAM experience is documented at: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam and showcases details about redirect URI, fallback experience on older Windows, Mac and Linux etc. which remain valid.
var pca = PublicClientApplicationBuilder
.Create("1234...")
.WithAuthority("https://login.microsoftonline.com/common")
.WithBrokerPreview(true) // this method exists in Microsoft.Identity.Client.Broker package
.Build();
It is now mandatory to tell MSAL the window the interactive experience should be parented to, using WithParentActivityOrWindow
APIs. Trying to infer a window is not feasible and in the past, this has led to bad user experience where the auth window is hidden behind the application.
// In a WinForms app, in a Form
IntPtr windowHandle = this.Handle;
// In a WPF app
IntPtr windowHandle = new System.Windows.Interop.WindowInteropHelper(this).Handle;
For console applications it is a bit more involved, because of the terminal window and its tabs.
enum GetAncestorFlags
{
GetParent = 1,
GetRoot = 2,
/// <summary>
/// Retrieves the owned root window by walking the chain of parent and owner windows returned by GetParent.
/// </summary>
GetRootOwner = 3
}
/// <summary>
/// Retrieves the handle to the ancestor of the specified window.
/// </summary>
/// <param name="hwnd">A handle to the window whose ancestor is to be retrieved.
/// If this parameter is the desktop window, the function returns NULL. </param>
/// <param name="flags">The ancestor to be retrieved.</param>
/// <returns>The return value is the handle to the ancestor window.</returns>
[DllImport("user32.dll", ExactSpelling = true)]
static extern IntPtr GetAncestor(IntPtr hwnd, GetAncestorFlags flags);
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
public IntPtr GetConsoleOrTerminalWindow()
{
IntPtr consoleHandle = GetConsoleWindow();
IntPtr handle = GetAncestor(consoleHandle, GetAncestorFlags.GetRootOwner );
return handle;
}
The logic below will eventually be added as a helper in MSAL, tracking work item 3590. For now, copy this into your app.
MSAL already supports PoP tokens in confidential client flows starting MSAL 4.8+, With the new MSAL WAM Broker you can acquire PoP tokens for public client flows as well.
Bearer tokens are the norm in modern identity flows, however they are vulnerable to being stolen and used to access a protected resource.
Proof of Possession (PoP) tokens mitigate this threat via 2 mechanisms:
- they are bound to the user / machine that wants to access a protected resource, via a public / private key pair
- they are bound to the protected resource itself, i.e. a token that is used to access
GET https://contoso.com/transactions
cannot be used to accessGET https://contoso.com/tranfer/100
In order to utilize the new broker to perform POP, see the code snippet here.
For more details, see RFC 7800
WAM redirect URIs do not need to be configured in MSAL, but they must be configured in the app registration.
ms-appx-web://microsoft.aad.brokerplugin/{client_id}
This flow is not recommended except in test scenarios or in scenarios where service principal access to a resource gives it too much access and you can only scope it down with user flows. When using WAM, AcquireTokenByUsernamePassword
will let WAM handle the protocol and fetch tokens.
- B2C and ADFS authorities aren't supported. MSAL will fall back to a browser.
- Available on Win10+ and Win Server 2019+. On Mac, Linux, and earlier versions of Windows, MSAL will fall back to a browser.
- Not available on Xbox.
"Unable to load DLL 'msalruntime' or one of its dependencies: The specified module could not be found." error message
This message indicates that either the Microsoft.Identity.Client.NativeInterop package was not properly installed or the WAM runtimes DLL was not restored in the appropriate folders. To resolve this issue:
- Ensure that Microsoft.Identity.Client.NativeInterop package has been restored properly, and
- the runtimes folders are also restored and placed under the package path
The DLL search order is,
- same directory as the app (executing assembly directory)
- other directories like system and windows
-
runtimes
folder under the NuGet global-packages folder where Microsoft.Identity.Client.NativeInterop is installed.
"MsalClientException (ErrCode 5376): At least one scope needs to be requested for this authentication flow." error message
This message indicates that you need to request at least one application scope (e.g. user.read) along with other OIDC scopes (profile, email or offline_access).
var authResult = await pca.AcquireTokenInteractive(new[] { "user.read" })
.ExecuteAsync();
The application user sees an error message similar to "Please check your connection and try again". If this issue occurs regularly, see the troubleshooting guide for Office, which also uses WAM.
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code