[BUG] GetAuthenticationResultForUserAsync throws an exception when user is authenticated #2968

@DOMZE

Description

Microsoft.Identity.Web version and scenario

3.0.1
Web app calls web api.

Problem description (updated by @bgavrilMS for clarity)

In a typical "web app calls web API" scenario, Identity.Web always throws MicrosoftIdentityWebChallengeUserException with error code user_null when calling the TokenAcquisition API. This happens for some application registrations, but not for all.

The issue only occurs when the ID Token is customized to have an additional claim named uid, via the app portal. For example:

[image]

Root cause: Microsoft.Identity.Web tries to inject its own uid claim into the id token / ClaimsPrincipal (which it gets from client_info). This conflicts with the user's uid claim and the user's claim wins. This breaks Microsoft.Identity.Web's ability to reference a user from MSAL's cache, causing the user_null error.

Original Description

I'm having trouble with another user with the OBO flow using Microsoft.Identity.Web (MIW). The code works on my machine and in my environment (Azure). However, the exact same code does not work on the other user's machine & environment. The log in the other user's environment confirms that the tokens are being saved in the cache (In Memory Cache).

I can confirm that the ClaimsPrincipal is properly populated in both environments (as shown when signing in).

App Registrations have been verified on both ends (mine and the other user's). The token can be exchanged with the proper requested scope for the requested application using REST calls, thus not a problem with App Registrations. The admin consent has been granted and I am not using the ./default scope but rather requesting a specific scope, i.e. api://<app_name>/scope_name.

Enabling the logs for the library, I realize that in my environment the account is saved AND is retrieved when doing the OBO call using ITokenAcquisition.GetAuthenticationResultForUserAsync. In the other user's environment, this gives the error:

Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
---> MSAL.NetCore.4.61.3.0.MsalUiRequiredException:
                ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.

The logs say that the account in the cache is not found (0 accounts in cache), which is why this fails.
See logs below.

Reproduction steps

  1. Clone https://github.com/dstamand-msft/demo-authnauthz
  2. Set the project appsettings in Demo.App and Demo.API under the EntraID section
  3. Run the application
  4. Sign in
  5. Click on "with read"
  6. Access should be granted and OBO should have occurred in the PermissionActionAuthorizationHandler file

Error message

Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
---> MSAL.NetCore.4.61.3.0.MsalUiRequiredException:
ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.

Id Web logs

Own environment:

Demo.App.Authorization.PermissionActionAuthorizationHandler: Warning: Evaluating authorization requirement for permission >= read
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z] ConfidentialClientApplication 35451336 created
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [GetAccounts] Found 1 RTs and 1 accounts in MSAL cache. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [GetAccounts] Found 1 RTs and 1 accounts in MSAL cache after environment filtering. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 903da1ed-fea8-42fe-960c-4b20d3ee8359] Filtered by home account id. Remaining accounts 1 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z] Found 1 cache accounts and 0 broker accounts
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z] Returning 1 accounts
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] MSAL MSAL.NetCore with assembly version '4.61.3.0'. CorrelationId(0af8efb8-d448-411a-8d92-b3f5df3c6d2a)
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] === AcquireTokenSilent Parameters ===
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] LoginHint provided: False
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Account provided: True
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] ForceRefresh: False
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] 
=== Request Data ===
Authority Provided? - True
Scopes - api://demowebapi/user_access
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] === Token Acquisition (SilentRequest) started:
	 Scopes: api://demowebapi/user_access
	Authority Host: login.microsoftonline.com
Microsoft.Identity.Web.TokenAcquisition: Warning: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Attempting to acquire token using local cache.
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Internal cache] Total number of cache partitions found while getting access tokens: 1
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [FindAccessTokenAsync] Discovered 1 access tokens in cache using partition key: 7e175b7a-d6e6-443b-a45b-341f88318c09.72f988bf-86f1-41af-91ab-2d7cd011db47
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering AT by tenant id - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering AT by tenant id - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering AT by home account id - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering AT by home account id - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering by token type - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering by token type - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering by scopes - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Access token with scopes email openid profile User.Read passes scope filter? False 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering by scopes - item count after: 0 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Not filtering AT by environment, because there are no candidates
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [FindAccessTokenAsync] No tokens found for matching authority, client_id, user and scopes. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [FOCI] App is not part of the family, skipping FOCI. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [FindRefreshTokenAsync] Discovered 1 refresh tokens in cache using key: 7e175b7a-d6e6-443b-a45b-341f88318c09.72f988bf-86f1-41af-91ab-2d7cd011db47
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by home account id - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by home account id - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by family id - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by family id - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by client id - item count before: 1 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Filtering RT by client id - item count after: 1 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [FindRefreshTokenAsync] Refresh token found in the cache? - True
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Refreshing access token...
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Instance Discovery] Instance discovery is enabled and will be performed
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Instance Discovery] The network provider found an entry for login.microsoftonline.com. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Starting TokenClient:SendTokenRequestAsync
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [TokenClient] Before adding the client assertion / secret
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [TokenClient] After adding the client assertion / secret
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] [Token Client] Fetching MsalTokenResponse .... 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Starting [Oauth2Client] Sending POST request 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.7 Microsoft Windows 10.0.22631 [2024-07-26 14:43:49Z - 0af8efb8-d448-411a-8d92-b3f5df3c6d2a] Starting [HttpManager] ExecuteAsync

Other user's environment:

Demo.App.Authorization.PermissionActionAuthorizationHandler: Warning: Evaluating authorization requirement for permission >= read
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z] ConfidentialClientApplication 14303791 created
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 221d6e7d-91dd-4728-a5f5-c5a9af74c536] [GetAccounts] Found 0 RTs and 0 accounts in MSAL cache. 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 221d6e7d-91dd-4728-a5f5-c5a9af74c536] [Region discovery] Not using a regional authority. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 221d6e7d-91dd-4728-a5f5-c5a9af74c536] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 221d6e7d-91dd-4728-a5f5-c5a9af74c536] [GetAccounts] Found 0 RTs and 0 accounts in MSAL cache after environment filtering. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 221d6e7d-91dd-4728-a5f5-c5a9af74c536] Filtered by home account id. Remaining accounts 0 
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z] Found 0 cache accounts and 0 broker accounts
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z] Returning 0 accounts
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] MSAL MSAL.NetCore with assembly version '4.61.3.0'. CorrelationId(8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f)
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] === AcquireTokenSilent Parameters ===
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] LoginHint provided: False
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] Account provided: False
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] ForceRefresh: False
Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] 
=== Request Data ===
Authority Provided? - True
Scopes - api://84c6a704-8064-48a6-a04a-e39f310f287d/Acces_GDA_READ_WRITE
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

Microsoft.Identity.Web.TokenAcquisition: Information: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] === Token Acquisition (SilentRequest) started:
	 Scopes: api://84c6a704-8064-48a6-a04a-e39f310f287f/Acces_GDA_READ_WRITE
	Authority Host: login.microsoftonline.com
Microsoft.Identity.Web.TokenAcquisition: Warning: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] No account passed to AcquireTokenSilent. 
Microsoft.Identity.Web.TokenAcquisition: Debug: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] Token cache could not satisfy silent request.
Microsoft.Identity.Web.TokenAcquisition: Error: False MSAL 4.61.3.0 MSAL.NetCore .NET 8.0.3 Microsoft Windows 10.0.19045 [2024-08-06 14:29:12Z - 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: user_null
HTTP StatusCode 0
CorrelationId 8bc1d2da-18a4-4ced-9a5c-b0ceac4d9e4f
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Microsoft.Identity.Web.TokenAcquisition: Information: [MsIdWeb] An error occured during token acquisition: No account or login hint was passed to the AcquireTokenSilent call. 

MSAL.NetCore.4.61.3.0.MsalUiRequiredException:
	ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call. 
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebAppWithAccountFromCacheAsync(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable`1 scopes, String tenantId, MergedOptions mergedOptions, String userFlow, TokenAcquisitionOptions tokenAcquisitionOptions)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
Exception levée : 'Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException' dans System.Private.CoreLib.dll
Demo.App.Authorization.PermissionActionAuthorizationHandler: Error: Failed to validate the permission for User a5a4a260-328c-4174-8367-78d0a179d62f for permission read

Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. 
 ---> MSAL.NetCore.4.61.3.0.MsalUiRequiredException:
	ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call. 
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebAppWithAccountFromCacheAsync(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable`1 scopes, String tenantId, MergedOptions mergedOptions, String userFlow, TokenAcquisitionOptions tokenAcquisitionOptions)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)

Relevant code snippets

string accessToken;
// ITokenAcquisition is scoped, so we need to create a new scope here as the handler is a singleton
using (var scope = _serviceProvider.CreateScope())
{
    var tokenAcquisition = scope.ServiceProvider.GetRequiredService<ITokenAcquisition>();
    var result = await tokenAcquisition.GetAuthenticationResultForUserAsync(_apiOptions.Scopes, user: context.User);
    accessToken = result.AccessToken;
}

Regression

No response

Expected behavior

Expected the access token to be in the cache for the other users
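
The root cause given in the problem description (a custom uid claim in the ID token shadowing the uid that comes from client_info) can be modelled with plain `System.Security.Claims` types. This is an added example, not code from the issue or from Microsoft.Identity.Web; the class and method names, the first-match lookup rule, the `<uid>.<utid>` key format and all sample values are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;

// Simplified model of the claim collision; not Microsoft.Identity.Web source code.
public static class UidClaimCollisionDemo
{
    private const string UidClaim = "uid";    // claim name from the issue
    private const string UtidClaim = "utid";  // tenant part of client_info

    private static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // client_info is base64url-encoded JSON: {"uid":"...","utid":"..."}.
    public static (string Uid, string Utid) ParseClientInfo(string clientInfo)
    {
        string b64 = clientInfo.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        string uid = doc.RootElement.GetProperty("uid").GetString()
                     ?? throw new FormatException("client_info has no uid");
        string utid = doc.RootElement.GetProperty("utid").GetString()
                      ?? throw new FormatException("client_info has no utid");
        return (uid, utid);
    }

    // Sign-in model: ID token claims come first, then the uid/utid values from
    // client_info are appended to the same identity.
    public static ClaimsPrincipal SignIn(IEnumerable<Claim> idTokenClaims, string clientInfo)
    {
        var identity = new ClaimsIdentity(idTokenClaims, "oidc-demo");
        var (uid, utid) = ParseClientInfo(clientInfo);
        identity.AddClaim(new Claim(UidClaim, uid));
        identity.AddClaim(new Claim(UtidClaim, utid));
        return new ClaimsPrincipal(identity);
    }

    // Lookup model: the first uid and utid claims form "<uid>.<utid>", the same
    // shape as the cache partition key in the logs (assumed lookup rule).
    public static string? AccountIdFromPrincipal(ClaimsPrincipal user)
    {
        string? uid = user.FindFirst(UidClaim)?.Value;
        string? utid = user.FindFirst(UtidClaim)?.Value;
        return uid is null || utid is null ? null : $"{uid}.{utid}";
    }

    // Diagnostic: uid values on the principal that differ from client_info's uid.
    public static List<string> ConflictingUidValues(ClaimsPrincipal user, string clientInfo)
    {
        string expected = ParseClientInfo(clientInfo).Uid;
        return user.FindAll(UidClaim)
                   .Select(c => c.Value)
                   .Where(v => !string.Equals(v, expected, StringComparison.OrdinalIgnoreCase))
                   .Distinct()
                   .ToList();
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the issue.
        const string oid = "11111111-1111-1111-1111-111111111111";
        const string tid = "22222222-2222-2222-2222-222222222222";
        string clientInfo = ToBase64Url($"{{\"uid\":\"{oid}\",\"utid\":\"{tid}\"}}");

        // The token cache is keyed by the account id derived from client_info.
        var cachedAccounts = new HashSet<string> { $"{oid}.{tid}" };

        var scenarios = new (string Label, Claim[] Claims)[]
        {
            ("default ID token", new[] { new Claim("name", "Demo User") }),
            ("ID token with custom uid claim", new[]
            {
                new Claim("name", "Demo User"),
                new Claim(UidClaim, "jdoe"), // constructed value of the custom claim
            }),
        };

        foreach (var (label, claims) in scenarios)
        {
            ClaimsPrincipal user = SignIn(claims, clientInfo);
            string? accountId = AccountIdFromPrincipal(user);
            bool found = accountId is not null && cachedAccounts.Contains(accountId);
            List<string> conflicts = ConflictingUidValues(user, clientInfo);

            Console.WriteLine($"{label}: lookup key = {accountId}, account found = {found}");
            if (conflicts.Count > 0)
                Console.WriteLine($"  conflicting uid claim(s): {string.Join(", ", conflicts)}");
        }
    }
}
```

A check like `ConflictingUidValues` can run right after sign-in to flag app registrations whose ID token carries its own uid claim before the first silent token request fails.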
