Azure AD B2c Xamarin 表单从不静默登录

Question

I followed the example from this repo https://github.com/Azure-Samples/active-directory-b2c-xamarin-native and got the authentication working. A user can register and authenticate perfectly.

the problem is, after a user is authenticated when this code runs, it can never aquire a silent token.

   IEnumerable<IAccount> accounts = await _pca.GetAccountsAsync();
            AuthenticationResult authResult = await _pca.AcquireTokenSilent(B2CConstants.Scopes, GetAccountByPolicy(accounts, B2CConstants.AuthoritySignInSignUp))
               .WithB2CAuthority(B2CConstants.AuthoritySignInSignUp)
               .ExecuteAsync();

            var newContext = UpdateUserInfo(authResult);
            return newContext;

I have assumed this is about refresh tokens, but I have not found a suitable example on how to accomplish this.

EDIT here is the policy config

Answer 1

Unfortunately, I have found many times that MSAL is poorly documented. For this reason, many samples and apps that rely on it are not able to provide strong documentation either.

There is a github issue with a similar experience in another xamarin repository that uses the same identity client package:

https://github.com/Azure-Samples/active-directory-xamarin-native-v2/issues/38

Include="Microsoft.Identity.Client" version="4.13.0"

This issue links to the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-aad-b2c-considerations#resource-owner-password-credentials-ropc

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/msal-net-2-released#token-cache-index-keys

Which indicates:

Known issue with Azure AD B2C MSAL.NET supports a token cache. The token caching key is based on the claims returned by the identity provider (IdP). Currently, MSAL.NET needs two claims to build a token cache key:

• tid (the Azure AD tenant ID)
• preferred_username

Both of these claims may be missing in Azure AD B2C scenarios because not all social identity providers (Facebook, Google, and others) return them in the tokens they return to Azure AD B2C.A symptom of such a scenario is that MSAL.NET returns Missing from the token response when you access the preferred_username claim value in tokens issued by Azure AD B2C. MSAL uses the Missing from the token response value for preferred_username to maintain cache cross-compatibility between libraries.

Some workarounds are provided in the Microsoft article, and the GitHub article suggests implementation changes:

Workarounds Mitigation for missing tenant ID The suggested workaround is to use caching by policy described earlier.

Alternatively, you can use the tid claim if you're using custom policies in Azure AD B2C. Custom policies can return additional claims to your application by using claims transformation.

Mitigation for "Missing from the token response" One option is to use the name claim instead of preferred_username. To include the name claim in ID tokens issued by Azure AD B2C, select Display Name when you configure your user flow.

For more information about specifying which claims are returned by your user flows, see Tutorial: Create user flows in Azure AD B2C.

Hopefully, some of these discoveries can put you on the right path.