Azure Function App Web API 的 .Net Core MSAL 身份验证

Question

I have a Azure Function App that is written in C# .net Core

I use Microsoft.Identity.Client; library to do this authentication proccess.

In my Function App API, I make another call to Time Series Insights (TSI), so I must use the accessToken passed into the Function App to grab a new token for scope of TSI.

There are two main flows that need to be working, but I can only get one version to work.

The working version is getting a token in PostMan and Authenticating to the API

IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithTenantId(tenantId)
            .Build();
confidentialClientApplication.AcquireTokenForClient(scopes).ExecuteAsync();
            

The NOT working flow - where the User is signed into my website and calls the API from the website. Then I must use the

UserAssertion userAssertion = new UserAssertion(accessToken);
confidentialClientApplication.AcquireTokenOnBehalfOf(scopes, userAssertion).ExecuteAsync();

The AcquireTokenOnBehalfOf works for me until the token is expired in the Cache. I am using the Azure Token Store in the Function App Authentication.

The website gets a token similarly to PostMan, and then calls the Function App API. That much is working, but then the token is expired. The documentation says that to use the token store a silent request can be used to refresh the token ( AcquireTokenSilent ) - but that does not make sense to me since I do not have an IAccount to use for confidentialClientApplication.AcquireTokenSilent(scopes, acount)

What is the correct way or a better way to have both options available for authenticating while using the built-in Function App Token Store in Azure Portal?

Answer 1

The On-Behalf-Of flow doesn't support refresh token, see here .

If you would like to use this flow, you need to authenticate again to renew the access token.