Failed to acquire token silently - Microsoft Graph API to obtain a user’s outlook groups

Question

I am trying to access the Microsoft Graph API to obtain a user's outlook groups.

Here is the code to retrieve the access token:

    public static async Task<string> GetGraphAccessTokenAsync()
    {
        string AzureAdGraphResourceURL = "https://graph.microsoft.com/";
        string signedInUserUniqueName = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
        var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
        var clientCredential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey);
        var userIdentifier = new UserIdentifier(userObjectId, UserIdentifierType.UniqueId);

        AuthenticationContext authContext = new AuthenticationContext(
            SettingsHelper.Authority, new ADALTokenCache(signedInUserUniqueName));

        var result = await authContext.AcquireTokenSilentAsync(AzureAdGraphResourceURL, clientCredential, userIdentifier);
        return result.AccessToken;
    }

The method uses a settings helper as follows:

    public class SettingsHelper
{
    private static string _clientId = ConfigurationManager.AppSettings["ida:ClientID"];
    private static string _appKey = ConfigurationManager.AppSettings["ida:Password"];

    private static string _tenantId = ConfigurationManager.AppSettings["ida:TenantID"];
    private static string _authorizationUri = "https://login.windows.net";
    private static string _authority = "https://login.windows.net/{0}/";

    private static string _graphResourceId = "https://graph.windows.net";

    public static string ClientId
    {
        get
        {
            return _clientId;
        }
    }

    public static string AppKey
    {
        get
        {
            return _appKey;
        }
    }

    public static string TenantId
    {
        get
        {
            return _tenantId;
        }
    }

    public static string AuthorizationUri
    {
        get
        {
            return _authorizationUri;
        }
    }

    public static string Authority
    {
        get
        {
            return String.Format(_authority, _tenantId);
        }
    }

    public static string AADGraphResourceId
    {
        get
        {
            return _graphResourceId;
        }
    }    
}

This is the error that I get: Failed to acquire token silently. Call method AcquireToken

Exception Details:

    Microsoft.IdentityModel.Clients.ActiveDirectory.AdalSilentTokenAcquisitionException : Failed to acquire token silently. Call method AcquireToken

The error occurs specifically at this line:

     var result = await authContext.AcquireTokenSilentAsync(AzureAdGraphResourceURL, clientCredential, userIdentifier);

I have checked to ensure that the UserIdentifier matches the value in the cache, but it stills seems to reject the token. Any ideas of where I might be going wrong?

Answer 1

Firs of all, make sure to use the Microsoft graph endpoint (actually you used the Active directory endpoint)

    private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static readonly string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static readonly string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    private static readonly string graphResourceId = "https://graph.microsoft.com";
    private static readonly Uri graphEndpointId = new Uri("https://graph.microsoft.com/v1.0/");

Before making a Silent call, you have to make a classic call by retrieving a code. I assume you're in an MVC application. Here is my Startup.Auth.cs code :

    public void ConfigureAuth(IAppBuilder app)
    {
        ApplicationDbContext db = new ApplicationDbContext();

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = AuthenticationHelper.ClientId,
                Authority = AuthenticationHelper.AadInstance + AuthenticationHelper.TenantId,
                PostLogoutRedirectUri = AuthenticationHelper.PostLogoutRedirectUri,

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                   AuthorizationCodeReceived =async (context) => 
                   {
                       var code = context.Code;
                       string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                       try
                       {
                           var result = await AuthenticationHelper.GetAccessTokenByCodeAsync(signedInUserID, code);

                       }
                       catch (Exception ex)
                       {
                           Debug.WriteLine(ex.Message);
                           //throw;
                       }


                   }
                }
            });
    }

Here is the code I used in my AuthenticationHelper class :

    public async static Task<AuthenticationResult> GetAccessTokenByCodeAsync(string signedInUserID, string code)
    {
            ClientCredential credential = new ClientCredential(clientId, appKey);
            AuthenticationContext authContext = new AuthenticationContext(AadInstance + TenantId, new ADALTokenCache(signedInUserID));
            AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
            code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

            return result;

    }

and Then, each time I need to make a request to the graph, here is the code I used to get a token :

    public async static Task<string> GetTokenForApplicationAsync()
    {
        string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
        string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

        // get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
        ClientCredential clientcred = new ClientCredential(clientId, appKey);
        // initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
        AuthenticationContext authenticationContext = new AuthenticationContext(AadInstance + TenantId, new ADALTokenCache(signedInUserID));
        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenSilentAsync(GraphResourceId, clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
        return authenticationResult.AccessToken;
    }

An other thhings to notice : Make sure your tenantId is the guid of your tenant. For some reason, sometimes, if you use your tenant name, adal make a difference and could raise this kind of error.