AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Second sign-in required for WebAPI call. Is there a way to avoid it? #809

Closed dzak83 closed 5 years ago

dzak83 commented 5 years ago

Hi, I am following this sample app: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof and after I get id_token from regular login I am first trying acquireToken on AuthenticationContext and later as it fails, I am calling acquireTokenRedirect with the WebAPI resource ID. At this second step I have to sign in again.

Is there a way that my initial id_token can be all I need to get WebAPI token? I don't want to ask users to sign in twice.

I know it's only for the first time as later it will stay in cache for some time. Code: see acquireAnAccessTokenAndCallTheProtectedService (https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof/blob/master/TodoListSPA/app.js)

Thanks!

rohitnarula7176 commented 5 years ago

@dzak83 You should not need to sign in twice. Once you call login and receive an id_token, the subsequent acquireToken call should succeed assuming there are no conditional access policies or if consent is not required for the api. Can you please share the exact error that you receive when you call acquireToken from the callback(errorDesc, token, error, tokenType) passed to this api?

dzak83 commented 5 years ago

Hi, I actually got it solved using login_hint, so the user is not prompted again with another popup, just once to provide the password.
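
The flow discussed in this thread, as an added example (not code from the thread, the sample app or ADAL.js itself): call acquireToken silently, and fall back to acquireTokenPopup with a login_hint only when the error says user interaction is needed. The helper names, the fake context and the sample UPN are constructed, and the leading '&' on the extra query string is an assumption about how ADAL.js appends it.

```javascript
// Added example. `ctx` is an ADAL.js AuthenticationContext, or a stand-in
// object exposing the same three methods.

// Build the extra query string from the user ADAL cached at login.
// Assumption: ADAL.js appends this string to the authorize URL as given,
// so it carries its own leading '&'. Check the ADAL.js version in use.
function loginHintQuery(user) {
  const hint = user && ((user.profile && user.profile.upn) || user.userName);
  return hint ? '&login_hint=' + encodeURIComponent(hint) : '';
}

// Silent first; go interactive only when Azure AD reports that interaction is needed.
function acquireApiToken(ctx, resource, done) {
  ctx.acquireToken(resource, function (errorDesc, token, error) {
    if (token) return done(null, token, 'silent');
    const failure = { error: error, errorDesc: errorDesc };
    const needsUser = /interaction_required|login_required|consent_required/
      .test(error + ' ' + errorDesc);
    // Any other failure (for example a renewal timeout) is surfaced, not turned into a prompt.
    if (!needsUser) return done(failure, null, 'silent');
    const extra = loginHintQuery(ctx.getCachedUser());
    ctx.acquireTokenPopup(resource, extra, null, function (errorDesc2, token2, error2) {
      if (token2) return done(null, token2, 'popup');
      done({ error: error2, errorDesc: errorDesc2 }, null, 'popup');
    });
  });
}

// Constructed stand-in for AuthenticationContext so the flow runs offline.
function makeFakeContext(silentError) {
  const calls = [];
  return {
    calls: calls,
    getCachedUser: function () {
      return { userName: 'alice@contoso.example', profile: { upn: 'alice@contoso.example' } };
    },
    acquireToken: function (resource, cb) {
      calls.push(['acquireToken', resource]);
      if (silentError) cb('constructed error description', null, silentError);
      else cb(null, 'constructed-access-token', null);
    },
    acquireTokenPopup: function (resource, extra, claims, cb) {
      calls.push(['acquireTokenPopup', resource, extra]);
      cb(null, 'constructed-popup-token', null);
    }
  };
}
```

Logging the `failure` object before falling back keeps the exact error and errorDesc available, which is what the maintainer asks for above.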