MSAL does not pass the prompt to WAM (was: WAM signout with RemoveAsync and signin with WithPrompt(Prompt.ForceLogin) does not ask password)

[viebrix]

Which version of MSAL.NET are you using? MSAL.NET 4.53.0

Platform .NET 4.8 (Winforms)

What authentication flow has the issue?

• Desktop / Mobile
  • [*] Interactive
  • [ ] Integrated Windows Authentication
  • [ ] Username Password
  • [ ] Device code flow (browserless)
• Web app
  • [ ] Authorization code
  • [ ] On-Behalf-Of
• Daemon app
  • [ ] Service to Service calls

Other?

Is this a new or existing app? This is a new app

//signout:
var accounts = await MyAuthentication.Pca.GetAccountsAsync();
if (accounts.Any())
{
        await MyAuthentication.Pca.RemoveAsync(accounts.FirstOrDefault());
        Logger.LogDebug($"User: {accounts.FirstOrDefault().Username} signed out!");
}

//signin:
authResult = await Pca.AcquireTokenInteractive(scopes).WithPrompt(Prompt.ForceLogin)
                                                  .ExecuteAsync()
                                                  .ConfigureAwait(false);

Expected behavior I expected, that user is signed out and after requesting new token with AcquireTokenInteractive, the pop-up windows opens, where user can be chosen. After user (e-mail) is chosen, the user should again enter password.

Actual behavior I expected, that user is signed out and after requesting new token with AcquireTokenInteractive, the pop-up windows opens, where user can be chosen. After user (e-mail) is chosen, the user is signed in without entering a password. Also after manual deleting cache file, user is automatically logged in. This behavior is the same for two different logins, on same desktop pc, where the password was entered only one time.

[bgavrilMS]

This is by design @viebrix . The browser has cookies and also talks to Windows to bring SSO. The fact that the browser remembers the user, and that the user has signed into Windows with that account are user concerns. You, as an app owner, should not try to change the SSO behavior.

I don't recommend you use Prompt.ForceLogin, this creates a bad auth experience for customers. Why are trying to do this?

If you need to enforce a sing-in frequency, the tenant admin can do this via Conditional Access https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

[viebrix]

Thanks for the quick answer! I didn't use Prompt until I read on stack overflow and here on github, that this forces the user to reenter password. My idea was, that my application uses msal to authenticate a user. But if for example a colleague (person b) signs in this app (on person a's computer) with his own credential (person b's credential) to show (person a) something. After clarified the task, person b signs out and leaves the computer. Person a is now possible to relogin with his own account. But person a is also possible to sign in with person b's login without entering a password for a long time. This is an unwanted situation. I know person b works here under person a's desktop, but in practice this will happen, if both colleagues siting side by side to examine a task.

[bgavrilMS]

Have a look at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#persistence-of-browsing-sessions

Otherwise, the SDK does not have control of the browser / can't clear cookies etc. For accounts connected to Windows, this should not be a concern. For accounts not connected to Windows, the user can explicitly sign-out, from the browser. You can see the 3 dots menu - click on that and say "Sign Out and Forget"

[viebrix]

Thanks I understand. I will read the docs you have provided. thanks very much for your help!

[viebrix]

@bgavrilMS sorry to ask you again. Maybe I missunderstod somehthing - But I tried to remove the user in the browser(s) (with 3 dots) and the user is still in my winforms login msal window. In which browser will the cookie be stored for winforms msal interactive login?

login_firefox.jpg shows the https://login.microsoftonline.com site in my standard browser

login_chrome.jpg shows same address in browser i thought which will store cookies

login_msal_winforms.jpg shows the signin in my app.

.... ROBOT is removed in all browser - but still exists in winforms and logs in without password.

[bgavrilMS]

Each browser is separate and cookies are not shared. The embedded browser is based on IE :( but it counts as a separate browser.

We now recommend folks to use WAM, see https://aka.ms/msal-net-wam as it provides better SSO System browser is better than embedded because it supports FIDO / Windows Hello etc.

[viebrix]

I thought I'm already using WAM:

Pca = PublicClientApplicationBuilder.Create(ClientId)
              .WithAuthority(AuthorityUri)
              .WithLogging(Log, Microsoft.Identity.Client.LogLevel.Verbose, true)
              .WithRedirectUri("http://localhost") // required for DefaultOsBrowser
              .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
              .WithParentActivityOrWindow(WindowHandleProvider)
              //.WithWindowsDesktopFeatures(options);
              .Build();```

[bgavrilMS]

Ok got it. So are you saying that the WAM dialog does not display the 3 dots? Note that WAM is trying to get all new accounts in Windows.

For Work and School accounts, the user is asked if the account should be "app only" or in Windows. For Personal accounts, they do not get asked.

[viebrix]

Yes, it only shows the 3 dots in the right bottom corner, which only opens some status info about errors and so on. you can see the screenshot in my comment 1 hour ago. Its the one with "login_msal_winforms.jpg" - this is the WAM dialog. Both accounts which are displayed are work accounts for (in?) my tenant. They are also windows accounts on AD and on my PC. Sorry if I'm not clear in describing, but azure ad is new to me and so are all vocabulary.

Do I understand it correctly that no real sign out is possible even with WAM. Is a browser cookie also set in IE?

[bgavrilMS]

Possibly. Today, MSAL does not pass on the Prompt option to WAM. That's a bug. We can get that fixed but I don't know what WAM behavior will be like.

WAM not displaying the 3 dots will not be easy to change.

[viebrix]

Thanks for your help and analyzing the background of the issue!

[aries-zhang]

Sorry for the delay in raising a bug about the prompt to WAM. It seems this issue is now tracking it, so attaching the convo here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4110#issuecomment-1530955885