AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Bug] acquireTokenSilently method for Operating System account is deprecated #868

Open MikeVautier opened 1 month ago

MikeVautier commented 1 month ago

Library version used

1.17.2

Java version

17

Scenario

Other - please specify

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

Hi,

I'm trying to use acquireTokenSilently with a WAM to get a token from the Operating System cache.

This works:

     Broker broker = new Broker.Builder()
           .supportWindows(true)
           .build();

     PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
           .authority(AUTHORITY)
           .broker(broker)
           .build();

     SilentParameters silentParameters = SilentParameters.builder(SCOPES).build();

     IAuthenticationResult result = pca.acquireTokenSilently(silentParameters).join();
     System.out.println(result.accessToken());

However, SilentParameters.builder(Set<String>) is marked deprecated and for removal in the next major build.

Is this deprecation annotation correct? If so, is there a recommended method to get the token from the OS Account? The only other builder method requires an Account to be supplied, which appears to be for an application-controlled account, not the system account.

Thanks

Relevant code snippets

     Broker broker = new Broker.Builder()
           .supportWindows(true)
           .build();

     PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
           .authority(AUTHORITY)
           .broker(broker)
           .build();

     // with no account - this works but is deprecated
     SilentParameters silentParameters = SilentParameters.builder(SCOPES).build();

     // with the PCA account - this throws an error as there are no accounts
     // SilentParameters silentParameters = SilentParameters.builder(SCOPES, pca.getAccounts().join().iterator().next()).build();

     IAuthenticationResult result = pca.acquireTokenSilently(silentParameters).join();
     System.out.println(result.accessToken());

Expected behavior

SilentParameters.builder(SCOPES) to be un-deprecated

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

jayendranar02 commented 1 month ago

I would like to contribute, please assign...

jayendranar02 commented 1 month ago

Ensure that there are accounts in the cache. If you're expecting an account to be available, check the account retrieval logic:

     Set<IAccount> accounts = pca.getAccounts().join();
     if (accounts.isEmpty()) {
         // Handle the scenario where no accounts are available
     } else {
         // getAccounts() yields a Set, so take the first element via its iterator
         SilentParameters silentParameters = SilentParameters.builder(SCOPES, accounts.iterator().next()).build();
         IAuthenticationResult result = pca.acquireTokenSilently(silentParameters).join();
         System.out.println(result.accessToken());
     }

jayendranar02 commented 1 month ago

Documentation Review: Review the latest MSAL documentation to see if there are new patterns or methods for silent authentication that replace the deprecated builder.

Update Your Implementation: If the library maintains the new requirement for accounts, adjust your implementation to handle account retrieval properly and use the updated builder method.

jayendranar02 commented 1 month ago

Conclusion: Your main concern revolves around the deprecation of a method that you rely on for token acquisition. As libraries evolve, it's common for methods to be deprecated in favor of more robust solutions. Adjusting your code to accommodate these changes will help maintain compatibility with future versions of the library.

Avery-Dunn commented 1 month ago

Hello @jayendranar02: Long story short, that deprecated SilentParameters builder was originally used for confidential client scenarios (which didn't use an account), but a while back we started handling the silent flow internally so you didn't need to use it (which is why it was deprecated).

However, after support for WAM was added that API was repurposed to handle the new default OS account option when using the broker. It was an oversight to not un-deprecate it and make that behavior more clear, and we will fix that in an upcoming release. No ETA yet, but it is a simple fix and I'll update this thread once we have more info about the release.
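The following is an added example, not code from this thread or from the MSAL project: it combines the two builder overloads discussed above, using an app-cached account when one exists and otherwise the no-account builder that the maintainer describes as selecting the default OS account through the broker. `CLIENT_ID`, `AUTHORITY`, the sample scope and the class and helper names are assumptions, and the access token is deliberately not printed.

```java
import com.microsoft.aad.msal4j.*;
import com.microsoft.aad.msal4jbrokers.Broker;

import java.util.Set;
import java.util.concurrent.CompletionException;

public class OsAccountSilentToken {
    // Placeholders (assumptions): substitute your app registration's values.
    static final String CLIENT_ID = "<your-client-id>";
    static final String AUTHORITY = "https://login.microsoftonline.com/<your-tenant-id>/";
    static final Set<String> SCOPES = Set.of("User.Read"); // constructed sample scope

    // Hypothetical helper: prefer an account already known to this app; otherwise
    // use the no-account builder (default OS account via the broker, per the thread).
    @SuppressWarnings({"deprecation", "removal"})
    static SilentParameters silentParametersFor(IPublicClientApplication pca) {
        Set<IAccount> accounts = pca.getAccounts().join();
        if (!accounts.isEmpty()) {
            return SilentParameters.builder(SCOPES, accounts.iterator().next()).build();
        }
        return SilentParameters.builder(SCOPES).build();
    }

    public static void main(String[] args) throws Exception {
        Broker broker = new Broker.Builder().supportWindows(true).build();
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .broker(broker)
                .build();
        try {
            IAuthenticationResult result =
                    pca.acquireTokenSilently(silentParametersFor(pca)).join();
            // Report metadata only; keep the bearer token out of stdout and logs.
            System.out.println("Token acquired, expires " + result.expiresOnDate());
        } catch (CompletionException e) {
            // join() wraps MSAL failures; unwrap to see why the silent call failed.
            if (e.getCause() instanceof MsalInteractionRequiredException) {
                System.err.println("Silent acquisition not possible; interactive sign-in required.");
            } else {
                throw e;
            }
        }
    }
}
```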