OneDrive / onedrive-sdk-csharp

OneDrive SDK for C#! https://dev.onedrive.com

UWP client doesn't get RefreshToken filled #114

Closed steelspace closed 8 years ago

steelspace commented 8 years ago

GetUniversalClient doesn't fill RefreshToken, so it can't be used in a background task to upload/download files. The user must now be authenticated via AuthenticationBroker instead, which breaks the single sign-on experience.

ginach commented 8 years ago

WebAuthenticationBroker does have SSO support if you don't provide the return URL at time of authentication. That said, the first time a user ever logs in with the app will require a user prompt. This is a Microsoft account authentication limitation.

For apps that only want to run in the background we recommend implementing a sign-in/connect to app page. The app can store the refresh tokens retrieved by that flow in their database then initialize a OneDriveClient using OneDriveClient.GetSilentlyAuthenticatedMicrosoftAccountClient().

steelspace commented 8 years ago

Sure, but I wanted the user not to need to fill in credentials at all, as with GetUniversalClient.

ginach commented 8 years ago

If you are using GetUniversalClient and know the user already has an account connected to the current machine, say in an older Windows Phone app, you don't need the refresh token. OnlineIdAuthenticator will automatically log the current user in silently every time. If you can't be sure the user has an account connected you still need to handle user prompt since it's a limitation of MSA OAuth that no 100% silent authentication scenario is available.

The 3rd option is to have a signup web page somewhere for the user to connect and then you always use a refresh token stored in your DB at the time of running the app.

steelspace commented 8 years ago

My scenario is that I need to upload/download data from OneDrive in a UWP app in both the GUI and a background task without GUI. What is the recommended approach?

dkonigsberg commented 8 years ago

Last I checked, OnlineIdAuthenticator does not work from a background task. Is this still true, or is there some trick to making it work in that scenario? While it does work from a GUI app, it also doesn't seem to provide sufficient data to allow for background token refreshing either. Unfortunately, OnlineIdAuthenticator does seem to be the only way to provide a "friendly" authorization experience to the GUI app's user (i.e. no need to re-enter a username/password), as far as I can tell.

ginach commented 8 years ago

You're correct about OnlineIdAuthenticator, @dkonigsberg, I was mistaken.

@steelspace, for your case the recommended approach would be to use WebAuthenticationBroker to prompt the UI to the user, store the refresh tokens, and use the refresh tokens. Or, have a web page to connect to your app and do OAuth that way, storing the refresh tokens from there.

I understand neither of these scenarios is ideal, but unfortunately we're limited to the functionality available via MSA OAuth and the Windows authentication APIs.
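
The flow recommended above (interactive sign-in once, store the refresh token, sign in silently from the background task), as an added example that is not part of the thread or the SDK's own code. It assumes the SDK surface named in the thread (`GetSilentlyAuthenticatedMicrosoftAccountClient` taking client id, return URL, scopes and refresh token, and a `CurrentAccountSession.RefreshToken` property on the authenticated client); `OneDriveTokenStore`, its vault resource name and its account key are hypothetical. The token goes into the UWP `PasswordVault` rather than app settings or a file, because a refresh token is a long-lived credential.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.OneDrive.Sdk;
using Windows.Security.Credentials;

// Hypothetical helper (not part of the SDK): keeps the refresh token in the
// per-user, per-app credential locker shared by the GUI and the background task.
public static class OneDriveTokenStore
{
    private const string Resource = "OneDriveRefreshToken"; // assumed vault resource name
    private const string Account = "default";               // assumed single-account app

    // Foreground app: call once the interactive sign-in has completed.
    public static void Save(IOneDriveClient client)
    {
        var session = client.AuthenticationProvider.CurrentAccountSession;
        if (string.IsNullOrEmpty(session?.RefreshToken))
            throw new InvalidOperationException(
                "Session has no refresh token; check that wl.offline_access was requested.");
        Clear(); // never keep a stale token next to the new one
        new PasswordVault().Add(new PasswordCredential(Resource, Account, session.RefreshToken));
    }

    public static string Load()
    {
        try
        {
            var credential = new PasswordVault().Retrieve(Resource, Account);
            credential.RetrievePassword();
            return credential.Password;
        }
        catch (Exception) { return null; } // Retrieve throws when no entry exists
    }

    // Call on sign-out or when the silent sign-in is rejected.
    public static void Clear()
    {
        var vault = new PasswordVault();
        try { vault.Remove(vault.Retrieve(Resource, Account)); }
        catch (Exception) { /* nothing stored */ }
    }

    // Background task: returns null when the user has never signed in interactively.
    public static async Task<IOneDriveClient> GetBackgroundClientAsync(
        string clientId, string returnUrl, string[] scopes)
    {
        var refreshToken = Load();
        if (refreshToken == null) return null;
        var client = await OneDriveClient.GetSilentlyAuthenticatedMicrosoftAccountClient(
            clientId, returnUrl, scopes, refreshToken); // signature assumed, see lead-in
        Save(client); // persist the token of the new session in case the server replaced it
        return client;
    }
}
```

If the silent sign-in throws because the stored token was revoked or has expired, call `Clear()` and send the user back through the interactive sign-in in the GUI app.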