Get AccessTokenOnBehalfOfUser if (Current)HttpContext is not available (anymore) #233

Closed
1 of 14 tasks
pocki opened this issue Dec 11, 2019 · 2 comments
Labels
bug Something isn't working

Comments

@pocki

pocki commented Dec 11, 2019

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. Web app calling several APIs 3-WebApp-multi-APIs
  4. Web app calling your own Web API 4-WebApp-your-API
  5. Web app restricting users
    1. by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. Deployment to Azure
  7. Other (please describe)

Repro-ing the issue

Repro steps

Is it somehow possible to receive an AccessToken on behalf of a user if only (at least) a ClaimsPrincipal (like in #159) is available but no full (Current)HttpContext?
Why: I have a long-running task moved to an IHostedService. In this service I need an AccessToken at the beginning and at the end (for the same scope). The AccessToken for the beginning is no problem; I can request it before the start and/or use the TokenCache. But at the end (>1 hour after the beginning) of the HostedService the token needs to be refreshed, but I cannot call the TokenAcquisition because HttpContext is not available (out of scope/disposed) in the IHostedService.

Actually I use TokenAcquisition.GetAccessTokenOnBehalfOfUserAsync to get and to "refresh"/get a new token

Expected behavior

Use of TokenAcquisition.GetAccessTokenOnBehalfOfUserAsync where HttpContext is not available (Disposed or out of Scope)

Actual behavior

With modifications of #159 I can pass the HttpContext.User as a Parameter to the HostedService: System.NullReferenceException "Object reference not set to an instance of an object."

    var request = CurrentHttpContext.Request; // CurrentHttpContext is null/is already disposed
    at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication() in C:\xxx\Microsoft.Identity.Web\TokenAcquisition.cs:line 345
    at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication() in C:\xxx\Microsoft.Identity.Web\TokenAcquisition.cs:line 333

Line numbers may not match with this Repo

Possible Solution

Is it possible to set the needed values for TokenAcquisition manually?
Is there another method instead of TokenAcquisition.GetAccessTokenOnBehalfOfUserAsync to refresh a token?

Versions

ASP.NET Core 3.0
Microsoft.Identity.Web from this Repo, manually updated to ASP.NET Core 3.0 with

    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureAD.UI" Version="3.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.AzureADB2C.UI" Version="3.0.0" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="3.0.1" />
    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="3.0.1" />
    <PackageReference Include="Microsoft.Identity.Client" Version="4.7.1" />

Mention any other details that might be useful

Is there any other possibility? Have I missed something? Does anyone have another suggestion for how to solve this?

@jennyf19
Contributor

now tracked in microsoft identity web repo: AzureAD/microsoft-identity-web#10

@jmprieur
Contributor
