Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] In Web APIs we don't need to call AcquireTokenSilent before calling AcquireTokenOnBehalfOf #381

Closed
7 tasks
jmprieur opened this issue Jul 31, 2020 · 2 comments
Closed
7 tasks

[Bug] In Web APIs we don't need to call AcquireTokenSilent before calling AcquireTokenOnBehalfOf #381

jmprieur opened this issue Jul 31, 2020 · 2 comments
Assignees
@jennyf19
Labels
bug Something isn't working fixed fundamentals P1 web api
Milestone
0.2.2-preview

Comments

@jmprieur
Copy link
Collaborator

jmprieur commented Jul 31, 2020
edited
Loading

Which version of Microsoft Identity Web are you using?
0.2.1-preview

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • [x ] Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Repro

tokenAcqusition.GetTokenForUserAsync()

Expected behavior

It's not necessary to call AcquireTokenSilent in the case of a Web API before calling AcquireTokenOnBehalfOf as AcquireTokenOnBehalfOf does a cache lookup (filtered with the hash of the incoming token). Suggesting to invert the conditions (testing first by if (validatedToken != null)), and in that case doing only OBO. In the other case do the AcquireToken from cache and process the exception to step-up.

microsoft-identity-web/src/Microsoft.Identity.Web/TokenAcquisition.cs

Line 268 in 3c77e3c

if (validatedToken != null)

BTW (but this might be another work item), in the other case (Web app) could we just challenge the user as we have all the information ?

Actual behavior
the code calls AcquireTokenSilent always, and then differentiates OBO or not. And therefore in Web APIs there are 2 cache lookups.
@jmprieur jmprieur added the P1 label Jul 31, 2020
@jmprieur
Copy link
Collaborator Author

cc: @jennyf19 @bgavrilMS

@jmprieur jmprieur added this to the [3] Fundamentals milestone Jul 31, 2020
@jennyf19 jennyf19 mentioned this issue Aug 1, 2020
Merged
2 tasks
@jennyf19 jennyf19 added fixed and removed In progress labels Aug 4, 2020
@jmprieur jmprieur added the bug Something isn't working label Aug 4, 2020
@jennyf19
Copy link
Collaborator

jennyf19 commented Aug 7, 2020

Included in 0.2.2-preview release

@jennyf19 jennyf19 closed this as completed Aug 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jennyf19 jennyf19

Labels
bug Something isn't working fixed fundamentals P1 web api
Projects
None yet
Milestone
0.2.2-preview
Development

No branches or pull requests
2 participants
@jmprieur @jennyf19