[Bug] IConfidentialClientApplication randomly generating token with older version (v1.0) #5024
Description
Library version used
4.65.0
.NET version
.Net Framework 4.8
Scenario
ConfidentialClient - service to service (AcquireTokenForClient)
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
We have a WCF service (in .NET Framework 4.8).
It's an on-prem setup.
Our service tries to acquire a token from AAD and invokes another endpoint (passing the token in the Authorization header).
For acquiring the token it's using Microsoft.Identity.Client (4.65.0).
We are noticing that ~0.05% of our calls to the web API are failing with an HTTP 401 error.
On further debugging, we realized that randomly, for some instances, the AAD token fetched is v1.0, and so the downstream call fails.
For most of the requests the correct version (v2.0) token is generated, but randomly for some requests it's creating a v1.0 token.
Relevant code snippets
```csharp
public static string GetToken()
{
    string[] scopes = new string[1]
    {
        appAuthScopes
    };
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(appAuthClientId)
        .WithCertificate(aadAppClientCert)
        .WithAuthority(new Uri(appAuthAuthority))
        .Build();
    var authenticationResult = app.AcquireTokenForClient(scopes)
        .WithSendX5C(true)
        .ExecuteAsync()
        .ConfigureAwait(false);
    var result = authenticationResult.GetAwaiter().GetResult();
    return result.AccessToken;
}
```

```xml
<add key="appAuthClientId" value="some-aad-clientid"/>
<add key="appAuthClientCert" value="cert-subject"/>
<add key="appAuthAuthority" value="https://login.microsoftonline.com/<tenant>/v2.0"/>
<add key="appAuthScopes" value="<app-id-uri>"/>
```
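The following is an added diagnostic example, not code from the issue reporter or from MSAL. It shows how to detect the mismatch described above at the point of acquisition rather than as a 401 further downstream: after `AcquireTokenForClient` returns, it decodes the access token's payload (without validating the signature; that is the resource's job) and checks the `ver` and `aud` claims, and it logs `AuthenticationResultMetadata.TokenSource` so that v1.0 results can be correlated with cache hits versus fresh responses from the identity provider. Two points a practitioner should keep in mind: the access token format is governed by the resource application's registration (its `accessTokenAcceptedVersion` setting), not solely by the `/v2.0` authority URL, and client-credential requests use the `resource/.default` scope form. The example keeps a single `IConfidentialClientApplication` per process so MSAL's in-memory cache is reused. The client ID, tenant, certificate subject and scope are placeholders, and it assumes Microsoft.Identity.Client 4.65.0 plus the System.Text.Json NuGet package on .NET Framework 4.8.

```csharp
// Added diagnostic example (not from the issue or from MSAL).
// Assumes Microsoft.Identity.Client 4.65.0 and the System.Text.Json package on .NET Framework 4.8.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenVersionCheck
{
    // Placeholders; real values come from configuration.
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.microsoftonline.com/<tenant>/v2.0";
    // Client-credential requests ask for the resource's ".default" scope.
    private static readonly string[] Scopes = { "api://<app-id-uri>/.default" };

    // One application instance per process so MSAL's in-memory token cache is reused.
    private static readonly Lazy<IConfidentialClientApplication> App =
        new Lazy<IConfidentialClientApplication>(() =>
            ConfidentialClientApplicationBuilder.Create(ClientId)
                .WithCertificate(LoadCertificate("<cert-subject>"))
                .WithAuthority(new Uri(Authority))
                .Build());

    public static async Task<string> GetTokenAsync()
    {
        AuthenticationResult result = await App.Value
            .AcquireTokenForClient(Scopes)
            .WithSendX5C(true)
            .ExecuteAsync()
            .ConfigureAwait(false);

        IDictionary<string, string> claims = ReadPayloadClaims(result.AccessToken);
        claims.TryGetValue("ver", out string ver);
        claims.TryGetValue("aud", out string aud);

        // TokenSource says whether this result came from the cache or from the identity
        // provider; it is the first thing to correlate when only a fraction of calls differ.
        Console.WriteLine(
            $"token source={result.AuthenticationResultMetadata.TokenSource} ver={ver} aud={aud}");

        if (ver != "2.0")
        {
            // Fail here, with the evidence, instead of sending the token and getting a 401.
            throw new InvalidOperationException(
                $"Expected a v2.0 access token but received ver={ver ?? "<missing>"}, aud={aud}");
        }
        return result.AccessToken;
    }

    // Decodes the JWT payload (second segment) without validating the signature;
    // this is diagnostics on a token we just received, not token validation.
    public static IDictionary<string, string> ReadPayloadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("not a JWT");
        string json = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
        var claims = new Dictionary<string, string>();
        using (JsonDocument doc = JsonDocument.Parse(json))
        {
            foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            {
                claims[p.Name] = p.Value.ValueKind == JsonValueKind.String
                    ? p.Value.GetString()
                    : p.Value.GetRawText();
            }
        }
        return claims;
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string padded = s.Replace('-', '+').Replace('_', '/');
        switch (padded.Length % 4)
        {
            case 2: padded += "=="; break;
            case 3: padded += "="; break;
        }
        return Convert.FromBase64String(padded);
    }

    private static X509Certificate2 LoadCertificate(string subjectName)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("certificate not found: " + subjectName);
            return matches[0];
        }
    }
}
```

Calling `TokenVersionCheck.GetTokenAsync()` from the WCF service in place of a per-call `Build()` gives a log line per acquisition; if the v1.0 tokens line up with `TokenSource=Cache`, the cached entry is the thing to inspect, and if they line up with `TokenSource=IdentityProvider`, the resource registration's accepted token version is where to look.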
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response