
[Bug] Requesting access token with different resource ids showing multiple login screens. #4891

Open
v-npadhy opened this issue Aug 13, 2024 · 9 comments


@v-npadhy

Library version used

4.61.3

.NET version

MAUI with .NET8

Scenario

PublicClient - mobile app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

The app is developed in MAUI and uses the Microsoft.Identity.Client (4.61.3) NuGet package. The first time, during login, I pass a resource ID, e.g. resource_Id1. The app launches MSAL authentication, and MSAL prompts the system browser to enter login and password (interactive mode).

After login, to get access to a resource we pass a different resource ID, e.g. resource_Id2, to MSAL authentication. This time too I get the system browser to enter login and password again (interactive mode).

Is this expected behaviour, or is there an issue with the code?

I want the first authentication with resource_Id1 to be interactive, and then the second authentication with resource_id2 to be silent.

Relevant code snippets

No response

Expected behavior

I want the first authentication with resource_Id1 to be interactive, and then the second authentication with resource_id2 to be silent.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@v-npadhy v-npadhy added needs attention Delete label after triage untriaged Do not delete. Needed for Automation labels Aug 13, 2024
@iulico-1
Contributor

iulico-1 commented Sep 3, 2024

@v-npadhy, can you please share your code and a screenshot of the prompt you are seeing when accessing resource_id2?

@bgavrilMS
Member

bgavrilMS commented Sep 3, 2024

Have a look at WithExtraScopesToConsentTo for combined consent for multiple resources. However, note that it might not work with WAM.

https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/acquiring-tokens-interactively#withextrascopestoconsent

The flow is:

  1. Try AcquireTokenSilent(R1) - it will fail the first time because the cache is empty.
  2. AcquireTokenInteractive(R1).WithExtraScopesToConsentTo(R2) -> displays combined consent for R1+R2 and gives you a token for R1 (and a refresh token, which MSAL manages).
  3. AcquireTokenSilent(R2) should now give you a token for R2 without a prompt (internally MSAL uses the refresh token for this).
  4. Any subsequent logins will also be silent, because of the refresh token in the cache.

@iulico-1 - I believe WAM supports combined consent, but I don't think we ever wired it up.
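The four-step flow above, written out against the MSAL.NET public-client API, as an added example that is not code from the issue thread or from the MSAL.NET project. The client ID, the two resource URIs and the `parentWindow` handle are placeholders; the MSAL calls themselves (`GetAccountsAsync`, `AcquireTokenSilent`, `AcquireTokenInteractive`, `WithExtraScopesToConsent`) are the library's real methods. The security-relevant point is that only one interactive prompt is shown per account, and every later token, including the one for the second resource, comes from the cached refresh token rather than from re-entering credentials.

```csharp
// Added example, not from the issue thread. Placeholders: the client ID, both
// resource URIs, and `parentWindow` (whatever WithParentActivityOrWindow takes on your platform).
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class CombinedConsentFlow
{
    // R1 is the resource needed right now; R2 is consented to up front so that a
    // later request for it can be served silently from the cache.
    private static readonly string[] ScopesR1 = { "https://resource1.example/.default" }; // placeholder
    private static readonly string[] ScopesR2 = { "https://resource2.example/.default" }; // placeholder

    public static IPublicClientApplication BuildClient(string redirectUri) =>
        PublicClientApplicationBuilder
            .Create("CLIENT_ID_PLACEHOLDER")                       // placeholder, not a real app ID
            .WithAuthority(AzureCloudInstance.AzurePublic, "common")
            .WithRedirectUri(redirectUri)
            .Build();

    public static async Task<(AuthenticationResult ForR1, AuthenticationResult ForR2)> AcquireBothAsync(
        IPublicClientApplication pca, object parentWindow)
    {
        // Step 1: silent attempt for R1. With an empty cache there is no account yet, and
        // AcquireTokenSilent throws MsalUiRequiredException, which is the signal to prompt.
        IAccount account = (await pca.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();

        AuthenticationResult r1;
        try
        {
            r1 = await pca.AcquireTokenSilent(ScopesR1, account)
                          .ExecuteAsync()
                          .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException)
        {
            // Step 2: a single interactive prompt that asks consent for R1 and R2 together.
            // The access token returned is for R1; MSAL caches the refresh token, which
            // is what makes the later request for R2 silent.
            r1 = await pca.AcquireTokenInteractive(ScopesR1)
                          .WithExtraScopesToConsent(ScopesR2)
                          .WithUseEmbeddedWebView(false)           // system browser, as in the reporter's code
                          .WithParentActivityOrWindow(parentWindow)
                          .ExecuteAsync()
                          .ConfigureAwait(false);
        }

        // Step 3: token for R2 without a prompt. Consent was already granted, so MSAL
        // redeems the cached refresh token for the second resource.
        AuthenticationResult r2 = await pca.AcquireTokenSilent(ScopesR2, r1.Account)
                                           .ExecuteAsync()
                                           .ConfigureAwait(false);

        // Step 4 is implicit: on the next launch GetAccountsAsync returns the account and
        // the silent call in step 1 succeeds, so the interactive branch is never entered.
        return (r1, r2);
    }
}
```

Two caveats that follow from the thread itself: the combined-consent step only applies when MSAL drives the system browser or embedded web view itself, because (as noted later in this issue) MSAL.runtime/WAM does not support combined consent, so a brokered configuration must prompt once per resource; and an `MsalUiRequiredException` on the step 3 silent call means consent for R2 was not actually granted (for example the user declined, or the admin requires consent per resource), in which case falling back to `AcquireTokenInteractive(ScopesR2)` is the correct recovery rather than retrying silently in a loop.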

@v-npadhy
Author

v-npadhy commented Sep 4, 2024

```csharp
var authResult = await _pca.AcquireTokenInteractive(new string[] { "https://aadrm.com/.default" })
    .WithExtraScopesToConsent(new string[] { "https://msmamservice.api.application/.default" })
    .WithUseEmbeddedWebView(false)          // use the system browser rather than an embedded web view
    .WithParentActivityOrWindow(activity)   // MAUI/Android activity hosting the prompt
    .ExecuteAsync().ConfigureAwait(false);
tcs.TrySetResult(authResult);               // hand the result back to the awaiting caller
```

Getting the error below:

[image attachment: screenshot of the error]

@v-npadhy
Author

v-npadhy commented Sep 9, 2024

@bgavrilMS Could you please check this?

@bgavrilMS
Member

Please reach out to the service, I don't know what this error means.

@v-npadhy
Author

v-npadhy commented Sep 9, 2024

@iulico-1 Could you please check this issue?

@iulico-1
Contributor

iulico-1 commented Sep 9, 2024

MSAL.runtime currently doesn't support combined consent. This would be a feature ask. For now, please request tokens interactively for each necessary scope.

@bgavrilMS bgavrilMS added question answered and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Sep 10, 2024
@v-npadhy
Author

Hi @iulico-1, is there any roadmap to include this feature?

@iulico-1
Contributor

This feature is currently not scheduled for execution, but we can add it to our backlog and prioritize it based on all other asks we get.
