Unobsolete GetAccountsAsync #4976

Open
wants to merge 2 commits into
base: main

neha-bhargava
Contributor

Fixes #

Changes proposed in this request
Remove the obsolete attribute from the GetAccountsAsync method in the IConfidentialClientApplication interface to make it available for ROPC silent flow in Id.Web.

Testing

Performance impact

Documentation

  • All relevant documentation is updated.

@neha-bhargava neha-bhargava requested a review from a team as a code owner October 23, 2024 22:09
@gladjohn
Contributor

/azp run

Azure Pipelines successfully started running 1 pipeline(s).

@bgavrilMS
Member

@jmprieur and @localden - can you pls provide a perspective on this? GetAccounts is still used safely in all other MSALs in both web app and ROPC scenarios.

@@ -96,8 +96,6 @@ AcquireTokenByAuthorizationCodeParameterBuilder AcquireTokenByAuthorizationCode(
/// <summary>
/// Use <see cref="IClientApplicationBase.GetAccountAsync(string)"/> in web apps and web APIs, and use a token cache serializer for better security and performance. See https://aka.ms/msal-net-cca-token-cache-serialization.
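
Review bot: the `<summary>` kept as context in this hunk still only tells callers to use `IClientApplicationBase.GetAccountAsync(string)` and a token cache serializer, which reads as deprecation guidance rather than a description of the method being documented. Since the hunk only shrinks (8 lines to 6 in the header), consider rewording the summary to say what the method returns and adding a `<remarks>` element that states the scenario it is intended for (the PR description names the ROPC silent flow), so that the usage guidance lives in the documentation once the attribute is gone.
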
Member

Pls add a remark that this is only for use with ROPC

Contributor

we have no way to enforce that it's only used for ROPC in CCA, though
Are we sure that the cache is always partitioned?

Contributor Author

AFAIK the cache is always partitioned.

Member

It is partitioned. But please add a unit test (or update the integration test) @neha-bhargava, where you show that TokenCacheNotificationArgs has the correct SuggestedCacheKey.

Member

@neha-bhargava and I had a chat and concluded that AcquireTokenForUsernamePassword is partitioned, but GetAccounts() is not partitioned (and can't really be partitioned).

From MSAL perspective, we can ask ppl to use GetAccount(id).
For Id.Web, this gets a bit tricky.

Contributor

How would that work in MSAL? Where do they get the id from? (Assuming this is tid.oid?)

Contributor

Proposing that CCA.AcquireTokenByUserPassword first checks the cache, and if not found or error, goes to ESTS.
Like OBO does.

@localden
Collaborator

@bgavrilMS @neha-bhargava - given that this is only for ROPC in CCA, no concerns on my part. This will effectively just list out the accounts in the cache?

@neha-bhargava
Contributor Author

> @bgavrilMS @neha-bhargava - given that this is only for ROPC in CCA, no concerns on my part. This will effectively just list out the accounts in the cache?

Yes, this will list the accounts in the cache. Only recommended for ROPC.

Member

@bgavrilMS bgavrilMS left a comment

We decided against it.
