Microsoft.Identity.Client.MsalUiRequiredException on GetAccessTokenForUserAsync

[TimDol64]

I have a Blazor Server app unsing PnP Core.
My component has
@attribute [Authorize]
On first launch, a popup screen displays where I can login.
My code runs succesfully.
When I run the same app some time later, no login popup shows, and my call to GetContextAsync() fails.

Contents of my log:

2022-03-14 05:49:26.715 +00:00 [Error] Microsoft.Identity.Web.TokenAcquisition: False MSAL 4.41.0.0 MSAL.NetCore .NET 6.0.1 Microsoft Windows 10.0.14393 [2022-03-14 05:49:26Z - 92108b68-54ea-48b1-8d43-a6f7a2fc54d7] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: user_null
HTTP StatusCode 0
CorrelationId 

   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Code for my PnPCoreService.cs:

using Microsoft.Extensions.Options;
using Microsoft.Identity.Web;
using PnP.Core.Auth;
using PnP.Core.Services;
using PnP.Core.Services.Builder.Configuration;
using Microsoft.AspNetCore.Components;

namespace HuisstijlServer.Services
{
    public interface IPnPCoreService
    {
        public Task<PnPContext> GetContextAsync();
    }

    public class PnPCoreService : IPnPCoreService
    {
        private readonly PnPCoreOptions _pnpCoreOptions;
        private readonly IPnPContextFactory _pnpContextFactory;
        private readonly ITokenAcquisition _tokenAcquisition;

        public PnPCoreService(IOptions<PnPCoreOptions> pnpCoreOptions, IPnPContextFactory pnpContextFactory, ITokenAcquisition tokenAcquisition)
        {
            _pnpCoreOptions = pnpCoreOptions.Value;
            _pnpContextFactory = pnpContextFactory;
            _tokenAcquisition = tokenAcquisition;
        }

        public async Task<PnPContext> GetContextAsync()
        {
            var siteUrl = new Uri(_pnpCoreOptions.Sites["DemoSite"].SiteUrl);
                return await _pnpContextFactory.CreateAsync(siteUrl,
                                new ExternalAuthenticationProvider((resourceUri, scopes) =>
                                {
                                    return _tokenAcquisition.GetAccessTokenForUserAsync(scopes).GetAwaiter().GetResult();
                                }
                                ));

        }
    }
}

Configuration of PnPCore in Program.cs:

builder.Services.AddPnPCore();
builder.Services.Configure<PnPCoreOptions>(config.GetSection("PnPCore"));
builder.Services.AddPnPCoreAuthentication();
builder.Services.Configure<PnPCoreAuthenticationOptions>(config.GetSection("PnPCore"));
builder.Services.AddScoped<IPnPCoreService, PnPCoreService>();

Probably I have a configuration error, but I don't see where. Any help would be appreciated.

[jansenbe]

@TimDol64 : not sure what goes wrong, I assume your app has all the needed permissions and you did grant them? A fiddler trace capturing the error might also reveal more details about why the request fails.

[TimDol64]

Thanks for the response. I'll try that as soon as I have time to work on this project. Have some deadlines on paid jobs first...

[TimDol64]

@jansenbe There was no change in needed permissions. I am still not up to speed will Microsoft Identity, but it seems that the token in the ITokenAcquisitionCache cache gets invalid after an hour.
I tried to validate this assumption by just calling

using (var ctx = await pnPCoreService.GetContextAsync())
{
    // Just try to create the context
}

in the OnInitialized() override on my page. After > 1 hour of inactivity, I would get the error when I reloaded the component.

I tried to implement an MicrosoftIdentityConsentAndConditionalAccessHandler in the calling page, but ConsentHandler.HandleException(msalException); resulted in a 'There is nothing at this address' message.

So, I ended up adding a _tokenExpiration timestamp to my PnPCoreService class, and adding a TokenAcquisitionOptions { ForceRefresh = true } parameter to the _tokenAcquisition.GetAccessTokenForUserAsync call, which - so far - seems to work for me:

    public class PnPCoreService : IPnPCoreService
    {
        private readonly PnPCoreOptions _pnpCoreOptions;
        private readonly IPnPContextFactory _pnpContextFactory;
        private readonly ITokenAcquisition _tokenAcquisition;
        private DateTime? _tokenExpiration;

        public PnPCoreService(IOptions<PnPCoreOptions> pnpCoreOptions, IPnPContextFactory pnpContextFactory, ITokenAcquisition tokenAcquisition)
        {
            _pnpCoreOptions = pnpCoreOptions.Value;
            _pnpContextFactory = pnpContextFactory;
            _tokenAcquisition = tokenAcquisition;
        }

    public async Task<PnPContext> GetContextAsync()
        {
            var siteUrl = new Uri(_pnpCoreOptions.Sites["Test"].SiteUrl);
            {
                try
                {
                    if (_tokenExpiration == null ||
                        DateTime.Now.Subtract(new TimeSpan(0, 58,0)) < DateTime.Now)
                    {
                        _tokenExpiration = DateTime.Now;
                        return await _pnpContextFactory.CreateAsync(siteUrl,
                            new ExternalAuthenticationProvider((resourceUri, scopes) =>
                            {
                                return _tokenAcquisition.GetAccessTokenForUserAsync(scopes, null, null, null, new TokenAcquisitionOptions { ForceRefresh = true }).GetAwaiter().GetResult();
                            }
                            ));
                    }
                    else
                    {
                        _tokenExpiration = DateTime.Now;
                        return await _pnpContextFactory.CreateAsync(siteUrl,
                            new ExternalAuthenticationProvider((resourceUri, scopes) =>
                            {
                                return _tokenAcquisition.GetAccessTokenForUserAsync(scopes).GetAwaiter().GetResult();
                            }
                            ));
                    }
                }
                catch (Exception ex)
                {
                    throw; // handle in component
                }
            }
        }

[jansenbe]

Good solution for the problem @TimDol64. You can also opt to create and dispose a PnPContext whenever you need it although this has a slight performance overhead as 2 server calls are made during initialization of the context