
[Bug] CIAM CUD fails to populate IAccount TenantProfiles property when using WithOidcAuthority about microsoft-authentication-library-for-dotnet HOT 6 CLOSED

OmnipotentOwl commented on August 22, 2024
[Bug] CIAM CUD fails to populate IAccount TenantProfiles property when using WithOidcAuthority

from microsoft-authentication-library-for-dotnet.

Comments (6)

bgavrilMS commented on August 22, 2024

Tenant profiles are just parsed ID tokens.

In a work and school environment, you can have your home account in tenant A and be invited to tenant B. If you log in to an app with both account A and account B, there will be 2 tenant profiles, corresponding to the 2 id tokens in the cache. Note that MSAL doesn't discover all tenants where your account is a guest; it's strictly based on Id tokens.

Afaik this is not supported in the CIAM world - i.e. you can invite work and school accounts as guests in the CIAM tenant, but that's about it. So there would always be a single tenant profile - i.e. 1 id token per user. And you can access that IdToken directly, or parsed in the ClaimsPrincipal, via the properties of AuthenticationResult.


OmnipotentOwl commented on August 22, 2024

My scenario is the member account type for home users of the CIAM tenant. The parsing of the ClaimsPrincipal works only on the first request to the IDP, because afterward, if I need to get information from the Id token, it isn't accessible from IAccount out of the token cache: because the Authority isn't declared as CanBeTenanted, the ability to get any Id token out of the token cache to parse for properties of the user is blocked. Reaching into the token cache to get the current user works offline, whereas attempting to send a request to ESTS would fail if there is no connection. This type of scenario can occur if the user opens the app on their mobile device without connectivity, during which any parsing of user properties that would normally happen to get the user's permissions would need a durable location to pull from, such as the token cache.


bgavrilMS commented on August 22, 2024

So you are interested in a mobile app. With a public client, we expect you to call AcquireTokenSilent. This may or may not go to the network, i.e. if a valid access token is in the cache, MSAL will return it without going to the STS. AcquireTokenSilent returns an AuthenticationResult, which has the id token (raw and parsed in ClaimsPrincipal).

Did you expect to see token profiles via GetAccounts?


OmnipotentOwl commented on August 22, 2024

Yes, I would expect to be able to access that via GetAccounts, because the points in the application where I would be checking for the user properties are not tied to a particular scope that would be used in a call to AcquireTokenSilent. Additionally, if access tokens are only valid for 1 hour but the user opens their app the next day and is offline, then I would still want to be able to know who the user is and what they are permissioned to do inside the app, even when offline, using cached data.

Sample Code:

IAccount currentAccount = (await pca.GetAccountsAsync()).FirstOrDefault();
// This works with B2C in all cases, and with CIAM when not using custom domains, per the authority configurations described above.
IEnumerable<TenantProfile> tenantProfiles = currentAccount.GetTenantProfiles();
var profile = tenantProfiles.FirstOrDefault();
List<Claim> parsedClaims = MyClaimsMapper.ParseClaims(profile?.ClaimsPrincipal?.Claims);
// ...do stuff with the processed claims...


bgavrilMS commented on August 22, 2024

The current workaround is to call AcquireTokenSilent. You can use no scopes to ensure a token cache hit.

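One way to apply the workaround above in an MSAL.NET public client, as an added example that is not from the thread or from MSAL.NET itself: AcquireTokenSilent is called with no scopes so the request can be served from the token cache, and the id-token claims are read from the AuthenticationResult; the ClientId and authority values are placeholders, and the GetTenantProfiles fallback is the path the thread reports as empty for CIAM with WithOidcAuthority.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. ClientId and OidcAuthority are placeholders
// to be replaced with the values from the app registration.
public static class CachedIdentity
{
    private const string ClientId = "<client-id-placeholder>";
    private const string OidcAuthority = "https://login.example-placeholder.com/<tenant-id-placeholder>/v2.0";

    public static IPublicClientApplication BuildClient() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithOidcAuthority(OidcAuthority)
            .Build();

    // Returns the id-token claims for the first cached account without requiring a
    // specific resource scope: AcquireTokenSilent with an empty scope list, per the
    // workaround in the thread, so MSAL can answer from the cache when it holds a valid token.
    public static async Task<IReadOnlyList<Claim>> GetCachedClaimsAsync(IPublicClientApplication pca)
    {
        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        if (account == null)
            return Array.Empty<Claim>(); // nobody is signed in; the caller must run an interactive sign-in

        try
        {
            AuthenticationResult result = await pca
                .AcquireTokenSilent(Array.Empty<string>(), account)
                .ExecuteAsync();
            // ClaimsPrincipal is the parsed id token; IdToken holds the raw JWT if needed.
            return result.ClaimsPrincipal?.Claims.ToList() ?? new List<Claim>();
        }
        catch (MsalUiRequiredException)
        {
            // The cache cannot satisfy the request (expired or missing refresh token),
            // so an interactive sign-in is required. As a last resort, read whatever tenant
            // profile is still cached; the thread reports this as empty for CIAM custom-domain
            // authorities configured with WithOidcAuthority.
            TenantProfile profile = account.GetTenantProfiles()?.FirstOrDefault();
            return profile?.ClaimsPrincipal?.Claims.ToList() ?? new List<Claim>();
        }
    }
}
```

Any claim-based permission decision made from the cached result should key off stable identifiers in the id token (for example the object id) rather than display attributes, since the cached values are only as fresh as the last successful token acquisition.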

iulico-1 commented on August 22, 2024

Closing, as a workaround exists and the reported problem is not supported by CIAM.

