Accessing the logged-in user's token cache from background apps, APIs and services

These ASP.Net Core samples show how background apps, APIs and services can access the MSAL's access token cache and continue to act on-behalf of users in their absence.

The MSAL.NET and the Microsoft.Identity.Web libraries provide various mechanisms for apps that authenticate users with the Microsoft Identity Platform to cache Access Tokens for various resources like Microsoft Graph to a distributed token cache implementations like Sql Server or Redis.

This tutorial explains how by sharing the same app registration in Azure Portal (sharing the same client Id), background processes and services can still continue to work on behalf of the user after the user has exited the frontend web app.

Today, most background processes that need to work with user's data without them being present to authenticate or re-authenticate make use of Application Permissions which often require an admin consent. This requires an elevation of privilege and is often an unnecessary hassle as the developer originally did not intend to obtain a permission over what a user consents to their app.

Contents

Setup

Step 1

Using a command line interface such as VS Code integrated terminal, clone or download this repository:

git clone https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache.git

⚠️ Given that the name of the sample is quite long, and so are the names of the referenced NuGet packages, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows.

Step 2

Navigate to the Sharing the MSAL token cache between a web app and a background console worker app tutorial where we'll learn about how to share the token cache between a Web App that signs-in users and a background console worker process.

or

Navigate to the Share the MSAL token cache between a web app, its web API and a background console worker app tutorial where we'll learn about how to share the token cache between a Web App that signs-in users, its backed Web API and a background console worker process.

More information

For more information, visit the following links:

• Articles about the Microsoft identity platform
• Learn about Microsoft.Identity.Web
• Learn how to enable distributed caches in token cache serialization
• Use HttpClientFactory to implement resilient HTTP requests used by the Graph custom service

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [msal dotnet azure-active-directory].

If you find a bug in the sample, please raise the issue on GitHub Issues.

To provide a recommendation, visit the following User Voice page.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments