Cowborg

Reputation: 2871

Authentication to an Azure AD (OAuth 2.0) WebAPI from a WPF desktop app on .NET Core

We are creating a desktop application using WPF on .NET Core 3.1.

I'm trying to connect to a web API with Azure AD authentication, by following, for example, this guide. However, the sample project (which works OK) is written in WPF on .NET Framework.

There is a client part and a server (web API) part. Since the client is a desktop application, you should register the API part (Azure --> AD --> App registrations ...) with a reply URL of "https://login.microsoftonline.com/common/oauth2/nativeclient".

I initialize my PublicClientApplicationBuilder with

    // Public client (desktop app): no client secret, reply URL as registered in the portal
    var app = PublicClientApplicationBuilder
        .Create(ClientIdPorterApplication)
        .WithAuthority(authority)
        .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
        .Build();

and when running app.AcquireTokenInteractive(...) I get the error message:

Only loopback redirect uri is supported, but https://login.microsoftonline.com/common/oauth2/nativeclient was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details

(this address works well in the example, but again, that one is written on .NET FW)

So, just for fun, I changed the replyUrl (both in the initialization above and in the Azure Portal app registration) to "http://localhost:1234". The user gets the "choose account" dialog in a web browser, and after selecting account [email protected] the message below is displayed:

Authentication complete. You can return to the application. Feel free to close this browser tab.

Yeay!, right? ...not quite. In the code I still get the exception, with the error message:

{"A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: 7b0f6384-64eb-422c-a996-cadaa52f1f00\r\nCorrelation ID: 0c579b5b-e706-4625-96da-fbf03e5a21f9\r\nTimestamp: 2020-04-23 12:14:59Z"}

Any clues? I read somewhere in a googling frenzy that this is not possible in a WPF on .NET Core scenario. I'm sure there must be a solution.

EDIT: In my final browser window (with the message "Authentication complete..."), the URL in the address bar has a query string param code=

Upvotes: 3

Views: 7507

Answers (1)

Cowborg

Reputation: 2871

I can only accept my own answer tomorrow; if I forget, this is the answer.

This is what worked for me: the just-for-fun settings are the way to go:

    // Loopback redirect URI: MSAL starts a listener on this port during the interactive flow
    var app = PublicClientApplicationBuilder
        .Create(ClientIdPorterApplication)
        .WithAuthority(authority)
        .WithRedirectUri("http://localhost:1234")
        .Build();

(could be any port, but it must not be used by anything else). ...

    // Opens the browser, lets the user sign in, and exchanges the returned code for tokens
    var result = await app.AcquireTokenInteractive(scopes)
        .WithAuthority(authority)
        .ExecuteAsync()
        .ConfigureAwait(false);

    // Send the access token as a bearer token on every call to the web API
    _httpClient.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", result.AccessToken);

MSAL will listen on this port and get the token from the browser in a magical way.

In Azure there are two app registrations: client (my desktop app) and server (web API).

  • Server: just follow the guide in the original question
  • Client (plus guide): in the Azure Portal -> AAD -> App registration page -> Authentication:
    • "Treat application as a public client." should be "Yes"
    • [Add a platform] -> Mobile and desktop, add your reply URL here (mine is http://localhost:1234 above)

Upvotes: 2
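The same loopback flow put together end to end, as an added example that is not code from the question or the answer: it tries the token cache silently before prompting, and surfaces the AADSTS7000218 case from the question (the token endpoint asking for a client_secret) as a registration problem rather than a sign-in failure. The placeholder client ID, tenant, the PorterAuth class and its method names are my assumptions; port 1234 and the portal settings are the answer's.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
// Added example, not the question's or answer's code. Assumes the client registration has
// "Treat application as a public client" = Yes and lists the loopback URI under "Mobile and desktop".
public static class PorterAuth
{
    // Placeholders: take these from your own app registration.
    const string ClientIdPorterApplication = "<client-id-from-app-registration>";
    const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    const string RedirectUri = "http://localhost:1234"; // loopback; the nativeclient URL is rejected on .NET Core

    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientIdPorterApplication)
        .WithAuthority(Authority)
        .WithRedirectUri(RedirectUri)
        .Build();

    public static async Task<AuthenticationResult> AcquireAsync(string[] scopes)
    {
        try
        {
            var account = (await App.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();
            try
            {
                // Reuse a cached (or refreshed) token so the user is not prompted on every call.
                return await App.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);
            }
            catch (MsalUiRequiredException)
            {
                // Nothing usable cached: MSAL opens the system browser and listens on port 1234.
                return await App.AcquireTokenInteractive(scopes)
                                .WithUseEmbeddedWebView(false)
                                .ExecuteAsync().ConfigureAwait(false);
            }
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS7000218"))
        {
            // The token endpoint demanded client_secret: the registration is still treated as confidential.
            throw new InvalidOperationException("Set 'Treat application as a public client' to Yes.", ex);
        }
    }

    public static async Task AttachBearerAsync(HttpClient http, string[] scopes)
    {
        var result = await AcquireAsync(scopes).ConfigureAwait(false);
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    }
}
```

Call AttachBearerAsync(httpClient, new[] { "api://<server-app-id>/.default" }) (placeholder scope) once before talking to the web API; the silent path keeps the interactive browser prompt to the first call per session.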
