IcyBrk

Reputation: 1270

Can OperatingSystemAccount Get User Account

While learning the MSAL library, I came across some code that uses PublicClientApplication.OperatingSystemAccount to get an access token, as shown here:

// Needs the Microsoft.Identity.Client NuGet package; WithBrokerPreview comes from
// the Microsoft.Identity.Client.Broker package.
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

var publicAppBuilder = PublicClientApplicationBuilder
    .Create(appClientId)
    .WithParentActivityOrWindow(consoleWindowHandleProvider)
    .WithAuthority(authorityUri)
    .WithBrokerPreview(true)
    .WithDefaultRedirectUri()
    .Build();

// Ask for a token for the OS-signed-in user without showing any UI.
var result = publicAppBuilder.AcquireTokenSilent(scope, PublicClientApplication.OperatingSystemAccount)
    .ExecuteAsync().GetAwaiter().GetResult();

The PublicClientApplication documentation also describes OperatingSystemAccount as:

A special account value that indicates that the current operating system account should be used to log the user in.

I think the MSAL library code can get the user account from OperatingSystemAccount, and then use that user account to get the user's access token from Azure AD. Is my reasoning correct?

Upvotes: 0

Views: 49

Answers (1)

Rukmini

Reputation: 16054

Yes, when you use OperatingSystemAccount in your code, MSAL will try to acquire an access token for the currently logged-in user (from the operating system) and use that to authenticate against Azure AD.

  • The user's credentials, though not explicitly entered, are implicitly used by leveraging the OS authentication mechanism.
  • You can decode the token in jwt.ms and check the user details.

// Needs the Microsoft.Identity.Client NuGet package; WithBrokerPreview comes from
// the Microsoft.Identity.Client.Broker package.
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

var publicAppBuilder = PublicClientApplicationBuilder
    .Create(appClientId)
    .WithParentActivityOrWindow(consoleWindowHandleProvider)
    .WithAuthority(authorityUri)
    .WithBrokerPreview(true)
    .WithDefaultRedirectUri()
    .Build();

// Ask for a token for the OS-signed-in user without showing any UI.
var result = publicAppBuilder.AcquireTokenSilent(scope, PublicClientApplication.OperatingSystemAccount)
    .ExecuteAsync().GetAwaiter().GetResult();

  • The AcquireTokenSilent method is trying to acquire an access token silently using the currently logged-in operating system account. If successful, the access token is returned.

How does MSAL get the user credential from that account? What are the implementation details, roughly?

OperatingSystemAccount is not a special user account on your local machine. It’s a special identifier used within MSAL to indicate that the authentication should happen using the current operating system user’s account (the user who is currently logged into the machine).

  • MSAL first attempts to retrieve an access token silently using cached credentials or session information from the OS. If valid, it returns the token; otherwise, it falls back to other authentication methods.
  • MSAL first checks the cache for any valid tokens associated with the OperatingSystemAccount.
  • OperatingSystemAccount is not a special local account, but a reference to the authenticated OS user.

Upvotes: 0
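The following is an added example written for this page; it is not code from the question or from Rukmini's answer, and not part of MSAL itself. It shows the silent-first flow the answer describes (token cache, then the broker's OS sign-in session) with the fallback MSAL expects when nothing usable is found, and then inspects what actually came back: which account the broker signed in, whether the token came from the cache, the broker or Azure AD, and a few ID token claims decoded locally (the offline equivalent of pasting the token into jwt.ms). It assumes the Microsoft.Identity.Client and Microsoft.Identity.Client.Broker NuGet packages and a Windows machine with the broker available; AppClientId, AuthorityUri and Scope are placeholder values.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

// Added example (not from the question or the answer). Assumes the
// Microsoft.Identity.Client and Microsoft.Identity.Client.Broker packages.
static class OsAccountTokenDemo
{
    const string AppClientId = "00000000-0000-0000-0000-000000000000"; // placeholder app registration id
    const string AuthorityUri = "https://login.microsoftonline.com/organizations"; // placeholder authority
    static readonly string[] Scope = { "User.Read" }; // placeholder scope

    // Console window handle for the broker's parent window (Win32 API via P/Invoke).
    [DllImport("kernel32.dll")]
    static extern IntPtr GetConsoleWindow();

    // Silent first: MSAL checks its token cache, then asks the broker for the
    // OS-signed-in work/school account. Only a MsalUiRequiredException means
    // neither worked and the user must be prompted.
    public static async Task<AuthenticationResult> AcquireWithOsAccountAsync(
        IPublicClientApplication app, IEnumerable<string> scope)
    {
        try
        {
            return await app.AcquireTokenSilent(scope, PublicClientApplication.OperatingSystemAccount)
                            .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Typical causes: no cached token and no broker-held session for the
            // scope, missing consent, or a Conditional Access policy needing interaction.
            Console.WriteLine($"Silent acquisition failed ({ex.ErrorCode}); prompting the user.");
            return await app.AcquireTokenInteractive(scope).ExecuteAsync();
        }
    }

    // Decode selected claims from the ID token payload for local inspection.
    // This does NOT check the signature; it is for looking, not for validating.
    public static Dictionary<string, string> PeekIdTokenClaims(string idToken, params string[] claimNames)
    {
        // JWS compact form: header.payload.signature, base64url without padding.
        string payload = idToken.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));

        var found = new Dictionary<string, string>();
        foreach (string name in claimNames)
        {
            if (doc.RootElement.TryGetProperty(name, out JsonElement value))
                found[name] = value.ToString();
        }
        return found;
    }

    static async Task Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(AppClientId)
            .WithAuthority(AuthorityUri)
            .WithParentActivityOrWindow(() => GetConsoleWindow())
            .WithBrokerPreview(true)
            .WithDefaultRedirectUri()
            .Build();

        AuthenticationResult result = await AcquireWithOsAccountAsync(app, Scope);

        // Which account did the broker resolve OperatingSystemAccount to, and
        // did the token come from the cache, the broker, or Azure AD directly?
        Console.WriteLine($"Account:      {result.Account.Username}");
        Console.WriteLine($"Tenant:       {result.TenantId}");
        Console.WriteLine($"Token source: {result.AuthenticationResultMetadata.TokenSource}");
        Console.WriteLine($"Expires (UTC): {result.ExpiresOn:u}");

        foreach (KeyValuePair<string, string> claim in
                 PeekIdTokenClaims(result.IdToken, "preferred_username", "oid", "tid"))
        {
            Console.WriteLine($"{claim.Key} = {claim.Value}");
        }
    }
}
```

Two points worth noting when running this. TokenSource tells you whether the silent call was satisfied from MSAL's own cache or had to go through the broker, which is the cache-then-OS-session order the answer lists. The claims are read from the ID token rather than the access token: an access token issued for another API (Microsoft Graph, for example) is meant for that API and should be treated as opaque by the client, whereas the ID token is addressed to your application and is the right place to see who the OS account resolved to.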
