public async Task ATI_WithPicker_MsaPt_Async()
{
string homeAccId = $"{TestConstants.Uid}.{TestConstants.Utid}";
// Arrange
using (var harness = CreateTestHarness())
{
var requestParams = harness.CreateAuthenticationRequestParameters(
TestConstants.AuthorityHomeTenant); // AAD authorities for whi
// msa-pt scenario
requestParams.AppConfig.IsMsaPassthrough = true;
var accountPicker = Substitute.For <IAccountPicker>();
_accountPickerFactory.Create(Arg.Any <IntPtr>(), null, null, null, false).ReturnsForAnyArgs(accountPicker);
var msaProvider = new WebAccountProvider("msa", "*****@*****.**", null);
accountPicker.DetermineAccountInteractivelyAsync().Returns(Task.FromResult(msaProvider));
// AAD plugin + consumer provider = Guest MSA-PT scenario
_webAccountProviderFactory.IsConsumerProvider(msaProvider).Returns(true);
_msaPassthroughHandler.TryFetchTransferTokenAsync(requestParams, msaProvider)
.Returns(Task.FromResult("transfer_token"));
var aadProvider = new WebAccountProvider("aad", "*****@*****.**", null);
_webAccountProviderFactory.GetAccountProviderAsync("home").Returns(aadProvider);
// make sure the final request is done with the AAD provider
var webTokenRequest = new WebTokenRequest(aadProvider);
_aadPlugin.CreateWebTokenRequestAsync(
aadProvider,
requestParams,
isForceLoginPrompt: false,
isInteractive: true,
isAccountInWam: false)
.Returns(Task.FromResult(webTokenRequest));
var webTokenResponseWrapper = Substitute.For <IWebTokenRequestResultWrapper>();
webTokenResponseWrapper.ResponseStatus.Returns(WebTokenRequestStatus.Success);
var webTokenResponse = new WebTokenResponse();
webTokenResponseWrapper.ResponseData.Returns(new List <WebTokenResponse>()
{
webTokenResponse
});
_wamProxy.RequestTokenForWindowAsync(Arg.Any <IntPtr>(), webTokenRequest).
Returns(Task.FromResult(webTokenResponseWrapper));
_aadPlugin.ParseSuccessfullWamResponse(webTokenResponse, out _).Returns(_msalTokenResponse);
var atiParams = new AcquireTokenInteractiveParameters();
// Act
var result = await _wamBroker.AcquireTokenInteractiveAsync(requestParams, atiParams)
.ConfigureAwait(false);
// Assert
Assert.AreSame(_msalTokenResponse, result);
_msaPassthroughHandler.Received(1).AddTransferTokenToRequest(webTokenRequest, "transfer_token");
}
}
private async Task <MsalTokenResponse> AcquireInteractiveWithPickerAsync(
AuthenticationRequestParameters authenticationRequestParameters,
Prompt msalPrompt)
{
bool isMsaPassthrough = _wamOptions.MsaPassthrough;
var accountPicker = _accountPickerFactory.Create(
_parentHandle,
_logger,
_synchronizationContext,
authenticationRequestParameters.Authority,
isMsaPassthrough);
IWamPlugin wamPlugin;
WebTokenRequest webTokenRequest;
try
{
WebAccountProvider accountProvider = await
accountPicker.DetermineAccountInteractivelyAsync().ConfigureAwait(false);
if (accountProvider == null)
{
var errorMessage = "WAM Account Picker did not return an account.";
#if !WINDOWS_APP
if (WindowsNativeUtils.IsElevatedUser())
{
errorMessage = MsalErrorMessage.AuthenticationFailedWamElevatedProcess;
}
#endif
throw new MsalClientException(MsalError.AuthenticationCanceledError, errorMessage);
}
bool isConsumerTenant = _webAccountProviderFactory.IsConsumerProvider(accountProvider);
// WAM returns the tenant here, not the full authority
wamPlugin = (isConsumerTenant && !isMsaPassthrough) ? _msaPlugin : _aadPlugin;
string transferToken = null;
bool isForceLoginPrompt = false;
if (isConsumerTenant && isMsaPassthrough)
{
// Get a transfer token to avoid prompting the user twice
transferToken = await _msaPassthroughHandler.TryFetchTransferTokenAsync(
authenticationRequestParameters,
accountProvider).ConfigureAwait(false);
// If a TT cannot be obtained, force the interactive experience again
isForceLoginPrompt = string.IsNullOrEmpty(transferToken);
// For MSA-PT, the MSA provider will issue v1 token, which cannot be used.
// Only the AAD provider can issue a v2 token
accountProvider = await _webAccountProviderFactory.GetAccountProviderAsync(
authenticationRequestParameters.Authority.TenantId)
.ConfigureAwait(false);
}
webTokenRequest = await wamPlugin.CreateWebTokenRequestAsync(
accountProvider,
authenticationRequestParameters,
isForceLoginPrompt : isForceLoginPrompt,
isInteractive : true,
isAccountInWam : false)
.ConfigureAwait(true);
_msaPassthroughHandler.AddTransferTokenToRequest(webTokenRequest, transferToken);
WamAdapters.AddMsalParamsToRequest(authenticationRequestParameters, webTokenRequest, _logger);
AddPromptToRequest(msalPrompt, isForceLoginPrompt, webTokenRequest);
}
catch (Exception ex) when(!(ex is MsalException))
{
_logger.ErrorPii(ex);
throw new MsalServiceException(
MsalError.WamPickerError,
"Could not get the account provider - account picker. See inner exception for details", ex);
}
IWebTokenRequestResultWrapper wamResult;
try
{
wamResult = await _wamProxy.RequestTokenForWindowAsync(_parentHandle, webTokenRequest).ConfigureAwait(false);
}
catch (Exception ex)
{
_logger.ErrorPii(ex);
throw new MsalServiceException(
MsalError.WamPickerError,
"Could not get the result - account picker. See inner exception for details", ex);
}
return(WamAdapters.CreateMsalResponseFromWamResponse(
wamResult,
wamPlugin,
authenticationRequestParameters.AppConfig.ClientId,
_logger,
isInteractive: true));
}
