Azure AD B2C - .NET-Web app calling web api - No account or login hint was passed to the AcquireTokenSilent cal

Question

Hello All, We have configured web app and web api on Azure as per the sample code and instructions provided by Micosoft (https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi) What is the issue? When I am trying to access the token in web controller, I am getting the following error: "No account or login hint was passed to the AcquireTokenSilent call." Refer the following image where we can making a call to get the token.

Refer the following image where the method details are there.

The main issue is, account is coming as null. Refer the following image:-

We are not able to find where is the issue, why account is coming as null. So I did the following to ensure web api is configured properly:- Added one more redirect uri on Web Api on Azure (https://www.postman.com/oauth2/callback) for postman
Added all configuration in postman
Started the web api project locally
Manage to get access token
Able to hit one end point successfully to the web api(Get call)
Able one end point successfully to the web api (Post call)
So this test ensures that web api project is configured in Azure and working fine using Azure AD B2C Authentication. I did a similar test by running a userflow againts the web api project and I could see tokens getting generated (Not sure if this is a legitimate test) I have been reading the issue on internet.But not able to find an exact issue like this. Any pointers would be very hekpfull.
best regards

Answer 1

Hi @Siddartha Pal ,

Thanks for reaching out and apologies for the delay in response.

The error message "No account or login hint was passed to the AcquireTokenSilent call" indicates that the user is not authenticated, or the token cache is empty.

If you want to acquire a token silently, you need to ensure that the user is already authenticated and that the token cache is not empty. AcquireTokenSilent() attempts to acquire an access token for the account from the user token cache.

The recommended pattern is to call the AcquireTokenSilent method first and if it fails with a MsalUiRequiredException, then acquires a token interactively using AcquireTokenInteractive().

AuthenticationResult result = null;
try
{
     result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                       .ExecuteAsync();
}
catch (MsalUiRequiredException ex)
{
    // A MsalUiRequiredException happened on AcquireTokenSilent.
    // This indicates you need to call AcquireTokenInteractive to acquire a token
    Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");

    try
    {
        result = await app.AcquireTokenInteractive(scopes)
                          .ExecuteAsync();
    }
    catch (MsalException msalex)
    {
        ResultText.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
    }
}
catch (Exception ex)
{
    ResultText.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}";
    return;
}

if (result != null)
{
    string accessToken = result.AccessToken;
    // Use the token
}

However, for confidential client applications called the AcquireTokenForClient(), it does not use the user token cache, but an application token cache. This method takes care of verifying this application token cache before sending a request.

Hope this will help.

Thanks,

Shweta

---

Please remember to "Accept Answer" if answer helped you.

Answer 2

MSAL.NET team has picked this issue as follows:- https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/issues/149