Handle errors and exceptions in MSAL for Android
Exceptions in the Microsoft Authentication Library (MSAL) are intended to help app developers troubleshoot their application. Exception messages aren't localized.
When processing exceptions and errors, you can use the exception type itself and the error code to distinguish between exceptions. For a list of error codes, see Microsoft Entra authentication and authorization error codes.
During the sign-in experience, you can encounter errors about consents, Conditional Access (MFA, Device Management, Location-based restrictions), token issuance and redemption, and user properties.
Error class | Cause/error string | How to handle |
---|---|---|
MsalUiRequiredException |
|
Call acquireToken() to prompt the user to enter their username and password, and possibly consent and perform multifactor authentication. |
MsalDeclinedScopeException |
|
The developer should decide whether to continue authentication with the granted scopes or end the authentication process. Option to resubmit the acquire token request only for the granted scopes and provide hints for which permissions have been granted by passing silentParametersForGrantedScopes and calling acquireTokenSilent . |
MsalServiceException |
|
This exception class represents errors when communicating to the service, can be from the authorize or token endpoints. MSAL reads the error and error_description from the server response. Generally, these errors are resolved by fixing app configurations either in code or in the app registration portal. Rarely a service outage can trigger this warning, which can only be mitigated by waiting for the service to recover. |
MsalClientException |
|
This exception class represents general errors that are local to the library. These exceptions can be handled by correcting the request. |
MsalUserCancelException |
|
|
MsalArgumentException |
|
These errors can be mitigated by the developer correcting arguments and ensuring activity for interactive auth, completion callback, scopes, and an account with a valid ID have been provided. |
Catching errors
The following code snippet shows an example of catching errors for the silent acquireToken
calls.
/**
* Callback used in for silent acquireToken calls.
*/
private SilentAuthenticationCallback getAuthSilentCallback() {
return new SilentAuthenticationCallback() {
@Override
public void onSuccess(IAuthenticationResult authenticationResult) {
Log.d(TAG, "Successfully authenticated");
/* Successfully got a token, use it to call a protected resource - MSGraph */
callGraphAPI(authenticationResult);
}
@Override
public void onError(MsalException exception) {
/* Failed to acquireToken */
Log.d(TAG, "Authentication failed: " + exception.toString());
displayError(exception);
if (exception instanceof MsalClientException) {
/* Exception inside MSAL, more info inside MsalError.java */
} else if (exception instanceof MsalServiceException) {
/* Exception when communicating with the STS, likely config issue */
} else if (exception instanceof MsalUiRequiredException) {
/* Tokens expired or no session, retry with interactive */
}
}
};
}
Next steps
Learn more about Logging in MSAL for Android.