Tags: authentication, oauth, uwp, microsoft-graph-api, microsoft-account

How to correctly use WebAuthenticationCoreManager to get a Microsoft Account token?


Things have changed so much over the last 5 years that I'm not sure exactly how get this sample to work:

https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/WebAccountManagement

This uses an "Account Manager" UI window to display a list of mostly Microsoft accounts to get an access token from. I understand how to interact with the window. What I'm having problems with are the OAuth endpoints, scopes, and app ids.

FYI, I'm using a personal Microsoft Account.

This is what I thought was the correct way to enable a UWP app to use this token service:

  1. Associate your UWP app with the store. (This gives it an SID that goes into the manifest automatically.)
  2. Register an app name/id on https://apps.dev.microsoft.com.
  3. Copy the app id from step 2 from the Converged applications section to the sample's SingleMicrosoftAccountScenario project as the AccountClientId.
  4. Run the app and try to login.

This gives me an error every time. Here's what's confusing me:

  1. The default scope in the sample is a OneDrive API scope. I thought that had gone away in favor of MS Graph.
  2. Am I supposed to be using the old, old Live SDK app id?
  3. Are the default native app callback URIs OK? Do I need to use something different? From reading somewhere deep in the docs, I tried adding ms-appx-web://Microsoft.AAD.BrokerPlugIn/{app sid}, but that didn't work, either.
  4. So many posts are talking about the cross-platform ADAL or MSAL library. I like it, too. I'm going to use it for the Xamarin stuff... but for native UWP, I'd like to use the really convenient AccountsSettingsPane with WebAuthenticationCoreManager. I've already got Facebook added to it using WebAuthenticationBroker for acquiring the token.

I'm just stuck until I figure out this Microsoft Account stuff. Merging the personal accounts and business accounts really made this complicated...


Solution

  • Here's what I've discovered:

    1. For Microsoft accounts using WebAuthenticationCoreManager, you only have two authorities that will let you "find" built-in Microsoft accounts on your PC that are registered in Windows 10. You can use either "consumers" or "organizations".

    2. If you use the "organizations" authority, WebAuthenticationCoreManager will acquire a token for you using the v1 AAD endpoint... and while this theoretically can use MS Graph, I couldn't get it to work. In order to get this to work in the samples, you must change the added property to the WebTokenRequest as below. Note the URL is different. My scopes are preset on the app registration site. You use the Converged applications ID when you register your application at https://apps.dev.microsoft.com and you use plain Graph API scopes like 'user.read'.

      webTokenRequest.Properties.Add("resource", "https://graph.microsoft.com");

    3. If you use the "consumers" authority, you're not getting a token compatible with MS Graph at all. Instead, you're getting an old Live API token. You can confirm this by using this endpoint to get your username with the token: https://apis.live.net/v5.0/me. While I would be fine with using this token just to authenticate my user, this API is already deprecated and will go offline in November of 2018 (next month!). So, it seems that you can't use it for personal accounts. If you want to get this to work, you need to use the Converged ID number, but instead use the old Live API scope "wl.basic".

    My workaround was to not add the default accounts at all and instead add a custom account that uses MSAL to login. It sucks because this still requires an initial login. It's a shame because we're already logged into the PC using that account. Seems silly we need to enter credentials again.

    UPDATE

    The github repo here has a working solution for using WebAuthenticationCoreManager to get a token that works with the MS Graph API. The file that shows how they do it is here: https://github.com/CommunityToolkit/Graph-Controls/blob/main/CommunityToolkit.Authentication.Uwp/WindowsProvider.cs
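The following is an added example, not code from the question, the answer, or the linked repositories. It puts the answer's step 2 into one runnable UWP helper: find the Microsoft provider with the "organizations" authority, build a WebTokenRequest with a plain Graph scope, add the "resource" property the answer identifies, try the silent path first (so the account already signed in to Windows is reused when the broker allows it), and then prove the token is Graph-compatible rather than a Live API token by calling /v1.0/me. The client id is a placeholder you replace with your own Converged application id; the class and method names are the example's own.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Core;
using Windows.Security.Credentials;

// Added example (not from the question or answer). Assumes an app registered as a
// Converged application; AccountClientId below is a placeholder, not a real id.
public static class GraphTokenHelper
{
    private const string AccountClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private const string MicrosoftProviderId = "https://login.microsoft.com";
    private const string Authority = "organizations";   // the authority the answer got working
    private const string Scope = "user.read";            // plain Graph API scope
    private const string GraphResource = "https://graph.microsoft.com";

    // Requests a Graph-compatible token through the Windows account broker.
    // Returns (token, null) on success or (null, errorDescription) on failure.
    public static async Task<(string token, string error)> AcquireGraphTokenAsync()
    {
        WebAccountProvider provider =
            await WebAuthenticationCoreManager.FindAccountProviderAsync(MicrosoftProviderId, Authority);
        if (provider == null)
            return (null, "No account provider found for authority '" + Authority + "'.");

        var request = new WebTokenRequest(provider, Scope, AccountClientId);
        // The property the answer says is required for the v1 AAD endpoint to issue a Graph token.
        request.Properties.Add("resource", GraphResource);

        // Silent first: reuses the account already signed in to Windows when the broker permits.
        // Fall back to the interactive prompt only when the broker says interaction is needed.
        WebTokenRequestResult result = await WebAuthenticationCoreManager.GetTokenSilentlyAsync(request);
        if (result.ResponseStatus == WebTokenRequestStatus.UserInteractionRequired)
            result = await WebAuthenticationCoreManager.RequestTokenAsync(request);

        if (result.ResponseStatus != WebTokenRequestStatus.Success)
        {
            // ResponseError is null when the user cancels, so report the status in that case.
            string detail = result.ResponseError != null
                ? $"{result.ResponseError.ErrorCode:X}: {result.ResponseError.ErrorMessage}"
                : result.ResponseStatus.ToString();
            return (null, detail);
        }

        // The token is a bearer credential: return it to the caller, never log it.
        return (result.ResponseData[0].Token, null);
    }

    // Confirms the token works against MS Graph (a Live API token would be rejected here).
    // Returns the JSON body of /v1.0/me, or throws if Graph answers with a non-success status.
    public static async Task<string> GetMeFromGraphAsync(string token)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await http.GetAsync(GraphResource + "/v1.0/me");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    // Typical usage from a page or view model:
    //   var (token, error) = await GraphTokenHelper.AcquireGraphTokenAsync();
    //   if (token != null) { string me = await GraphTokenHelper.GetMeFromGraphAsync(token); }
    //   else { /* surface `error` to the user or your logs; it never contains the token */ }
}
```

If FindAccountProviderAsync returns null or the status is ProviderError, check first that the Converged application id, not an older Live SDK id, is in AccountClientId and that "user.read" is among the scopes configured on the registration, since those are the two mismatches the answer describes.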