Things have changed so much over the last 5 years that I'm not sure exactly how to get this sample to work:
https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/WebAccountManagement
This uses an "Account Manager" UI window to display a list of mostly Microsoft accounts to get an access token from. I understand how to interact with the window. What I'm having problems with are the OAuth endpoints, scopes, and app ids.
FYI, I'm using a personal Microsoft Account.
This is what I thought was the correct way to enable a UWP app to use this token service:
SingleMicrosoftAccountScenario project as the AccountClientId. This gives me an error every time. Here's what's confusing me:
I'm just stuck until I figure out this Microsoft Account stuff. Merging the personal accounts and business accounts really made this complicated...
Here's what I've discovered:
For Microsoft accounts using WebAuthenticationCoreManager, you only have two authorities that will let you "find" built-in Microsoft accounts on your PC that are registered in Windows 10. You can use either "consumers" or "organizations".
If you use the "organizations" authority, WebAuthenticationCoreManager will acquire a token for you using the v1 AAD endpoint... and while this theoretically can use MS Graph, I couldn't get it to work. In order to get this to work in the samples, you must change the added property to the WebTokenRequest as below. Note the URL is different. My scopes are preset on the app registration site. You use the Converged applications ID when you register your application at https://apps.dev.microsoft.com and you use plain Graph API scopes like 'user.read'.
webTokenRequest.Properties.Add("resource", "https://graph.microsoft.com");
If you use the "consumers" authority, you're not getting a token compatible with MS Graph at all. Instead, you're getting an old Live API token. You can confirm this by using this endpoint to get your username with the token https://apis.live.net/v5.0/me . While I would be fine with using this token just to Authenticate my user, this API is already deprecated and will go offline in November of 2018 (next month!). So, it seems that you can't use it for personal accounts. If you want to get this to work, you need to use the Converged ID number, but instead use the old Live API scope "wl.basic".
My workaround was to not add the default accounts at all and instead add a custom account that uses MSAL to login. It sucks because this still requires an initial login. It's a shame because we're already logged into the PC using that account. Seems silly we need to enter credentials again.
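Putting the steps from this answer together, the following is an added example written for this page; it is not code from the question, the answers, or the linked sample or toolkit. It assumes a UWP project, a Converged application (client) ID registered with the 'user.read' scope (the ClientId value is a placeholder), the "organizations" authority, and the "resource" property pointed at Graph as described above. The helper names GraphTokenHelper, AcquireGraphTokenAsync and GetMeJsonAsync are my own.

```csharp
// Added example (not from the original post or the linked projects).
// Assumes a UWP app with a Converged application ID; ClientId is a placeholder.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Core;
using Windows.Security.Credentials;

public static class GraphTokenHelper
{
    private const string ClientId = "<YOUR-CONVERGED-APP-ID>"; // placeholder, assumption
    private const string GraphResource = "https://graph.microsoft.com";

    public static async Task<string> AcquireGraphTokenAsync()
    {
        // "organizations" yields an AAD (v1 endpoint) token; "consumers" yields a
        // Live token that Graph does not accept, as the answer above explains.
        WebAccountProvider provider = await WebAuthenticationCoreManager
            .FindAccountProviderAsync("https://login.microsoft.com", "organizations");
        if (provider == null)
            throw new InvalidOperationException("No account provider found for the 'organizations' authority.");

        // Plain Graph scope, matching what is registered for the app.
        var request = new WebTokenRequest(provider, "user.read", ClientId);

        // Direct the v1 endpoint at Graph instead of its default resource.
        request.Properties.Add("resource", GraphResource);

        WebTokenRequestResult result = await WebAuthenticationCoreManager.RequestTokenAsync(request);
        if (result.ResponseStatus != WebTokenRequestStatus.Success)
        {
            // Surface the error code and message for diagnostics; never log the token itself.
            string detail = result.ResponseError == null
                ? result.ResponseStatus.ToString()
                : $"{result.ResponseError.ErrorCode}: {result.ResponseError.ErrorMessage}";
            throw new InvalidOperationException("Token request failed: " + detail);
        }

        return result.ResponseData[0].Token;
    }

    // Confirms the token is Graph-compatible: /v1.0/me rejects a Live API token.
    public static async Task<string> GetMeJsonAsync(string accessToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage resp = await http.GetAsync(GraphResource + "/v1.0/me");
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadAsStringAsync();
        }
    }
}
```

Call AcquireGraphTokenAsync from the UI thread (RequestTokenAsync can show the account picker), then pass the result to GetMeJsonAsync. Keep the access token in memory only and let WebAuthenticationCoreManager handle caching; persisting it or writing it to logs widens the blast radius if the device or log store is compromised.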
The GitHub repo here has a working solution for using WebAuthenticationCoreManager to get a token that works with the MS Graph API. The file that shows how they do it is here: https://github.com/CommunityToolkit/Graph-Controls/blob/main/CommunityToolkit.Authentication.Uwp/WindowsProvider.cs