Skip to content
This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

AcquireTokenSilentAsync using a cached token

Jump to bottom
Jean-Marc Prieur edited this page Feb 13, 2018 · 8 revisions

Token are cached

Once ADAL.NET has acquired a token for a user for a Web API, it caches it. Next time the application wants a token, it can first call AcquireTokenSilentAsync to verify if an acceptable token is in the cache, and if not, call AcquireTokenAsync.

AcquireTokenAsync gets token from the cache

Like AcquireTokenAsync, in ADAL.NET, AcquireTokenSilentAsync has several overrides which are not available for public client applications. We'll see them later. For the moment, let's get interested in the last three overrides which are for public client applications. image Un-surprisingly, the overrides are very similar to the public application client overrides of AcquireTokenAsync, and they take as parameters:

  • The resource for which you want an access token. you can pass here either the Resource URI of a Web API, or the clientId of the target Web API. Both work.

  • The clientId parameter is the clientId/applicationId of the public client application.

  • userId is optional. It's still set from the DisplayableId of a user

  • parameters is also still optional to describe the desired user interaction (See the same parameter AcquireTokenAsync). Note that if you specify PromptBehaviors which would induce some user interaction (Always, SelectAccount), the token acquisition is, nevertheless done silently (equivalent to RefreshSession) as AcquireTokenSilent is ... silent, and therefore there is no user interaction.

Recommended pattern to acquire a token

Now that you have seen both AcquireTokenAsync, AcquireTokenSilentAsync, it's the right moment to present the recommended usage pattern for calling these methods. The idea is that the developer wants to minimize the number of signings for the user, and therefore, first tries to acquire a token silently, and if this fails s/he tries to get one interactively. Note that AcquireTokenSilent can fail for several reasons, such as the cache does not contain a token for the user, or the token has expired. For these reasons a call to AcquireTokenAsync will usually get at token. But there are also issues such as network problems, STS un-availability, etc . which won't be directly solvable (and will be seen in more details in the topic about best practices for Handling errors.

In ADAL.NET the recommended pattern is the following:

// STS
string cloud = "https://login.microsoftonline.com";
string tenantId = "331e6716-26e8-4651-b323-2563936b416e";
string authority = $"{cloud}/{tenantId}";

// Application
string clientId = "65b27a1c-693c-44bf-bf92-c49e408ccc70";
Uri redirectUri = new Uri("https://TodoListClient");

// Application ID of the Resource (could also be the Resource URI)
string resource = "eab51d24-076e-44ee-bcf0-c2dce7577a6a";

AuthenticationContext ac = new AuthenticationContext(authority);
AuthenticationResult result=null;
try
{
 result = await ac.AcquireTokenSilentAsync(resource, clientId);
}
catch (AdalException adalException)
{
 if (adalException.ErrorCode == AdalError.FailedToAcquireTokenSilently 
     || adalException.ErrorCode == AdalError.InteractionRequired)
  {
   result = await ac.AcquireTokenAsync(resource, clientId,redirectUri,
                                       new PlatformParameters(PromptBehavior.Auto));
  }
}

Getting started with ADAL.NET

Desktop/Mobile apps

Web apps/Web APIs/daemon apps

Advanced topics

News

Contribute

FAQ

Other resources

Log messages

Clone this wiki locally