Class AuthenticationResult

Namespace
Microsoft.Identity.Client
Assembly
Microsoft.Identity.Client.dll

Contains the results of one token acquisition operation in PublicClientApplication or ConfidentialClientApplication. For details see https://aka.ms/msal-net-authenticationresult

public class AuthenticationResult
Inheritance
AuthenticationResult
Constructors

AuthenticationResult(string, bool, string, DateTimeOffset, DateTimeOffset, string, IAccount, string, IEnumerable<string>, Guid, string, AuthenticationResultMetadata, ClaimsPrincipal, string, IReadOnlyDictionary<string, string>)

Constructor meant to help application developers test their apps. Allows mocking of authentication flows. App developers should never new-up AuthenticationResult in product code.

public AuthenticationResult(string accessToken, bool isExtendedLifeTimeToken, string uniqueId, DateTimeOffset expiresOn, DateTimeOffset extendedExpiresOn, string tenantId, IAccount account, string idToken, IEnumerable<string> scopes, Guid correlationId, string tokenType = "Bearer", AuthenticationResultMetadata authenticationResultMetadata = null, ClaimsPrincipal claimsPrincipal = null, string spaAuthCode = null, IReadOnlyDictionary<string, string> additionalResponseParameters = null)

Parameters

accessToken string

Access Token that can be used as a bearer token to access protected web APIs

isExtendedLifeTimeToken bool

See IsExtendedLifeTimeToken

uniqueId string

Unique Id of the account. It can be null. When the IdToken is not null, this is the ID token's ObjectId claim or, if that claim is null, its Subject claim.

expiresOn DateTimeOffset

Expiry date-time for the access token

extendedExpiresOn DateTimeOffset

See ExtendedExpiresOn

tenantId string

Identifier for the Azure AD tenant from which the token was acquired. Can be null.

account IAccount

Account information

idToken string

ID token

scopes IEnumerable<string>

Granted scope values as returned by the service

correlationId Guid

The correlation id of the authentication request

tokenType string

The token type, defaults to Bearer. Note: this property is experimental and may change in future versions of the library.

authenticationResultMetadata AuthenticationResultMetadata

Contains metadata related to the Authentication Result.

claimsPrincipal ClaimsPrincipal

Claims from the ID token

spaAuthCode string

Auth Code returned by the Microsoft identity platform when you use AcquireTokenByAuthorizationCode.WithSpaAuthorizationCode(). This auth code is meant to be redeemed by the frontend code. See https://aka.ms/msal-net/spa-auth-code

additionalResponseParameters IReadOnlyDictionary<string, string>

Other properties from the token response.

Properties

AccessToken

Access Token that can be used as a bearer token to access protected web APIs

public string AccessToken { get; }

Property Value

string

Account

Gets the account information. Some elements in IAccount might be null if not returned by the service. The account can be passed back in some API overloads to identify which account should be used, for instance AcquireTokenSilent(IEnumerable<string>, IAccount) or RemoveAsync(IAccount).

public IAccount Account { get; }

Property Value

IAccount

AdditionalResponseParameters

Exposes additional response parameters returned by the token issuer (AAD).

public IReadOnlyDictionary<string, string> AdditionalResponseParameters { get; }

Property Value

IReadOnlyDictionary<string, string>

Remarks

Not all parameters are added here, only the ones that MSAL doesn't interpret itself, and only scalars. Not supported on mobile frameworks (e.g. net6-android or net6-ios).

AuthenticationResultMetadata

Contains metadata for the Authentication result.

public AuthenticationResultMetadata AuthenticationResultMetadata { get; }

Property Value

AuthenticationResultMetadata

ClaimsPrincipal

All the claims present in the ID token.

public ClaimsPrincipal ClaimsPrincipal { get; }

Property Value

ClaimsPrincipal

CorrelationId

Gets the correlation id used for the request.

public Guid CorrelationId { get; }

Property Value

Guid

ExpiresOn

Gets the point in time at which the Access Token returned in the AccessToken property ceases to be valid. This value is calculated from the current UTC time, measured locally, and the expiresIn value received from the service.

public DateTimeOffset ExpiresOn { get; }

Property Value

DateTimeOffset

IdToken

Gets the Id Token if returned by the service or null if no Id Token is returned.

public string IdToken { get; }

Property Value

string

Scopes

Gets the granted scope values returned by the service.

public IEnumerable<string> Scopes { get; }

Property Value

IEnumerable<string>

SpaAuthCode

Gets the SPA Authorization Code, if it was requested using the WithSpaAuthorizationCode method on the AcquireTokenByAuthorizationCode builder. See https://aka.ms/msal-net/spa-auth-code for details.

public string SpaAuthCode { get; }

Property Value

string

TenantId

Gets an identifier for the Azure AD tenant from which the token was acquired. This property will be null if tenant information is not returned by the service.

public string TenantId { get; }

Property Value

string

TokenType

Identifies the type of access token. By default, tokens returned by Azure Active Directory are Bearer tokens.
See CreateAuthorizationHeader() for getting an HTTP authorization header from an AuthenticationResult.

public string TokenType { get; }

Property Value

string

UniqueId

Gets the Unique Id of the account in this TenantId. It is set as the oid (ObjectId) claim, or if that claim is null, as the sub (Subject) claim, which is guaranteed not-null.

public string UniqueId { get; }

Property Value

string

Remarks

The oid claim identifies a user in all apps. Microsoft Identity Providers issue ID tokens with this claim, although it can be null in rare cases. The sub claim is "a locally unique and never reassigned identifier within the Issuer for the End-User" as per https://openid.net/specs/openid-connect-core-1_0.html and it is a mandatory claim with OIDC-compliant issuers. Guest AAD accounts have different oid claim values in each tenant. Use HomeAccountId to uniquely identify users across tenants. See https://docs.microsoft.com/azure/active-directory/develop/id-tokens#payload-claims
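The test-only constructor and the TenantId, Scopes, ExpiresOn, UniqueId and Account properties described above can be exercised together in a unit test. The following is an added example, not code from the MSAL.NET documentation: FakeAccount, TokenResultChecks and Demo are hypothetical names, every identifier and token value is a constructed placeholder, and the five-minute expiry margin is an assumption.

```csharp
using System;
using System.Linq;
using Microsoft.Identity.Client;

// Hypothetical test double; IAccount's three members are all that is needed.
sealed class FakeAccount : IAccount
{
    public string Username => "guest@fabrikam.example";
    public string Environment => "login.microsoftonline.com";
    public AccountId HomeAccountId { get; } =
        new AccountId("home-oid.home-tid", "home-oid", "home-tid");
}

static class TokenResultChecks
{
    // Returns null when the result is acceptable, otherwise the rejection reason.
    public static string Reject(AuthenticationResult r, string tenantId, string scope)
    {
        // TenantId is null when the service returns no tenant information.
        if (!string.Equals(r.TenantId, tenantId, StringComparison.OrdinalIgnoreCase))
            return "unexpected tenant";
        // Scopes lists what was granted, which can differ from what was requested.
        if (!r.Scopes.Contains(scope, StringComparer.OrdinalIgnoreCase))
            return "required scope not granted";
        // ExpiresOn is computed from the local clock, so keep a safety margin.
        if (r.ExpiresOn - DateTimeOffset.UtcNow < TimeSpan.FromMinutes(5))
            return "token too close to expiry";
        return null;
    }

    // Cross-tenant key: UniqueId (oid) differs per tenant for guest accounts.
    public static string UserKey(AuthenticationResult r) =>
        r.Account?.HomeAccountId?.Identifier ?? $"{r.TenantId}/{r.UniqueId}";
}

static class Demo
{
    static void Main()
    {
        // Constructed values; the access token is a placeholder, not a real JWT.
        var r = new AuthenticationResult("placeholder-token", false, "resource-oid",
            DateTimeOffset.UtcNow.AddHours(1), DateTimeOffset.UtcNow.AddHours(2),
            "resource-tid", new FakeAccount(), null,
            new[] { "api://placeholder/Files.Read" }, Guid.NewGuid());

        Console.WriteLine(TokenResultChecks.Reject(r, "resource-tid", "api://placeholder/Files.Read") ?? "accepted");
        Console.WriteLine(TokenResultChecks.Reject(r, "resource-tid", "api://placeholder/Files.Write"));
        Console.WriteLine(TokenResultChecks.UserKey(r));
        // Log the correlation id for support cases, never the AccessToken itself.
        Console.WriteLine($"correlation id: {r.CorrelationId}");
    }
}
```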

Methods

CreateAuthorizationHeader()

Creates the content for an HTTP authorization header from this authentication result, so that you can call a protected API.

public string CreateAuthorizationHeader()

Returns

string

Created authorization header of the form "Bearer {AccessToken}"

Examples

Here is how you can call a protected API from this authentication result (in the result variable):

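HttpClient client = new HttpClient();
// CreateAuthorizationHeader() returns "Bearer {AccessToken}" for the default token type.
client.DefaultRequestHeaders.Add("Authorization", result.CreateAuthorizationHeader());
// The header is now sent with every request made through this client instance.
HttpResponseMessage r = await client.GetAsync(urlOfTheProtectedApi);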