Class PublicClientApplication
Represents public client applications - desktop and mobile applications.
public sealed class PublicClientApplication : ClientApplicationBase, IPublicClientApplication, IClientApplicationBase, IApplicationBase, IByRefreshToken- Inheritance
-
PublicClientApplication
- Implements
- Inherited Members
- Extension Methods
Remarks
Public client applications are not trusted to safely keep application secrets and therefore they can only access web APIs in the name of the authenticating user. See Client Applications.
Unlike IConfidentialClientApplication, public clients are unable to securely store secrets on a client device and as a result do not require the use of a client secret.
The redirect URI needed for interactive authentication is automatically determined by the library. It does not need to be passed explicitly in the constructor. Depending on the authentication strategy (e.g., through the Web Account Manager, the Authenticator app, web browser, etc.), different redirect URIs will be used by MSAL. Redirect URIs must always be configured for the application in the Azure Portal.
Properties
IsSystemWebViewAvailable
Tells if the application can use the system web browser, therefore enabling single-sign-on with web applications. By default, MSAL will try to use a system browser on the mobile platforms, if it is available. See our documentation for more details.
public bool IsSystemWebViewAvailable { get; }Property Value
- bool
Returns
trueif MSAL can use the system web browser.
Remarks
On Windows, macOS, and Linux a system browser can always be used, except in cases where there is no UI (e.g., a SSH session). On Android, the browser must support tabs.
OperatingSystemAccount
A special account value that indicates that the current operating system account should be used to log the user in. Not all operating systems and authentication flows support this concept, in which case calling AcquireTokenSilent(IEnumerable<string>, IAccount) will throw an MsalUiRequiredException.
public static IAccount OperatingSystemAccount { get; }Property Value
Remarks
Currently only the Windows broker is able to login with the current operating system user. For additional details, see the documentation on the Windows broker.
Methods
AcquireTokenByIntegratedWindowsAuth(IEnumerable<string>)
This API is no longer recommended and will be deprecated in future versions in favor of similar functionality via the Windows broker (WAM). WAM does not require any setup for desktop apps to login with the Windows account.
Acquires a token non-interactively for the signed-in user in Windows via Integrated Windows Authentication. The account used in this overrides is pulled from the operating system as the current user principal name. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<string>, IAccount) to check the token cache.
public AcquireTokenByIntegratedWindowsAuthParameterBuilder AcquireTokenByIntegratedWindowsAuth(IEnumerable<string> scopes)Parameters
scopesIEnumerable<string>Scopes requested to access a protected API.
Returns
- AcquireTokenByIntegratedWindowsAuthParameterBuilder
A builder enabling you to add optional parameters before executing the token request.
Remarks
See our documentation for more details.
AcquireTokenByUsernamePassword(IEnumerable<string>, string, string)
Acquires a token without user interaction using username and password authentication. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<string>, IAccount) to check the token cache.
public AcquireTokenByUsernamePasswordParameterBuilder AcquireTokenByUsernamePassword(IEnumerable<string> scopes, string username, string password)Parameters
scopesIEnumerable<string>Scopes requested to access a protected API.
usernamestringIdentifier of the user application requests token on behalf. Generally in UserPrincipalName (UPN) format, e.g.
john.doe@contoso.compasswordstringUser password as a string.
Returns
- AcquireTokenByUsernamePasswordParameterBuilder
A builder enabling you to add optional parameters before executing the token request.
Remarks
Available only for .NET Framework and .NET Core applications. See our documentation for details.
AcquireTokenInteractive(IEnumerable<string>)
Acquires a token interactively for the specified scopes. Either a system browser, an embedded browser, or a broker will handle this request, depending on the version of .NET framework used and on configuration. For Microsoft Entra applications, a broker is recommended. See Windows Broker. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<string>, IAccount) to check the token cache. See Interactive Authentication.
[CLSCompliant(false)]
public AcquireTokenInteractiveParameterBuilder AcquireTokenInteractive(IEnumerable<string> scopes)Parameters
scopesIEnumerable<string>Scopes requested to access a protected API.
Returns
- AcquireTokenInteractiveParameterBuilder
A builder enabling you to add optional parameters before executing the token request.
Remarks
The user will be signed-in interactively and will consent to scopes, as well as perform a multi-factor authentication step if such a policy was enabled in the Azure AD tenant.
AcquireTokenWithDeviceCode(IEnumerable<string>, Func<DeviceCodeResult, Task>)
Acquires a token on a device without a web browser by letting the user authenticate on another device. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<string>, IAccount) to check the token cache.
public AcquireTokenWithDeviceCodeParameterBuilder AcquireTokenWithDeviceCode(IEnumerable<string> scopes, Func<DeviceCodeResult, Task> deviceCodeResultCallback)Parameters
scopesIEnumerable<string>Scopes requested to access a protected API.
deviceCodeResultCallbackFunc<DeviceCodeResult, Task>Callback containing information to show the user about how to authenticate and enter the device code.
Returns
- AcquireTokenWithDeviceCodeParameterBuilder
A builder enabling you to add optional parameters before executing the token request.
Remarks
The token acquisition is done in two steps:
- The method first acquires a device code from the authority and returns it to the caller via
the
deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (i.e., to a specific URL, with a code). - The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information.
IsBrokerAvailable()
Returns true if an authentication broker can be used.
This method is only needed for mobile scenarios which support Mobile Application Management (MAM). In other cases, use WithBroker, which will fall back to use a browser if an authentication broker is unavailable.
public bool IsBrokerAvailable()Returns
Remarks
- On Windows, the broker (WAM) can be used on Windows 10 and is always installed. See https://aka.ms/msal-net-wam
- On Mac, Linux, and older versions of Windows a broker is not available.
- In .NET 6 apps, target
net6.0-windows10.0.17763.0for all Windows versions and targetnet6.0for Linux and Mac. - In .NET classic or .NET Core 3.1 apps, install Microsoft.Identity.Client.Desktop first and call
WithDesktopFeatures(). - In mobile apps, the device must be Intune joined and Authenticator or Company Portal must be installed. See https://aka.ms/msal-brokers
IsEmbeddedWebViewAvailable()
Returns true if MSAL can use an embedded web view (web browser).
public bool IsEmbeddedWebViewAvailable()Returns
Remarks
All .NET Framework applications will use the legacy web view. .NET 6 and .NET Core applications must use the Microsoft.Identity.Client.Desktop package with WebView2. .NET 6 for Windows comes with WebView2 by default. WebView2 UI is only shown for non-AAD authorities. Refer to our documentation for additional details.
IsProofOfPossessionSupportedByClient()
Used to determine if the currently available broker is able to perform Proof-of-Possession.
public bool IsProofOfPossessionSupportedByClient()Returns
- bool
Boolean indicating if Proof-of-Possession is supported
IsUserInteractive()
Returns false when the application runs in headless mode (e.g., when SSH-d into a Linux machine).
Browsers (web views) and brokers cannot be used if there is no UI support. For those scenarios, use AcquireTokenWithDeviceCode(IEnumerable<string>, Func<DeviceCodeResult, Task>).
public bool IsUserInteractive()