[Bug] "Back" button appears in MSAL.net (which was not appearing in ADAL.net) #4738

Open
smohanty05 opened this issue May 2, 2024 · 7 comments

Comments

@smohanty05

smohanty05 commented May 2, 2024

Library version used

Microsoft.Identity.Client 4.60.3

.NET version

.net framework 4.8

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

I am migrating from ADAL.net to MSAL.net.
From the desktop app, the username is sent to the method which acquires the token.

```csharp
publicClient = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(authority)
    .WithRedirectUri(redirectUri.ToString())
    .Build();
FileCache.EnableSerialization(publicClient.UserTokenCache);

var accounts = await publicClient.GetAccountsAsync();
AuthenticationResult result = null;
try
{
    result = await publicClient.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
        .ExecuteAsync();
    if (!string.IsNullOrEmpty(userName) &&
        !result.Account.Username.Equals(userName + "@" + tenant, StringComparison.InvariantCultureIgnoreCase))
        throw new MsalUiRequiredException(MsalError.MultipleTokensMatchedError, "Multiple tokens matched");
}
catch (MsalUiRequiredException ex)
{
    if (ex.ErrorCode == MsalError.MultipleTokensMatchedError)
    {
        // clear the cache
        ClearCache();
    }
    if (string.IsNullOrEmpty(userName))
        result = await publicClient.AcquireTokenInteractive(scopes)
            .WithPrompt(Prompt.ForceLogin)
            .ExecuteAsync();
    else
        result = await publicClient.AcquireTokenInteractive(scopes)
            .WithPrompt(Prompt.ForceLogin)
            .WithLoginHint(userName + "@" + tenant)
            .ExecuteAsync();
}
```

AcquireTokenInteractive shows the dialog box with a "Back" button when the username provided to the method is an invalid user. But there is no use for the Back button here. Clicking on it causes a User Authentication Cancelled exception.


In ADAL.net, the old code was as below:

```csharp
authContext = new AuthenticationContext(authority, new FileCache());
AuthenticationResult result = null;
try
{
    result = await authContext.AcquireTokenSilentAsync(resourceId, clientId);
    if (!string.IsNullOrEmpty(userName) &&
        !result.UserInfo.DisplayableId.Equals(userName + "@" + tenant, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new AdalException(AdalError.MultipleTokensMatched);
    }
}
catch (AdalException ex)
{
    if (ex.ErrorCode == AdalError.UserInteractionRequired ||
        ex.ErrorCode == AdalError.FailedToAcquireTokenSilently ||
        ex.ErrorCode == AdalError.MultipleTokensMatched)
    {
        if (ex.ErrorCode == AdalError.MultipleTokensMatched)
        {
            if (authContext != null)
                authContext.TokenCache.Clear();
        }
        if (string.IsNullOrEmpty(userName))
        {
            result = await authContext.AcquireTokenAsync(resourceId, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Always));
        }
        else
        {
            result = await authContext.AcquireTokenAsync(resourceId, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Always),
                new UserIdentifier(userName + "@" + tenant, UserIdentifierType.RequiredDisplayableId));
        }
    }
}
```

I have attached screenshots from both MSAL.net and ADAL.net below.

MSAL.net=>
MSAL net

ADAL.net=>
ADAL net

Users will consider this a regression after migration from ADAL.net to MSAL.net.

Is there a way to remove/hide the Back button?

Relevant code snippets

No response

Expected behavior

Back button should not be shown in this case as there is no use of it (in the scenario described).

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@smohanty05 added the `needs attention` and `untriaged` labels May 2, 2024
@neha-bhargava added the `bug` and `public-client` labels and removed the `untriaged` and `needs attention` labels May 3, 2024
@iulico-1 assigned iulico-1 and localden and unassigned iulico-1 May 7, 2024
@bgavrilMS
Member

This is a service problem, SDK does not control UI

@localden
Collaborator

@bgavrilMS it does seem odd, however, that the behavior would be different between ADAL and MSAL in UI rendering (even if it's not the library that controls the UI). Let me reach out to service folks and see if we can get some clarity here.

@rayluo
Contributor

rayluo commented May 14, 2024

> @bgavrilMS it does seem odd, however, that the behavior would be different between ADAL and MSAL in UI rendering (even if it's not the library that controls the UI). Let me reach out to service folks and see if we can get some clarity here.

ADAL talks to v1 endpoint and MSAL talks to v2. It could be the different out-of-the-box behaviors of the two endpoints. Just a hypothesis, though. I did not try it myself. :-)

@localden
Collaborator

@smohanty05 - let's take a look at the HTTP requests that are issued by ADAL and one issued by MSAL. Can you please post those here (without authenticating/providing credentials). I want to see if there is a good way for us to see the delta between what ADAL does vs. what MSAL does.

You can use a tool like Fiddler on Windows to get this data.
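
One way to produce the ADAL-versus-MSAL delta requested above from two captured authorize URLs, while masking values that should not be pasted into a public issue. This is an added example, not part of the thread or of either library; the sample URLs are constructed placeholders (not captures), and the `REDACT` list and function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed list of parameters whose values should not appear in a public issue.
REDACT = {"client_id", "login_hint", "state", "nonce", "code_challenge"}

# Constructed sample URLs (placeholders, not captures from ADAL or MSAL).
ADAL_URL = ("https://login.microsoftonline.com/TENANT/oauth2/authorize"
            "?resource=https%3A%2F%2Fapi.example&client_id=CLIENT"
            "&response_type=code&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob"
            "&login_hint=alice%40contoso.example&prompt=login")
MSAL_URL = ("https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize"
            "?scope=https%3A%2F%2Fapi.example%2F.default+openid&client_id=CLIENT"
            "&response_type=code&redirect_uri=http%3A%2F%2Flocalhost"
            "&login_hint=alice%40contoso.example&prompt=login"
            "&code_challenge=SAMPLE&code_challenge_method=S256&state=SAMPLE")

def parse(url):
    """Split a URL into (path with the tenant segment masked, raw query dict)."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    if len(segs) > 1 and segs[1]:
        segs[1] = "<tenant>"  # first path segment is the tenant name or GUID
    query = parse_qs(parts.query, keep_blank_values=True)
    return "/".join(segs), {k: " ".join(v) for k, v in query.items()}

def mask(key, value):
    """Hide the value of any parameter listed in REDACT."""
    return "<redacted>" if key.lower() in REDACT else value

def diff_requests(adal_url, msal_url):
    """Compare on raw values, but emit only masked values."""
    a_path, a = parse(adal_url)
    m_path, m = parse(msal_url)
    return {
        "endpoints": (a_path, m_path),
        "only_adal": {k: mask(k, a[k]) for k in sorted(a.keys() - m.keys())},
        "only_msal": {k: mask(k, m[k]) for k in sorted(m.keys() - a.keys())},
        "changed": {k: (mask(k, a[k]), mask(k, m[k]))
                    for k in sorted(a.keys() & m.keys()) if a[k] != m[k]},
    }

if __name__ == "__main__":
    for section, value in diff_requests(ADAL_URL, MSAL_URL).items():
        print(section, value)
```

Parameters that are identical in both requests are omitted from the output, so an unchanged `login_hint` never reaches the pasted diff.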

@smohanty05
Author

@localden, please find the Fiddler result for ADAL and MSAL.
MSAL_ADAL.zip

@localden
Collaborator

@smohanty05 I only see the CONNECT handshakes in there, but not the actual requests. Can you please enable HTTPS decryption and then re-capture the requests?

image

Same as last time - please don't enter any creds 😀

@AzureAD deleted a comment from smohanty05 May 17, 2024
@localden
Collaborator

@smohanty05 appreciate the context, we are investigating.
