PublicClientApplication Class

Definition

Class to be used to acquire tokens in desktop or mobile applications (Desktop / UWP / Xamarin.iOS / Xamarin.Android). Public client applications are not trusted to safely keep application secrets, and therefore they access Web APIs only in the name of the user. For details see https://aka.ms/msal-net-client-applications

public sealed class PublicClientApplication : Microsoft.Identity.Client.ClientApplicationBase, Microsoft.Identity.Client.IByRefreshToken, Microsoft.Identity.Client.IPublicClientApplication
type PublicClientApplication = class
    inherit ClientApplicationBase
    interface IPublicClientApplication
    interface IClientApplicationBase
    interface IByRefreshToken
Public NotInheritable Class PublicClientApplication
Inherits ClientApplicationBase
Implements IByRefreshToken, IPublicClientApplication
Inheritance
PublicClientApplication
Implements

Remarks

  • Contrary to ConfidentialClientApplication, public clients are unable to hold configuration-time secrets, and as a result have no client secret
  • The redirect URL is pre-proposed by the library. It does not need to be passed in the constructor
  • .NET Core does not support UI, and therefore this platform does not provide the interactive token acquisition methods

Constructors

PublicClientApplication(String)

Constructor of the application. It will use https://login.microsoftonline.com/common as the default authority.

PublicClientApplication(String, String)

Constructor of the application.

PublicClientApplication(String, String, TokenCache)

Constructor to create an application instance. This constructor is only available for Desktop and .NET Core apps.

Properties

AppConfig

Details on the configuration of the ClientApplication for debugging purposes.

(Inherited from ClientApplicationBase)
Authority (Inherited from ClientApplicationBase)
ClientId

Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app) and as passed in the constructor of the application

(Inherited from ClientApplicationBase)
IsSystemWebViewAvailable
RedirectUri

The redirect URI (also known as Reply URI or Reply URL) is the URI at which Azure AD will call back the application with the tokens. This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app). In MSAL.NET, PublicClientApplication defines the following default RedirectUri values:

  • urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
  • msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these platforms to call back the application)
These default URIs could change in the future. In ConfidentialClientApplication, this can be the URL of the Web application / Web API. (Inherited from ClientApplicationBase)
UserTokenCache (Inherited from ClientApplicationBase)

Methods

AcquireTokenAsync(IEnumerable<String>)

Interactive request to acquire token for the specified scopes. The user is required to select an account

AcquireTokenAsync(IEnumerable<String>, IAccount)

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the provided account

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String)

Interactive request to acquire token for an account with control of the UI prompt and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, IEnumerable<String>, String)

Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, IEnumerable<String>, String, UIParent)

Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, UIParent)

Interactive request to acquire token for an account with control of the UI prompt and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, IAccount, UIParent)

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the provided account

AcquireTokenAsync(IEnumerable<String>, String)

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the loginHint

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String)

Interactive request to acquire token for a login with control of the UI prompt and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, IEnumerable<String>, String)

Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, IEnumerable<String>, String, UIParent)

Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, UIParent)

Interactive request to acquire token for a login with control of the UI prompt and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, String, UIParent)

Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified window. The user will need to sign-in but an account will be proposed based on the loginHint

AcquireTokenAsync(IEnumerable<String>, UIParent)

Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified window. The user will be required to select an account

AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)

Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this override is pulled from the operating system as the current user principal name.

AcquireTokenByIntegratedWindowsAuthAsync(IEnumerable<String>)

Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this override is pulled from the operating system as the current user principal name

AcquireTokenByIntegratedWindowsAuthAsync(IEnumerable<String>, String)

Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this override is pulled from the operating system as the current user principal name

AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString)

Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. See https://aka.ms/msal-net-up for details.

AcquireTokenByUsernamePasswordAsync(IEnumerable<String>, String, SecureString)

Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. Available only on .NET desktop and .NET Core. See https://aka.ms/msal-net-up for details.

AcquireTokenInteractive(IEnumerable<String>)

Interactive request to acquire a token for the specified scopes. The interactive window will be parented to the specified window. The user will be required to select an account

AcquireTokenSilent(IEnumerable<String>, IAccount)

[V3 API] Attempts to acquire an access token for the account from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details

(Inherited from ClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)

[V3 API] Attempts to acquire an access token for the IAccount having the Username match the given loginHint, from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details

(Inherited from ClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount)

[V2 API] Attempts to acquire an access token for the account from the user token cache.

(Inherited from ClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount, String, Boolean)

[V2 API] Attempts to acquire an access token for the account from the user token cache, with advanced parameters controlling network call.

(Inherited from ClientApplicationBase)
AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>)

Acquires a security token on a device without a Web browser, by letting the user authenticate on another device. This is done in two steps:

  • The method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, Func<DeviceCodeResult,Task>)

Acquires a security token on a device without a Web browser, by letting the user authenticate on another device. This is done in two steps:

  • The method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, Func<DeviceCodeResult,Task>, CancellationToken)

Acquires a security token on a device without a Web browser, by letting the user authenticate on another device, with possibility of cancelling the token acquisition before it times out. This is done in two steps:

  • The method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, String, Func<DeviceCodeResult,Task>)

Acquires a security token on a device without a Web browser, by letting the user authenticate on another device, with possibility of passing extra parameters. This is done in two steps:

  • The method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, String, Func<DeviceCodeResult,Task>, CancellationToken)

Acquires a security token on a device without a Web browser, by letting the user authenticate on another device, with possibility of passing extra query parameters and cancelling the token acquisition before it times out. This is done in two steps:

  • The method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
GetAccountAsync(String)

Get the IAccount by its identifier among the accounts available in the token cache.

(Inherited from ClientApplicationBase)
GetAccountsAsync()

Returns all the available IAccount in the user token cache for the application.

(Inherited from ClientApplicationBase)
RemoveAsync(IAccount)

Removes all tokens in the cache for the specified account.

(Inherited from ClientApplicationBase)
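
Added example (not part of the original reference and not Microsoft's sample code): the two-step device code flow described above, preceded by a silent attempt against the user token cache and bounded by a CancellationToken so that polling stops when the prompt is no longer wanted. The client ID, scope, authority URL and five-minute timeout are placeholder assumptions; PublicClientApplicationBuilder and ExecuteAsync belong to the MSAL.NET V3 API and are not listed on this page.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class DeviceCodeSample
{
    // Placeholders (assumptions): use your own app registration, authority and scopes.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string Authority = "https://login.microsoftonline.com/organizations";
    static readonly string[] Scopes = { "User.Read" };

    static async Task<AuthenticationResult> GetTokenAsync(IPublicClientApplication app)
    {
        // Try the user token cache first so the user is not prompted needlessly.
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try { return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync(); }
            catch (MsalUiRequiredException)
            {
                // Nothing usable in the cache: fall through to the device code flow.
            }
        }

        // Bound the polling step; on timeout ExecuteAsync throws OperationCanceledException.
        using (var cts = new CancellationTokenSource(TimeSpan.FromMinutes(5)))
        {
            return await app.AcquireTokenWithDeviceCode(Scopes, deviceCode =>
            {
                // Step 1: show the URL and code to the person at this device.
                Console.WriteLine(deviceCode.Message);
                return Task.CompletedTask;
            }).ExecuteAsync(cts.Token); // Step 2: poll until sign-in completes or is cancelled.
        }
    }

    static async Task Main()
    {
        // A public client carries no client secret: only the client ID and authority.
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(Authority)
            .Build();
        var result = await GetTokenAsync(app);
        // Report who signed in and the expiry; never write the access token itself to output.
        Console.WriteLine($"Signed in as {result.Account.Username}; token expires {result.ExpiresOn}");
    }
}
```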

Explicit Interface Implementations

IByRefreshToken.AcquireTokenByRefreshToken(IEnumerable<String>, String)
IByRefreshToken.AcquireTokenByRefreshTokenAsync(IEnumerable<String>, String)

Acquires an access token from an existing refresh token and stores it and the refresh token into the application user token cache, where it will be available for further AcquireTokenSilentAsync calls. This method can be used in migration to MSAL from ADAL v2 and in various integration scenarios where you have a RefreshToken available. (see https://aka.ms/msal-net-migration-adal2-msal2)
