PublicClientApplication Class

Reference

Definition

Namespace:: Microsoft.Identity.Client

Assembly:: Microsoft.Identity.Client.dll

Package:: Microsoft.Identity.Client v4.67.0

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Abstract class containing common API methods and properties. For details see https://aka.ms/msal-net-client-applications

public sealed class PublicClientApplication : Microsoft.Identity.Client.ClientApplicationBase, Microsoft.Identity.Client.IByRefreshToken, Microsoft.Identity.Client.IPublicClientApplication

type PublicClientApplication = class
    inherit ClientApplicationBase
    interface IPublicClientApplication
    interface IClientApplicationBase
    interface IApplicationBase
    interface IByRefreshToken

Public NotInheritable Class PublicClientApplication
Inherits ClientApplicationBase
Implements IByRefreshToken, IPublicClientApplication

Inheritance: Object

ApplicationBase

ClientApplicationBase
PublicClientApplication

Implements: IApplicationBase IByRefreshToken IClientApplicationBase IPublicClientApplication

Examples

Here is an example of how to use PublicClientApplication with an authentication broker and caching.

    return $"https://login.microsoftonline.com/{tenant}";
}

private static IPublicClientApplication CreatePca(bool withWamBroker = false)
{
    // <PCABootstrapSample>
    var pcaBuilder = PublicClientApplicationBuilder
                    .Create(s_clientIdForPublicApp)
                    .WithAuthority(GetAuthority())
                    .WithLogging(Log, LogLevel.Verbose, true);

    if(withWamBroker)
    {
        IntPtr consoleWindowHandle = GetConsoleWindow();
        Func<IntPtr> consoleWindowHandleProvider = () => consoleWindowHandle;
        pcaBuilder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows) { Title = "Only Windows" })
                  .WithParentActivityOrWindow(consoleWindowHandleProvider);
    }

    Console.WriteLine($"IsBrokerAvailable: {pcaBuilder.IsBrokerAvailable()}");

    var pca = pcaBuilder.WithRedirectUri("http://localhost") // required for DefaultOsBrowser
                    .Build();

    pca.UserTokenCache.SetBeforeAccess(notificationArgs =>
    {
        notificationArgs.TokenCache.DeserializeMsalV3(File.Exists(CacheFilePath)
            ? File.ReadAllBytes(CacheFilePath)
            : null);
    });
    pca.UserTokenCache.SetAfterAccess(notificationArgs =>
    {
        // if the access operation resulted in a cache update

Remarks

Unlike ConfidentialClientApplication, public clients are unable to hold configuration time secrets, and as a result have no client secret.

The redirect URI needed for interactive authentication is automatically determined by the library. It does not need to be passed explicitly in the constructor. Depending on the authentication strategy (e.g., through the Web Authentication Manager, Authentication app, browser, etc.), different redirect URIs will be used by MSAL. Redirect URIs must always be configured in the Azure Active Directory blade in the Azure Portal.

Properties

AppConfig	Details on the configuration of the ClientApplication for debugging purposes. (Inherited from ClientApplicationBase)
Authority	Gets the URL of the authority, or security token service (STS) from which MSAL.NET will acquire security tokens The return value of this property is either the value provided by the developer in the constructor of the application, or otherwise the value of the Microsoft.Identity.Client.ApplicationBase.DefaultAuthority static member (that is `https://login.microsoftonline.com/common/`) (Inherited from ClientApplicationBase)
IsSystemWebViewAvailable	Returns true if MSAL can use a system browser.
OperatingSystemAccount	A special account value that indicates that the current operating system account should be used to log the user in. Not all operating systems and authentication flows support this concept, in which case calling AcquireTokenSilent(IEnumerable<String>, IAccount) will throw an MsalUiRequiredException.
UserTokenCache	User token cache. It holds access tokens, id tokens and refresh tokens for accounts. It's used and updated silently if needed when calling AcquireTokenSilent(IEnumerable<String>, IAccount) or one of the overrides of AcquireTokenSilent(IEnumerable<String>, IAccount). It is updated by each AcquireTokenXXX method, with the exception of `AcquireTokenForClient` which only uses the application cache (see `IConfidentialClientApplication`). (Inherited from ClientApplicationBase)

Methods

AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)	Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this overrides is pulled from the operating system as the current user principal name.
AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString)	Obsolete. Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. See https://aka.ms/msal-net-up for details.
AcquireTokenByUsernamePassword(IEnumerable<String>, String, String)	Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. See https://aka.ms/msal-net-up for details.
AcquireTokenInteractive(IEnumerable<String>)	Interactive request to acquire a token for the specified scopes. The interactive window will be parented to the specified window. The user will be required to select an account.
AcquireTokenSilent(IEnumerable<String>, IAccount)	[V3 API] Attempts to acquire an access token for the `account` from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details (Inherited from ClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)	[V3 API] Attempts to acquire an access token for the IAccount having the Username match the given `loginHint`, from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details (Inherited from ClientApplicationBase)
AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>)	Acquires a security token on a device without a web browser, by letting the user authenticate on another device. This is done in two steps: The method first acquires a device code from the authority and returns it to the caller via the `deviceCodeResultCallback`. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code) The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information See https://aka.ms/msal-device-code-flow.
GetAccountAsync(String, CancellationToken)	Get the IAccount by its identifier among the accounts available in the token cache. (Inherited from ClientApplicationBase)
GetAccountAsync(String)	Get the IAccount by its identifier among the accounts available in the token cache. (Inherited from ClientApplicationBase)
GetAccountsAsync()	Returns all the available accounts in the user token cache for the application. (Inherited from ClientApplicationBase)
GetAccountsAsync(CancellationToken)	Returns all the available accounts in the user token cache for the application. (Inherited from ClientApplicationBase)
GetAccountsAsync(String, CancellationToken)	Get the IAccount collection by its identifier among the accounts available in the token cache, based on the user flow. This is for Azure AD B2C scenarios. (Inherited from ClientApplicationBase)
GetAccountsAsync(String)	Get the IAccount collection by its identifier among the accounts available in the token cache, based on the user flow. This is for Azure AD B2C scenarios. (Inherited from ClientApplicationBase)
IsBrokerAvailable()	Returns `true` if an authentication broker can be used. This method is only needed for mobile scenarios which support Mobile Application Management (MAM). In other cases, use `WithBroker`, which will fall back to use a browser if an authentication broker is unavailable.
IsEmbeddedWebViewAvailable()	Returns `true` if MSAL can use an embedded web view (web browser).
IsProofOfPossessionSupportedByClient()	Used to determine if the currently available broker is able to perform Proof-of-Possession.
IsUserInteractive()	Returns `false` when the application runs in headless mode (e.g., when SSH-d into a Linux machine). Browsers (web views) and brokers cannot be used if there is no UI support. For those scenarios, use AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>).
RemoveAsync(IAccount, CancellationToken)	Removes all tokens in the cache for the specified account. (Inherited from ClientApplicationBase)
RemoveAsync(IAccount)	Removes all tokens in the cache for the specified account. (Inherited from ClientApplicationBase)

Explicit Interface Implementations

IByRefreshToken.AcquireTokenByRefreshToken(IEnumerable<String>, String)

Acquires an access token from an existing refresh token and stores it, and the refresh token, in the user token cache, where it will be available for further AcquireTokenSilent calls. This method can be used in migration to MSAL from ADAL v2, and in various integration scenarios where you have a RefreshToken available. See https://aka.ms/msal-net-migration-adal2-msal2.

Extension Methods

IsEmbeddedWebViewAvailable(IPublicClientApplication)	Returns true if MSAL can use an embedded webview (browser).
IsSystemWebViewAvailable(IPublicClientApplication)	Returns true if MSAL can use a system browser.
IsUserInteractive(IPublicClientApplication)	Returns false when the program runs in headless OS, for example when SSH-ed into a Linux machine. Browsers (webviews) and brokers cannot be used if there is no UI support. Instead, please use AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>) or AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)
IsProofOfPossessionSupportedByClient(IPublicClientApplication)	Used to determine if the currently available broker is able to perform Proof-of-Possession.

Applies to

Condividi tramite