I'm encountering an issue with the implementation of Single Sign-On (SSO) in our WPF application, and I'd appreciate some guidance or insights from the community.
Here's a breakdown of our setup:
- We have a main WPF application that utilizes ADFS with MSAL for login purposes.
- Within this application, we've developed a custom WebView2 control, leveraging the PublicClientApplication to integrate with our custom control.
- Additionally, we provide support for hosting web applications within our WPF application. Recently, we incorporated an Angular (SPA) web application into our WPF environment, which also uses ADFS with MSAL for login.
- Our objective is to enable Single Sign-On (SSO) functionality in the hosted web application, utilizing the cache generated during the login process of our WPF application.
We've managed to achieve this integration successfully. However, we encountered a roadblock when attempting to implement automatic login in the WPF application under specific conditions. More specifically:
- We aim to automate the login process in the WPF application if a certain flag, let's call it "SingleSignOnUser," is set to True by the user. This is accomplished using the AcquireTokenSilent API provided by PublicClientApplication.
- The issue arises when calling AcquireTokenSilent: it doesn't display any prompts at the start of the WPF application and logs in automatically, and we're unable to achieve Single Sign-On (SSO) functionality in the hosted web application.
It's important to note that we retain the user data folder in its path, and we're not deleting it along with the cache.
Has anyone else encountered a similar issue, or perhaps have insights into what might be causing this behavior?
Single Sign-On should be working with above scenario.
AcquireTokenSilent
but I think this knowledge is way easier to comprehend if you are familiar with standard OIDC. So with that in mind, are you aware if it's storingaccess_token
andrefresh_token
under the hood?access_token
andrefresh_token
have a validity period and it wouldn't require another authentication process if those are still valid. What I think you'd like to do instead is to set theexpires_in
to 0 from the IdP or don't storeaccess_token
at all. You may also want to excluderefresh_token
from the auth response as I'm not really clear on the requirements.