Share via


IPublicClientApplication Interface

Definition

Represents public client applications - desktop and mobile applications.

public interface IPublicClientApplication : Microsoft.Identity.Client.IClientApplicationBase
type IPublicClientApplication = interface
    interface IClientApplicationBase
    interface IApplicationBase
Public Interface IPublicClientApplication
Implements IClientApplicationBase
Derived
Implements

Remarks

Public client applications are not trusted to safely keep application secrets and therefore they can only access web APIs in the name of the authenticating user. See Client Applications.

Unlike IConfidentialClientApplication, public clients are unable to securely store secrets on a client device and as a result do not require the use of a client secret.

The redirect URI needed for interactive authentication is automatically determined by the library. It does not need to be passed explicitly in the constructor. Depending on the authentication strategy (e.g., through the Web Account Manager, the Authenticator app, web browser, etc.), different redirect URIs will be used by MSAL. Redirect URIs must always be configured for the application in the Azure Portal.

Properties

AppConfig

Details on the configuration of the ClientApplication for debugging purposes.

(Inherited from IClientApplicationBase)
Authority

Gets the URL of the authority, or the security token service (STS) from which MSAL.NET will acquire security tokens. The return value of this property is either the value provided by the developer in the constructor of the application, or otherwise the value of the Microsoft.Identity.Client.ApplicationBase.DefaultAuthority static member (that is https://login.microsoftonline.com/common/)

(Inherited from IClientApplicationBase)
ClientId
Obsolete.

Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app) and as passed in the constructor of the application.

(Inherited from IClientApplicationBase)
Component
Obsolete.

Identifier of the component (libraries/SDK) consuming MSAL.NET. This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.

(Inherited from IClientApplicationBase)
IsSystemWebViewAvailable

Tells if the application can use the system web browser, therefore enabling single-sign-on with web applications. By default, MSAL will try to use a system browser on the mobile platforms, if it is available. See our documentation for more details.

RedirectUri
Obsolete.

The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens. This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app) In MSAL.NET, PublicClientApplication define the following default RedirectUri values:

  • urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
  • msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these platforms to call back the application)
These default URIs could change in the future. In ConfidentialClientApplication, this can be the URL of the web application / web API. (Inherited from IClientApplicationBase)
SliceParameters
Obsolete.

Sets or Gets a custom query parameters that may be sent to the STS for dogfood testing or debugging. This is a string of segments of the form key=value separated by an ampersand character. Unless requested otherwise, this parameter should not be set by application developers as it may have adverse effect on the application.

(Inherited from IClientApplicationBase)
Users
Obsolete.

In MSAL 1.x returned an enumeration of IUser. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
UserTokenCache

User token cache which holds ID tokens, access tokens, and refresh tokens for accounts. It's used and updated silently if needed when calling AcquireTokenSilent(IEnumerable<String>, IAccount) It is updated by each acquire token method, with the exception of AcquireTokenForClient(IEnumerable<String>) which only uses the application cache (see AppTokenCache).

(Inherited from IClientApplicationBase)
ValidateAuthority
Obsolete.

Gets a boolean value telling the application if the authority needs to be verified against a list of known authorities. The default value is true. It should currently be set to false for Azure AD B2C authorities as those are customer specific (a list of known B2C authorities cannot be maintained by MSAL.NET)

(Inherited from IClientApplicationBase)

Methods

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, IEnumerable<String>, String, UIParent)
Obsolete.

Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, IEnumerable<String>, String)
Obsolete.

Interactive request to acquire token for a given account, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String, UIParent)
Obsolete.

Interactive request to acquire token for an account with control of the UI behavior and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, IAccount, Prompt, String)
Obsolete.

Interactive request to acquire token for an account with control of the UI behavior and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, IAccount, UIParent)
Obsolete.

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the provided account

AcquireTokenAsync(IEnumerable<String>, IAccount)
Obsolete.

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the provided account

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, IEnumerable<String>, String, UIParent)
Obsolete.

Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, IEnumerable<String>, String)
Obsolete.

Interactive request to acquire token for a given login, with the possibility of controlling the user experience, passing extra query parameters, providing extra scopes that the user can pre-consent to, and overriding the authority pre-configured in the application

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String, UIParent)
Obsolete.

Interactive request to acquire token for a login with control of the UI behavior and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, String, Prompt, String)
Obsolete.

Interactive request to acquire token for a login with control of the UI behavior and possibility of passing extra query parameters like additional claims

AcquireTokenAsync(IEnumerable<String>, String, UIParent)
Obsolete.

Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified window. . The user will need to sign-in but an account will be proposed based on the loginHint

AcquireTokenAsync(IEnumerable<String>, String)
Obsolete.

Interactive request to acquire token for the specified scopes. The user will need to sign-in but an account will be proposed based on the loginHint

AcquireTokenAsync(IEnumerable<String>, UIParent)
Obsolete.

Interactive request to acquire token for the specified scopes. The interactive window will be parented to the specified window. The user will be required to select an account

AcquireTokenAsync(IEnumerable<String>)
Obsolete.

Interactive request to acquire token for the specified scopes. The user is required to select an account

AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)

This API is no longer recommended and will be deprecated in future versions in favor of similar functionality via the Windows broker (WAM). WAM does not require any setup for desktop apps to login with the Windows account.

Acquires a token non-interactively for the signed-in user in Windows via Integrated Windows Authentication. The account used in this overrides is pulled from the operating system as the current user principal name. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache.

AcquireTokenByIntegratedWindowsAuthAsync(IEnumerable<String>, String)
Obsolete.

Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this overrides is pulled from the operating system as the current user principal name

AcquireTokenByIntegratedWindowsAuthAsync(IEnumerable<String>)
Obsolete.

Non-interactive request to acquire a security token for the signed-in user in Windows, via Integrated Windows Authentication. See https://aka.ms/msal-net-iwa. The account used in this overrides is pulled from the operating system as the current user principal name

AcquireTokenByUsernamePassword(IEnumerable<String>, String, SecureString)
Obsolete.

Non-interactive request to acquire a token via username and password authentication.

AcquireTokenByUsernamePassword(IEnumerable<String>, String, String)

Acquires a token without user interaction using username and password authentication. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache.

AcquireTokenByUsernamePasswordAsync(IEnumerable<String>, String, SecureString)
Obsolete.

Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. See https://aka.ms/msal-net-up.

AcquireTokenInteractive(IEnumerable<String>)

Acquires a token interactively for the specified scopes. Either a system browser, an embedded browser, or a broker will handle this request, depending on the version of .NET framework used and on configuration. For Microsoft Entra applications, a broker is recommended. See Windows Broker. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache. See Interactive Authentication.

AcquireTokenSilent(IEnumerable<String>, IAccount)

Attempts to acquire an access token for the account from the user token cache, with advanced parameters controlling the network call. See Acquire tokens silently.

(Inherited from IClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)

Attempts to acquire an access token for the loginHint from the user token cache, with advanced parameters controlling the network call. See Acquire tokens silently.

(Inherited from IClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount, String, Boolean)
Obsolete.

Attempts to acquire and access token for the account from the user token cache, with advanced parameters making a network call.

(Inherited from IClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount)
Obsolete.

Attempts to acquire an access token for the account from the user token cache.

(Inherited from IClientApplicationBase)
AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>)

Acquires a token on a device without a web browser by letting the user authenticate on another device. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache.

AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, Func<DeviceCodeResult,Task>, CancellationToken)
Obsolete.

Acquires a security token on a device without a web browser, by letting the user authenticate on another device, with possibility of cancelling the token acquisition before it times out. This is done in two steps:

  • the method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, Func<DeviceCodeResult,Task>)
Obsolete.

Acquires a security token on a device without a web browser, by letting the user authenticate on another device. This is done in two steps:

  • the method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, String, Func<DeviceCodeResult,Task>, CancellationToken)
Obsolete.

Acquires a security token on a device without a web browser, by letting the user authenticate on another device, with possibility of passing extra query parameters and cancelling the token acquisition before it times out. This is done in two steps:

  • the method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information. This step is cancelable
See https://aka.ms/msal-device-code-flow.
AcquireTokenWithDeviceCodeAsync(IEnumerable<String>, String, Func<DeviceCodeResult,Task>)
Obsolete.

Acquires a security token on a device without a web browser, by letting the user authenticate on another device, with possibility of passing extra parameters. This is done in two steps:

  • the method first acquires a device code from the authority and returns it to the caller via the deviceCodeResultCallback. This callback takes care of interacting with the user to direct them to authenticate (to a specific URL, with a code)
  • The method then proceeds to poll for the security token which is granted upon successful login by the user based on the device code information
See https://aka.ms/msal-device-code-flow.
GetAccountAsync(String)

Get the IAccount by its identifier among the accounts available in the token cache and of the same environment (authority host) as Authority.

(Inherited from IClientApplicationBase)
GetAccountsAsync()

Returns all the available accounts in the user token cache for the application.

(Inherited from IClientApplicationBase)
GetAccountsAsync(String)

Only for Azure AD B2C scenarios, get the IAccount collection by its identifier among the accounts available in the token cache based on the user flow.

(Inherited from IClientApplicationBase)
GetUser(String)
Obsolete.

In MSAL 1.x, return a user from its identifier. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
Remove(IUser)
Obsolete.

In MSAL 1.x removed a user from the cache. From MSAL 2.x, use RemoveAsync(IAccount) instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
RemoveAsync(IAccount)

Removes all tokens in the cache for the specified account.

(Inherited from IClientApplicationBase)

Extension Methods

IsEmbeddedWebViewAvailable(IPublicClientApplication)

Returns true if MSAL can use an embedded webview (browser).

IsSystemWebViewAvailable(IPublicClientApplication)

Returns true if MSAL can use a system browser.

IsUserInteractive(IPublicClientApplication)

Returns false when the program runs in headless OS, for example when SSH-ed into a Linux machine. Browsers (webviews) and brokers cannot be used if there is no UI support. Instead, please use AcquireTokenWithDeviceCode(IEnumerable<String>, Func<DeviceCodeResult,Task>) or AcquireTokenByIntegratedWindowsAuth(IEnumerable<String>)

IsProofOfPossessionSupportedByClient(IPublicClientApplication)

Used to determine if the currently available broker is able to perform Proof-of-Possession.

Applies to