
[Feature Request] Add an option to bypass User Discovery when using UsernamePasswordParameters with acquireToken  #834

@fume

Description


MSAL client type

Public

Problem Statement

When executing acquireToken on the PublicClientApplication with a UsernamePasswordParameters object, a user discovery is made to understand whether the user is a federated one or not. In case the user is federated, a WS-Trust request is then made to obtain a SAML 1.1 token, which is then exchanged for a JWT via Entra ID.

For a while now, Entra ID has supported (but discouraged) the ROPC flow for federated users directly against Entra ID.

If you have everything set up on Entra ID, MSAL will still not do ROPC against Entra ID, since it makes its decision based on the user discovery, i.e. based on the username in the UsernamePasswordParameters object.
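For readers who have not used this flow, the following is an added example (not code from the issue or from the MSAL project) showing the acquireToken call the problem statement refers to, using the msal4j API. The client id, authority, username and password are constructed placeholders; the comments mark where the user discovery described above happens inside the library.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UsernamePasswordParameters;

import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

public class RopcExample {

    // Constructed placeholders: replace with your app registration's values.
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
    private static final Set<String> SCOPES = Collections.singleton("User.Read");

    public static IAuthenticationResult acquireWithPassword(String username, char[] password) throws Exception {
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();

        UsernamePasswordParameters parameters = UsernamePasswordParameters
                .builder(SCOPES, username, password)
                .build();

        try {
            // MSAL first resolves the user realm for `username`. For a managed
            // (cloud-only) account it sends the ROPC grant straight to the
            // configured authority; for a federated account it goes through
            // WS-Trust to obtain a SAML 1.1 assertion and exchanges that at
            // Entra ID. That federated branch is the one the feature request
            // asks to be able to skip; there is no switch for it today.
            return pca.acquireToken(parameters).get();
        } finally {
            // The password is only needed for this one call; do not keep it in memory.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; in a real app these come from a secure source, never from a log or a hard-coded string.
        char[] password = "placeholder-password".toCharArray();
        IAuthenticationResult result = acquireWithPassword("user@contoso.example", password);
        System.out.println("Signed in as " + result.account().username());
        System.out.println("Access token expires at " + result.expiresOnDate());
    }
}
```

The password is passed as a char[] rather than a String so it can be wiped after the call; because ROPC sends the credential to the token endpoint directly, it also bypasses any interactive MFA, which is why the issue notes that Entra ID discourages the flow even where it is allowed.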

Proposed solution

Add a parameter to tell MSAL to bypass the User Discovery and directly make the ROPC request against the configured authority, regardless of whether the user is federated or not.

Alternatives

As of now the only alternative is to use a cloud-only (non-federated) user.

cc: @Avery-Dunn


Labels: Enhancement (a request or suggestion to improve some aspect of the library), public-client (for questions/issues related to public client apps)
