MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call. #683

Open
4 of 17 tasks
bastonnc opened this issue Apr 6, 2023 · 6 comments

bastonnc commented Apr 6, 2023

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. Web app calling several APIs 3-WebApp-multi-APIs
  4. Web app calling your own Web API
    1. with a work and school account in your organization: 4-WebApp-your-API/4-1-MyOrg
    2. with B2C users: 4-WebApp-your-API/4-2-B2C
    3. with any work and school account: 4-WebApp-your-API/4-3-AnyOrg
  5. Web app restricting users
    1. by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. Deployment to Azure
  7. Other (please describe)

Repro-ing the issue

Repro steps

I have a .NET 6 web app that uses Graph to access info from my AAD. I had gone through the process of adding role restrictions and group restrictions. I'm using memory token cache and a middleware I built myself. I realized I didn't need group restrictions, mainly because it didn't work as expected, and as I was going through the process of removing those moving parts, it all went wrong. MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call. I tracked the problem down to the middleware, where it has this line:

```csharp
var tokenAcquisition = httpContext.RequestServices.GetRequiredService<ITokenAcquisition>();
```

The middleware is used to make a Graph request and then put the base64 data of the user profile pic in a custom claim.

The thing is, the problem started roughly at 11am, but I've had this middleware untouched for three days with no issue. I tried going back in my Git to two days ago, even though it was working fine yesterday, and the problem persists. My code doesn't logically seem to be the issue. I see it as if the problem is like barbs on a fence and my middleware a shirt getting caught on it; you can remove the shirt and be fine, but the barbs are still there (and I need the shirt to not be naked).

I've looked at this issue here, but it doesn't exactly match my situation: #540

I'm mainly confused because all was fine until it just wasn't.

This is my first time making a GitHub bug report/call for help, so I'm fairly certain I should be giving other information but I don't know what it is. I'll be happy to provide it though.

Expected behavior
The app starts, the cookie is there meaning the user is still signed in, so it uses that information to log the user in. The middleware doesn't fumble the ball and I have the information from the Graph request. (It was doing it this morning)

Actual behavior
The app starts, the cookie is there meaning the user is still signed in, so it uses that information to log the user in. The middleware fumbles the ball because the token is expired probably and an exception is thrown. MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.

Possible Solution
The issue referred to earlier has a workaround.

Additional context/ Error codes / Screenshots

Any log messages given by the failure

Add any other context about the problem here, such as logs.

info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://localhost:7298
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://localhost:5119
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\Users\myself\source\repos\name\name
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:46Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:46Z - c37c315a-b337-45ea-b02f-93b47485eaa3] [Region discovery] Not using a regional authority.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:46Z] Found 0 cache accounts and 0 broker accounts
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:46Z] Returning 0 accounts
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] MSAL MSAL.NetCore with assembly version '4.51.0.0'. CorrelationId(b6642d77-61b8-468c-b5a6-8755bb4ee695)
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] === AcquireTokenSilent Parameters ===
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] LoginHint provided: False
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] Account provided: False
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] ForceRefresh: False
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read User.ReadBasic.All Directory.Read.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b6642d77-61b8-468c-b5a6-8755bb4ee695
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] === Token Acquisition (SilentRequest) started:
Scopes: User.Read User.ReadBasic.All Directory.Read.All
Authority Host: login.microsoftonline.com
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization
fail: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.51.0.0 MSAL.NetCore .NET 6.0.15 Microsoft Windows 10.0.22621 [2023-04-06 20:47:47Z - b6642d77-61b8-468c-b5a6-8755bb4ee695] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: user_null
HTTP StatusCode 0
CorrelationId

     at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
     at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

info: Microsoft.Identity.Web.TokenAcquisition[300]
[MsIdWeb] An error occured during token acquisition: No account or login hint was passed to the AcquireTokenSilent call.
MSAL.NetCore.4.51.0.0.MsalUiRequiredException:
ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebAppWithAccountFromCacheAsync(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable`1 scopes, String tenantId, MergedOptions mergedOptions, String userFlow, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
StatusCode: 0
ResponseBody:
Headers:
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
Status Code: 0
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.

   ---> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
   ---> MSAL.NetCore.4.51.0.0.MsalUiRequiredException:
    ErrorCode: user_null

Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call.
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebAppWithAccountFromCacheAsync(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable`1 scopes, String tenantId, MergedOptions mergedOptions, String userFlow, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
StatusCode: 0
ResponseBody:
Headers:
--- End of inner exception stack trace ---
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAccessTokenForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
at RapportBudgetEcoles.Middlewares.AddCustomClaims.<>c__DisplayClass3_0.<b__0>d.MoveNext() in C:\Users\bastonnc\source\repos\RapportBudgetEcoles\RapportBudgetEcoles\Middlewares\AddCustomClaims.cs:line 37
--- End of stack trace from previous location ---
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at Microsoft.Graph.BaseRequest.SendStreamRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at RapportBudgetEcoles.Middlewares.AddCustomClaims.InvokeAsync(HttpContext httpContext) in C:\Users\bastonnc\source\repos\RapportBudgetEcoles\RapportBudgetEcoles\Middlewares\AddCustomClaims.cs:line 47
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

OS and Version?

Windows 11 but my system always says 10

Versions

of ASP.NET Core, of MSAL.NET
net6.0

Attempting to troubleshooting yourself:

I tried making a new Azure app but it didn't change anything.

Mention any other details that might be useful


Thanks! We'll be in touch soon.


bastonnc commented Apr 6, 2023

Update:
I shut down my laptop when I left work. It turned on by itself (like a big boy).

Now it works. I don't know if I should be mad or relieved. Oh well, that's six hours I'm not getting back...

bastonnc closed this as not planned on Apr 6, 2023
bastonnc reopened this on Apr 6, 2023

bastonnc commented Apr 6, 2023

I'm re-opening in case a genius has a clue as to what might've happened, as it might happen again.


bastonnc commented Apr 7, 2023

I managed to re-create it three or four times by removing Directory.Read.All from everything while also being connected to my workplace through a VPN, but now I can't do it again even when those requirements are met. Odd thing is even when I re-institute the scopes I removed, the laptop always needs a restart to fix it. :\

MattCosturos commented

I too am running into this issue.
I tried many things, but restarting was the only way to resolve the issue.

Now that I have restarted, I can stop and restart my webapp, and the error comes back.
But I am able to resolve the error by logging out, then logging back in.
There is something going on with the token cache not working correctly.

msisterna commented

Hi, I have the same issue. Anyone found out the solution?

jmprieur (Contributor) commented

Did you use the AuthorizeForScopes attribute on the controller or the controller action?
https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access
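
Added example (not posted by any participant in this thread and not code from this repository): one way to handle the state visible in the logs above, where the sign-in cookie is still valid but MSAL reports "Found 0 cache accounts" and fails with `user_null`, is to reject the session cookie during cookie validation so the user goes through sign-in again and the token cache is repopulated. This matters for custom middleware because `AuthorizeForScopes` is an MVC exception filter and does not wrap code that runs in the middleware pipeline. The class name is hypothetical and the scope is taken from the logged request.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Hypothetical class name, chosen for this example.
internal sealed class RejectSessionCookieWhenAccountNotInCacheEvents : CookieAuthenticationEvents
{
    // Scope copied from the "Scopes -" line in the issue's log; use the scopes your app requests.
    private static readonly string[] Scopes = { "User.Read" };

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        try
        {
            var tokenAcquisition = context.HttpContext.RequestServices
                .GetRequiredService<ITokenAcquisition>();

            // Silent acquisition for the principal restored from the cookie.
            // Succeeds from the cache when an account for this user is present.
            await tokenAcquisition.GetAccessTokenForUserAsync(Scopes, user: context.Principal);
        }
        catch (MicrosoftIdentityWebChallengeUserException ex)
            when (ex.InnerException is MsalUiRequiredException { ErrorCode: "user_null" })
        {
            // The cookie authenticates the user, but the token cache has no account
            // for them (for example an in-memory cache emptied by an app restart).
            // Drop the principal so the request is treated as unauthenticated.
            context.RejectPrincipal();
        }
        // Other MsalUiRequiredException causes (consent, conditional access) are left
        // to propagate to whatever handles them elsewhere in the app.
    }
}

// Registration in Program.cs, after AddMicrosoftIdentityWebApp(...):
// builder.Services.Configure<CookieAuthenticationOptions>(
//     CookieAuthenticationDefaults.AuthenticationScheme,
//     options => options.Events = new RejectSessionCookieWhenAccountNotInCacheEvents());
```

Once the principal is rejected, any endpoint that requires authorization triggers the normal sign-in challenge; middleware that calls Graph should check `httpContext.User.Identity?.IsAuthenticated` before requesting a token.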
