[Bug] AcquireTokenInteractive fails to continue if ClientSecretCredential is used when calling AddAzureKeyVault #5424

@MattOG

Description

Library version used

4.66.2

.NET version

.NET 8.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

When building the PublicClientApplication, I'm adding Azure Key Vault using a ClientSecretCredential to load some configuration settings.

Later, the app gets a token to access an API using AcquireTokenInteractive.
After the user completes the login process, the window sometimes shows "Authentication complete. You can return to the application. Feel free to close this browser tab." and sometimes does not; either way, the code doesn't continue.

If the initial call to Key Vault is instead set up with DefaultAzureCredential, the app carries on as expected after the login process completes.

ClientSecretCredential - Fail.log
DefaultAzureCredential - Succeed.log
InteractiveBrowserCredential - Fail.log

Relevant code snippets

using System;
using System.Linq;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

// Initial code. Using azureCsCredential for Key Vault makes the later
// AcquireTokenInteractive call hang; using azureDaCredential lets it continue.
// Key Vault settings
var tenantId = configuration["AzureAd:TenantId"];
var clientId = configuration["AzureAd:ClientId"];
var clientSecret = configuration["AzureAd:ClientSecret"];
var azureCsCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var azureDaCredential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { TenantId = tenantId });
var keyVaultEndPoint = new Uri(configuration["AzureKeyVault:KeyVaultEndPoint"]);
// Swap azureCsCredential for azureDaCredential here to get the working behaviour.
configurationBuilder.AddAzureKeyVault(keyVaultEndPoint, azureCsCredential);
_configuration = configurationBuilder.Build();

_publicClientApplication = PublicClientApplicationBuilder.Create(proNetDesktopClientId)
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
    .WithDefaultRedirectUri()
    .Build();

// Token retrieval
public AuthenticationResult GetToken(string baseAddress)
{
    AuthenticationResult authResult = null;
    // The app blocks synchronously on the async MSAL calls with .Result.
    var accounts = _publicClientApplication.GetAccountsAsync().Result;
    var firstAccount = accounts.FirstOrDefault();
    var scope = _configuration.GetRequiredSection("AzureAd:Scopes").Value;
    var scopes = new[] { scope };

    try
    {
        // Try the token cache first; this throws when user interaction is required.
        authResult = _publicClientApplication.AcquireTokenSilent(scopes, firstAccount).ExecuteAsync().Result;
    }
    catch (Exception)
    {
        try
        {
            // THIS DOESN'T CONTINUE IF CLIENTSECRET WAS USED EARLIER
            authResult = _publicClientApplication.AcquireTokenInteractive(scopes)
                .ExecuteAsync()
                .Result;
        }
        catch (MsalException)
        {
            // Note: .Result wraps a faulted task's exception in an AggregateException,
            // so this clause is not reached; the failure lands in the catch below.
        }
        catch (Exception)
        {
            // Interactive sign-in failed or was cancelled; authResult stays null.
        }
    }

    return authResult;
}

Expected behavior

The app should carry on after receiving the token.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
