
[Bug] IConfidentialClientApplication randomly generating token with older version (v1.0) #5024

Closed
arifskhangmail opened this issue Dec 16, 2024 · 1 comment

Comments


Library version used

4.65.0

.NET version

.Net Framework 4.8

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

We have a WCF service (in .NET Framework 4.8).
It's an on-prem setup.

Our service tries to acquire a token from AAD and invokes another endpoint (passing the token in the authorization header).
For acquiring the token it's using Microsoft.Identity.Client (4.65.0).
We are noticing that ~0.05% of our calls to the web API are failing with an HTTP 401 error.
On further debugging, we realized that randomly, for some instances, the AAD token fetched is of v1.0, and so the subsequent call fails.
For most of the requests the correct version (v2.0) token is generated, but randomly for some requests it's creating a v1.0 token.

Relevant code snippets

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;

public static class TokenProvider
{
	// Settings come from the appSettings below (assumed: read via ConfigurationManager);
	// the certificate is loaded by subject elsewhere in the service and is not shown in the report.
	static readonly string appAuthClientId = ConfigurationManager.AppSettings["appAuthClientId"];
	static readonly string appAuthAuthority = ConfigurationManager.AppSettings["appAuthAuthority"];
	static readonly string appAuthScopes = ConfigurationManager.AppSettings["appAuthScopes"];
	static X509Certificate2 aadAppClientCert;

	public static string GetToken()
	{
		string[] scopes = new string[1]
		{
			appAuthScopes
		};

		// Built on every call: MSAL's in-memory token cache belongs to this instance, so nothing is reused between calls.
		IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(appAuthClientId)
			.WithCertificate(aadAppClientCert)
			.WithAuthority(new Uri(appAuthAuthority))
			.Build();

		// Client-credentials flow; WithSendX5C(true) includes the certificate chain (x5c) in the client assertion header.
		var authenticationResult = app.AcquireTokenForClient(scopes)
			.WithSendX5C(true)
			.ExecuteAsync()
			.ConfigureAwait(false);

		// Synchronous caller: block on the configured awaitable.
		var result = authenticationResult.GetAwaiter().GetResult();

		return result.AccessToken;
	}
}
```

```xml
<add key="appAuthClientId" value="some-aad-clientid"/>
<add key="appAuthClientCert" value="cert-subject"/>
<add key="appAuthAuthority" value="https://login.microsoftonline.com/<tenant>/v2.0"/>
<add key="appAuthScopes" value="<app-id-uri>"/>
```

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response


bgavrilMS commented Dec 19, 2024

Hi @arifskhangmail

The version of the access token depends on the app manifest of the web api. In other words, Entra ID will issue a token with a version that is acceptable for the downstream API. See https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#token-formats

The version of the ID token is always v2 (except for WAM desktop app scenarios) and you can rely on that. ID tokens are not issued for service principals (AcquireTokenForClient).

Important: clients should never parse access tokens. The access token format could change, for example a tenant admin can enable token encryption and in this case Entra ID will issue JWEs instead of JWTs.

If you have your own web API, we recommend that you always set it to accept v2 tokens in the app manifest by setting "accessTokenAcceptedVersion": 2.

@bgavrilMS bgavrilMS closed this as not planned Won't fix, can't repro, duplicate, stale Dec 19, 2024
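As an added illustration (not part of the thread and not MSAL's own material), here is the app manifest setting the reply refers to, shown with the default that results in v1.0 access tokens beside the corrected value. `accessTokenAcceptedVersion` is the legacy manifest key named in the reply; the app id and identifier URI are constructed placeholders.

```jsonc
// Before: manifest default. With null (or 1) the web API is registered for v1.0
// access tokens, so Entra ID issues v1.0 tokens to any client calling it.
{
  "appId": "00000000-0000-0000-0000-000000000000",   // placeholder, not a real app id
  "identifierUris": [ "api://downstream-web-api" ],  // constructed placeholder
  "accessTokenAcceptedVersion": null
}

// After: the downstream API asks Entra ID for v2.0 access tokens.
{
  "appId": "00000000-0000-0000-0000-000000000000",   // placeholder, not a real app id
  "identifierUris": [ "api://downstream-web-api" ],  // constructed placeholder
  "accessTokenAcceptedVersion": 2
}
```

The setting belongs to the web API's registration, not the calling service's: the client's `/v2.0` authority does not decide the access token version. Whichever version the API accepts, its own token validation (issuer and audience checks) has to match that version's claim format, while the client, as the reply notes, should treat the access token as opaque and never inspect it.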