I have a Blazor (SSR) app that makes a call to another service on behalf of the logged-in user. To get the bearer token I call:
await tokenAcquisition.GetAccessTokenForUserAsync(["api://<myappid>/user_impersonation"]);
But the first time in a session the user does this, I get a MicrosoftIdentityWebChallengeUserException
with an InnerException that reads "No account or login hint was passed to the AcquireTokenSilent call." Calling ConsentHandler.HandleException(ex);
on that exception fixes the issue without the user having to do anything, but it does cause a refresh, which causes a new session to start. Subsequent calls work as expected.
I assume it's something to do with the token cache being empty, but is there a way to get a token with an appropriate scope at login rather than when the user clicks the button that makes the external call?
Would using .EnableTokenAcquisitionToCallDownstreamApi([scope])
work if I switched to the DownstreamApi rather than using Flurl to make the call? (DownstreamApi makes my brain hurt)