Disabling Kerberos in Webview based OpenID Connect Authentication


I'm using IdentityModel.OidcClient to authenticate a user in a WinForms application against Microsoft Entra ID. I'm using the WebView-based approach.

It works great. Too great.

Basically, the sign-in page never asks me for my username/email or password. It just seamlessly (hint..) signs me in using my currently logged-in Windows account.

I'm guessing this is because the Windows user currently logged into the machine running the WinForms app is in fact a valid user within the tenant I'm trying to authenticate against. So Microsoft's Seamless SSO kicks in and uses Kerberos to authenticate me. This is a really cool feature, but not always what I want.

In some cases I may want to explicitly choose a different user to sign in with. I don't want to disable Seamless SSO on the Entra ID side for the whole application/tenant, since in some cases this is exactly what I want.

So I'm looking for a way to explicitly tell WebView to not pass any Kerberos ticket along following a Negotiate challenge from the sign-in page. At least I think that's what I'm looking for - feel free to correct me if I'm on the wrong track.

The end result should look like this: my WinForms app has a "Sign In" button and a "Use current user" checkbox. Clicking the button with the checkbox checked authenticates me using Seamless SSO. Clicking the button with the checkbox unchecked results in Microsoft's sign-in page asking me for my credentials.

I'm really stuck here since the internet is full of content describing how to get SSO working... not much out there about how to get it to stop working :D


1 answer

Ar Es On BEST ANSWER

I went about this in the wrong way. This can be handled on the OIDC side by adding prompt=login to the authorization code request:

// Extra query parameters appended to the authorization request (the "front channel").
var frontChannelExtraParameters = new IdentityModel.Client.Parameters();
if (!useCurrentUser)
    // prompt=login tells Entra ID to require fresh credential entry, bypassing Seamless SSO.
    frontChannelExtraParameters.Add("prompt", "login");

var loginResult = await oidcClient.LoginAsync(
    new LoginRequest()
    {
        FrontChannelExtraParameters = frontChannelExtraParameters
    }
);
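The answer above shows the key line; the following is an added example (not code from the original post or from the IdentityModel project) showing the whole "Sign In" button plus "Use current user" checkbox wired to IdentityModel.OidcClient, with the prompt parameter chosen from the checkbox. It assumes a WebView-backed `IBrowser` implementation (the hypothetical `WebViewBrowser` passed into the form; OidcClient only ships the interface), and the tenant ID, client ID and redirect URI are placeholders to be replaced with your app registration's values. It also goes one step beyond the answer: `prompt=select_account` is shown as an alternative that interrupts SSO with Entra ID's account picker instead of forcing a password entry, which is closer to "choose a different user" when the goal is account selection rather than re-authentication.

```csharp
// Added example (not from the original post). Assumes a WebView-based IBrowser
// implementation called WebViewBrowser exists elsewhere in the app (hypothetical
// name); tenant id, client id and redirect URI below are placeholders.
using System;
using System.Threading.Tasks;
using System.Windows.Forms;
using IdentityModel.Client;            // Parameters
using IdentityModel.OidcClient;        // OidcClient, OidcClientOptions, LoginRequest
using IdentityModel.OidcClient.Browser; // IBrowser

public class SignInForm : Form
{
    private readonly OidcClient _oidcClient;
    private readonly CheckBox _useCurrentUser = new CheckBox { Text = "Use current user", Checked = true, Left = 10, Top = 10 };
    private readonly Button _signIn = new Button { Text = "Sign In", Left = 10, Top = 40 };
    private readonly Label _status = new Label { Left = 10, Top = 80, Width = 400 };

    public SignInForm(IBrowser webViewBrowser)
    {
        var options = new OidcClientOptions
        {
            // Placeholder tenant id; the v2.0 authority serves OIDC discovery metadata.
            Authority = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
            ClientId = "11111111-1111-1111-1111-111111111111",   // placeholder app registration
            RedirectUri = "http://localhost/winforms-callback",  // must match the app registration
            Scope = "openid profile email",
            Browser = webViewBrowser,                            // hypothetical WebView2-backed IBrowser
        };
        _oidcClient = new OidcClient(options);

        Controls.Add(_useCurrentUser);
        Controls.Add(_signIn);
        Controls.Add(_status);
        _signIn.Click += async (sender, e) => await SignInAsync();
    }

    // Chooses the front-channel parameters that control whether Seamless SSO may run.
    //   useCurrentUser = true  -> no prompt parameter; Entra ID may complete Kerberos SSO silently.
    //   useCurrentUser = false -> prompt=login forces fresh credential entry,
    //                             or prompt=select_account shows the account picker instead.
    public static Parameters BuildFrontChannelParameters(bool useCurrentUser, bool pickAccountOnly = false)
    {
        var parameters = new Parameters();
        if (!useCurrentUser)
            parameters.Add("prompt", pickAccountOnly ? "select_account" : "login");
        return parameters;
    }

    private async Task SignInAsync()
    {
        _signIn.Enabled = false;
        try
        {
            var result = await _oidcClient.LoginAsync(new LoginRequest
            {
                FrontChannelExtraParameters = BuildFrontChannelParameters(_useCurrentUser.Checked),
            });

            // OidcClient reports protocol and browser failures through IsError rather than exceptions.
            if (result.IsError)
            {
                _status.Text = "Sign-in failed: " + result.Error;
                return;
            }

            // Show which account actually signed in, so a wrong silent SSO is visible to the user.
            var account = result.User.FindFirst("preferred_username")?.Value
                          ?? result.User.Identity?.Name
                          ?? "(no name claim)";
            _status.Text = "Signed in as " + account;
        }
        finally
        {
            _signIn.Enabled = true;
        }
    }
}
```

`BuildFrontChannelParameters` is kept static and side-effect free so it can be unit tested without a browser; the rest of the form only decides when to call it. Displaying `preferred_username` after login is the cheap check that the account the user expected is the one the token was issued for, which matters precisely when silent SSO can pick an account for you.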