azuread / microsoft-authentication-library-for-js Goto Github PK

We have a custom logger and don't want this library to write to stdout by itself.

For now, this is how we overwrite the default bunyan logger:

  var Logging = require('passport-azure-ad/lib/logging');
  class CustomLogger {
    info(m) {}
    warn(m) {
      Log.warn('Azure AD: ' + m);
    }
    error(m) {
      Log.warn('Azure AD: ' + m);
    }
    levels(m) {}
  }
  Logging.getLogger = CustomLogger;
  var OIDCStrategy = require('passport-azure-ad').OIDCStrategy;

It seems to be working but we'd prefer to have a OIDCStrategy constructor option to do that.

Repro steps

1. Clone https://github.com/jmprieur/angular-msgraph-rest-sample-with-msaljs.git
2. Run the application (just follow the README.md of that repo. You don't need to register the application, though.
3. execute http://localhost:8080 in your favorite browser
4. Sign-in
5. Sign-out

Actual
the pages announces "which account do you want to use?", which is not clear. It even appears if you have signed-in with only one identity.
I guess, that you are requested to choose the account to sign-out (?). This is confusing. I thought initially that it was trying to sign-in.

Expected

• If the browser/msal knows the identity I signed-in with, this should be preselected?
• Or do we want to propose a separate experience where we can remove other identities?
  I'd like to discuss the experience, actually.

Question: Is it possible to use the token obtained by Msal.UserAgentApplication.acquireTokenSilent() method to post as a bearer authorization header to authenticate against a dotnet core Web API? If so, what should I use as JwtBearerOptions in app.UseJwtBearerAuthentication() method?

I tried the standard options used by one of my other apps that uses Azure Active Directory. But getting the following error:
IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId:

Hi,

I've cloned this repository and changed the settings to my Azure AD B2C. It opens the popup but it seems that during the process of acquiring the token, it's raising the error:

Refused to display 'https://login.microsoftonline.com/te/x.onmicrosoft.com/b2c_1_jms-su-si/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2Fx.onmicrosoft.com%2Fdemoapi%2Fdemo.read%20openid%20profile&client_id=d4ea3a10-bf58-43c7-9a0d-189a1cacee07&redirect_uri=http%3A%2F%2Flocalhost%3A62592%2F&state=b500b7af-6aee-4d32-8e34-5ec1ead1fa84&nonce=41fff769-56e9-41cf-a559-778dc10026e4&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=ea9d0c0b-38fd-49cc-921e-4e21176aaede&prompt=none&domain_req=534fe24d-0068-4fe9-84a2-7872f971da75&login_req=0f09664c-2e62-48c2-b26c-adc5acf9debf-b2c_1_jms-su-si&domain_hint=organizations' in a frame because it set 'X-Frame-Options' to 'deny'.

Is that because Chrome updated it's settings or it's a wrong configuration on my side?

I've just got Msal for JS working in an angular application but I had a problem supporting multiple login types for an Azure B2C scenario.

I was doing (for a quick proto)
environment.authSettings.forEach(setting => { //setup new msal and store in array });

I basically had something like
[{policyName: 'b2c_1_facebook',...}, {policyName: 'b2c_1_linkedin',...}, ...]

So that I could have a login(policy) function that picked the appropriate policy and logged in. What the problem is is that as a part of constructing the object, the current best practice is to grab window.msal as the current UserAgentApplication in the tokenRecievedCallback.

UserAgentApplication.ts sets
window.msal = this;

which was causing me to use the facebook agent app for my linkedin agent app.

Can you look at one of these options:

1. Making window.msal either an array of UserAgentApplications or a dictionary based on the policy name. I understand that this would be a breaking change but it would much more easily support Azure B2C.

2. Altering tokenRecievedCallback to pass in the userAgentApplication so that we can call the acquire methods on that argument.

Alternatively, if I'm completely missing something obvious that would let me pick out the right application after instantiating an array of them, do let me know. I currently have a hacky workaround that can complete this but this seems like a problem the greater community might want fixed.

If I'm not being clear, I can make a small repo to show what I'm trying to accomplish.

Thanks!

Currently, if a UI action asynchronously triggers multiple authenticated requests, only one token will get resolved. This is because only one iframe request ever gets made and the callback values set on window.callbacksMappedToRenewState are set for their unique authentication request state GUIDs.

I forked the MSAL.js SPA Sample and tried using loginRedirect instead of loginPopup. The problem I'm having is that sometimes the window.onload event is firing multiple times. It seems to correspond to the call to acquireTokenSilent.

Is there a working sample using loginRedirect for a SPA app?

Why is window.onload firing twice sometimes? Seems to be a timing bug/issue.

This branch has my minor changes plus some logging code to try to track this down.

Overview of my Changes

function login() {
            clientApplication.loginRedirect(applicationConfig.b2cScopes);
        }

var clientApplication = new Msal.UserAgentApplication(applicationConfig.clientID, applicationConfig.authority, (errorDesc, token, error, tokenType) => {
            // Called after loginRedirect or acquireTokenPopup
            console.info('cacheLocation (B): ' + clientApplication.cacheLocation);
            //updateUI();

            this.clientApplication.acquireTokenSilent(applicationConfig.b2cScopes).then(async accessToken => {
                console.debug('Got an access token - 1');

                updateUI();
            });

        }, { cacheLocation: 'localStorage' });

console.info('cacheLocation (A): ' + clientApplication.cacheLocation);

window.onload = function () {
            console.info('PAGE LOADED');
        }

Sometimes I get the expected flow

Sometimes I see 2 page load events fired

Use github pages to host the documentation for this library.

With a SPA application that leverages Azure AD B2C, I would like to allow the user to enter email password WITHIN the application without requiring a popup or a redirect.

Can I do this with MSAL? If so, how and is there any example available?

Note: I'd also offer social logins for the user, and in that case would want a popup, but not when the user chooses email/password option.

https://secure.aadcdn.microsoftonline-p.com/lib/0.1.1/js/msal.min.js does exist BUT
https://secure.aadcdn.microsoftonline-p.com/lib/0.1.1/js/msal.js does not exist.

Please post a version that can be used for debugging on the CDN.

Hello team,

I'm getting the above error whenever I try to use acquireTokenSilent().

any guidance?

I want to integrate with Miscrosoft Outlook. I am able to login with MSAL.js and get an access token, but I am not able to get a refresh token. Is there a way to do it?

Repro steps

1. Clone https://github.com/jmprieur/angular-msgraph-rest-sample-with-msaljs.git
2. Run the application (just follow the README.md of that repo. You don't need to register the application, though.
3. execute http://localhost:8080 in Internet Explorer

Actual
In IE we get a blank page, using the F12 tools, we can notice that there is a Syntax error in msal.js(3,5):
ReferenceError: 'MSAL' is undefined

Expected
We'd expect that is this is working in IE (it's working fine in Chrome, and Edge)

The response from OIDC configuration endpoint and endpoint discovery should be cached. Right now there is a todo in the code.

Token renewal in an Angular app causes an infinite loop in which:

1. acquireTokenSilent([clientId]) causes iframe reassigment
2. Iframe src assignment causes app to get reconstructed
3. Hash "callback" is for access token (not id token)
4. acquireTokenSilent([clientId]) causes iframe reassigment

Bug in call to insertAdjacentHTML('beforeEnd', ...) in UserAgentApplication.ts.

The specifications states that it should be "beforeend", not "beforeEnd":
https://www.w3.org/TR/2011/WD-html5-20110525/apis-in-html-documents.html

This broke the TypeScript pre-processing for me since InsertPosition in lib.es6.d.ts in the typescript node-package is defined as:
type InsertPosition = "beforebegin" | "afterbegin" | "beforeend" | "afterend";

Pull request coming.
Feel free to add a CONTRIBUTING.MD if I'm out of line.

Like old Azure Active Directory Authentication Library (ADAL) for JavaScript had a library AngularJS 1 (adal-angular.js), and we hope Angular 2 and Angular 4.

Are there any plans to develop Angular library inside MSAL for major stable version (1,2,4) ?

Repro steps

1. Clone https://github.com/jmprieur/angular-msgraph-rest-sample-with-msaljs.git
2. Run the application (just follow the README.md of that repo. You don't need to register the application, though.
3. execute http://localhost:8080 in an Edge "In Private Window"
4. Sign-in with your corporate credentials (which requires 2FA)

Actual
Once the authentication dance has happened, the screen looks like this

Note that the dialog used for the authentication now has the content of the application, which is not authenticated.

Expected
We'd expect that the user gets authenticated, and the "send email" button to appear, as is the case in Edge in normal (not in private) mode.

Note that this works fine in Chrome "incognito window"

Is there a possibility to disable Microsoft Account to login, so to only use AAD account as login option?

UserAgentApplication.redirectUri is hard coded as

window.location.href.split("?")[0].split("#")[0],

which assumes that routing is hash-based (e.g. https://spa.com/#/path/to/page).

If the routing is non-hash-based, this results in the login request's "redirect-uri" header being set to whatever the specific SPA path is. If this is not the app's registered redirect URI (e.g. https://spa.com/#/asset/6), the subsequent authentication request will fail.

Replace login.windows.net authority host with login.microsoftonline.com

Before the loginRedirect() function is called I set the cacheLocation to 'localStorage'. When my user is authenticated, the token is stored in sessionStorage.

var clientApplication = new Msal.UserAgentApplication(applicationConfig.clientID, applicationConfig.authority, authCallback);

function login() {
    clientApplication['cacheLocation'] = 'localStorage';
    clientApplication['redirectUri'] = 'http://localhost:60849/'
    clientApplication.loginRedirect(applicationConfig.b2cScopes);
}

I also tried clientApplication.cacheLocation('localStorage'); but .cacheLocation is not a function

I find that when creating a new client application, a few seconds passes before the component is ready. Clicking a login button to sign (_clientApplication.loginPopup) in throws this exception
"angular.js:14525 TypeError: Cannot read property 'loginPopup' of undefined", because the component is not yet created. Wait few seconds and it works fine.

I would like to something like this

        _clientApplication = new Msal.UserAgentApplication(clientId, null, authCallback).then(function () {
            //show log in button
        });

Also I would like to allow "Auto" login?

Allow user to refresh access token.

I'm trying to import this module in Angular 4 but it looks like the client library is not exported. Use commonjs as used by Microsoft JS Graph SDK

When I call loginPopup() and I don't have access I get (in the console window)

Refused to display 'https://login.microsoftonline.com/te/spottedmahnb2c.onmicrosoft.com/b2c_1_s…-423f-90fc-d9a30e5dc7ea-b2c_1_sign-up_or_sign-in&domain_hint=organizations' in a frame because it set 'X-Frame-Options' to 'deny'.

It turns out my real problem was:

This application does not have sufficient permissions against this web resource to perform the operation

Please see this GitHub Issue on the MSAL SPA Sample repo additional details.

Can MSAL.js provide better error handling/reporting in this scenario?

Hi guys,
I was just wondering if MSAL.js is supposed to be the replacement for adal.js to consume from single-page applications Azure AD version > 1.

Separate the repository for the example and the library.

Implement Telemetry public API surface

I am using the userAgentApplication.loginRedirect(config.b2cScopes) function to authenticate the users for my app.

Occasionally when I login, I receive the following message:
Set-Cookie header is ignored in response from url: https://login.microsoftonline.com/xxxxxxx.onmicrosoft.com/login. Cookie length should be less then or equal to 4096 characters.

This prevents msal.js from authenticating the user until the browser is closed or the cookies are cleared.

Token renewal iframe resolves the token renewed within the iframe. In this case, any request associated with the current SPA route that is waiting on the token will get executed in the iframe. It would be preferable for the iframe only to resolve the token promise for the parent.

I'm experiencing the following issue but I'm not sure where I should report it. And advice? Thanks!

1. I'm getting an error when trying to save my scopes complaining about my reply url
2. The url in the error is not clickable
3. I can't copy the url in error message

Repro steps

1. Clone https://github.com/jmprieur/v2jsapp
2. Run the application. For this instance use Python as proposed in the README.md file or open in VS:

• Open Visual Studio, and use File | Open | Web Site, and choose from the file system, the root of your repo
• in the browser combo box in the toolbar choose "Google Chrome" as the default browser.
• Debug | Start Without Debugging, which will run the web site in Chrome

3. Sign-in.
4. Once signed-in click on "Send email"

Actual
We get an error: **Popup Window is null. This can happen if you are using IE ** while trying to get the token, because the popup used to show the consent cannot be shown.

Expected
This should just works (it works in Edge)

Note
If the consent was accepted with Edge for the user, this error does not repro. It's only to do with the consent.

After user signs-in, a call to acquireTokenPopup(["https://graph.microsoft.com/user.read"]) fails due built-in pop-up blocker in Chrome or Firefox when consent is needed. The following error is happens:

popup_window_error:Error opening popup window. This can happen if you are using IE or if popups are blocked in the browser

In order to test this, create a new brand new application in ARP, login with a user using a private session, and then call acquireTokenPopup to acquire the token

Part 3 of the example on the index page of the repo (https://github.com/AzureAD/microsoft-authentication-library-for-js) appears to contain an typo of a misplaced parentheses,
// interaction required
if(error.indexOf("interaction_required" != -1)) {

should isntead be:
if(error.indexOf("interaction_required") != -1){

Implement Logger API and request context per .NET implementation.

Hello,

Apparently (see https://stackoverflow.com/questions/44228493/how-to-properly-import-and-use-the-msal-microsoft-authentication-library-for-js) it is not possible to import msal in an es6 style i.e. like :

import {Msal} from 'msal';
var msal   = new Msal.UserAgentApplication ....

Is there a reason ? If not, would it possible to make it possible ? Thanks in advance.

I'm using Msal for Azure B2C authentication & API authorization. When using acquireTokenSilent for the Id Token (scope being the application id). It always resolves unless the id_token has expired. A renewal never resolves and leaves an error in the console that cannot be caught (doesn't even have a stacktrace).

Uncaught (in promise) Please call ResolveEndpointsAsync first

I can see the HTTP request to openid-configuration being resolved in my network logs, so I don't really get why ResolveEndpointsAsync is causing issues. The acquire process is started, since I can see msal_acquireTokenUser entries pile up in the sessionStorage & I also see the msalIdTokenFrame being an empty Iframe (since it has no url assigned to it)
AccessTokens to for my API scopes are being renewed properly.

Am I doing something wrong, or is this a bug in the library? If the latter, any ETA on a new release resolving this? Or if available a quick workaround that I can implement?

Any plan to add ADFS support as the.net library seems to be working on it.?

AzureAD/microsoft-authentication-library-for-dotnet#143

Today MSAL has no way of detecting a user cancel programmatically.
MSAL.js should detect user cancellation, and let the developer handle it

I'm seeing a weird behavior in my app where id token for my Msal.UserAgentApplication has expired but it still returns the user information when getUser() is called. Am I missing something here?

If this is intended behavior then what's the best way to check if user is authenticated? Something like app.isUserAuthenticated()?

Scopes like 'openid' and 'profile' are sent with every request.

When using local accounts with B2C, asking for the 'profile' scope forces users to specify a Microsoft account before logging in. This behavior is faulty since a user who decides to use a local account is not guaranteed to have a Microsoft account.

Different proposed solutions:
1- Stop sending the 'profile' scope automatically.
2- Add a property 'Target' on the 'UserAgentApplication' class (AD, B2C, Unspecified) and avoid sending 'profile' when set on 'B2C' (This could also help other scenarios where certain things are not supported for 'B2C').
3- Automatically detect whether the request is sent to B2C based on the authority and follow the same rules as solution #2.