The "AAD Instance Discovery Endpoint" should be azureCloudInstance enum specific #4586
Comments
Closing as we whitelisted the '.com' version of the URL in our network.

This issue was not resolved. I used
I read through the code of the relevant repo https://github.com/AzureAD/microsoft-authentication-library-for-js
that allowed me to see that the metadata discovery for that URL was not being found until going down to the
but when I found this suggestion ( #4879 (comment) ) to set knownAuthorities to include the URL I thought that might be a way to go... and sure enough once I included it ...
I was able to confirm with that earlier tcpdump command that I was now in fact hitting
Dependencies (msal-node was tried with both 1.17.2 and as shown 1.9.0; neither worked.)
Core Library: MSAL.js v2 (@azure/msal-browser)
Core Library Version: 2.22.1
Wrapper Library: MSAL Angular (@azure/msal-angular)
Wrapper Library Version: 2.1.2
Description
The "AAD Instance Discovery Endpoint" is hardcoded to use "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=" in the file "msal-common\src\utils\Constants.ts". It should be based on the environment/AzureCloudInstance specified by the config enum "AzureCloudInstance" at the time of instantiating the PublicClientApplication object. For example, if I specify the environment as AzureCloudInstance.AzureUsGovernment, then the endpoint should use "https://login.microsoftonline.us/common/discovery/instance?api-version=1.1&authorization_endpoint=" (.us instead of .com). Or at least, there should be a way for client applications to override the "Default AAD Instance Discovery Endpoint".
This is a critical requirement for us as we allow only "https://login.microsoftonline.us" in our network and the .com version is blocked.
Need this to be fixed as soon as possible.
Error Message: No response
Msal Logs: No response
MSAL Configuration
Relevant Code Snippets: None
Reproduction Steps
Using the above configuration, at runtime, once we try to log in to the AD, it is making a call to the "AAD Instance Discovery Endpoint", i.e., "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=".
The URL login.microsoftonline.com is blocked for us at the network level as we only allow login.microsoftonline.us.
As we use the AzureUsGovernment environment, it should use `login.microsoftonline.us` throughout the application.
Expected Behavior
The library should use the AAD Instance Discovery Endpoint based on the AzureCloudInstance enum value passed in the configuration, or it should let the consumers override the default endpoint.
Identity Provider: Azure AD / MSA
Browsers Affected (Select all that apply): Chrome, Firefox, Edge, Safari, Internet Explorer
Regression: No response
Source: External (Customer)
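To make the requested behaviour concrete, here is an added example (not MSAL's own code): it derives the discovery endpoint from the cloud instance's base URL instead of the hardcoded ".com" one, and checks every host the sign-in flow would contact against the egress allowlist the report describes. The flat config keys (azureCloudInstance, authority, knownAuthorities) and the enum-to-URL mapping are assumptions for this illustration, not MSAL's actual configuration shape.

```javascript
// Added example, not code from the MSAL repository.

// Cloud instance base URLs as this example assumes them. The member names
// mirror MSAL's AzureCloudInstance enum; the .us value is what the report
// expects for US Government.
const AzureCloudInstance = {
  AzurePublic: "https://login.microsoftonline.com",
  AzureUsGovernment: "https://login.microsoftonline.us",
};

// Path and query taken from the hardcoded endpoint quoted in the report;
// the authority URL is appended as the last query parameter value.
const DISCOVERY_PATH =
  "/common/discovery/instance?api-version=1.1&authorization_endpoint=";

// Build the discovery endpoint from the cloud instance rather than a constant.
function instanceDiscoveryEndpoint(cloudInstance, authority) {
  const base = new URL(cloudInstance); // throws if the instance is not a URL
  return base.origin + DISCOVERY_PATH + encodeURIComponent(authority);
}

// Return the hosts the sign-in flow would contact that are NOT allowed.
// An empty list means nothing in the flow hits a blocked login host.
function blockedHosts(config, allowedHosts) {
  const endpoint = instanceDiscoveryEndpoint(
    config.azureCloudInstance,
    config.authority
  );
  const contacted = [
    new URL(config.authority).hostname,
    new URL(endpoint).hostname,
  ];
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return contacted.filter((h) => !allowed.has(h.toLowerCase()));
}

// Constructed configuration mirroring the report's US Government setup;
// knownAuthorities doubles as the network allowlist in this example.
const usGovConfig = {
  azureCloudInstance: AzureCloudInstance.AzureUsGovernment,
  authority: "https://login.microsoftonline.us/organizations",
  knownAuthorities: ["login.microsoftonline.us"],
};

// Same authority, but discovery still pinned to the public cloud: this is
// the behaviour the report complains about, and the check flags the .com host.
const hardcodedConfig = {
  ...usGovConfig,
  azureCloudInstance: AzureCloudInstance.AzurePublic,
};

console.log(blockedHosts(usGovConfig, usGovConfig.knownAuthorities)); // []
console.log(blockedHosts(hardcodedConfig, hardcodedConfig.knownAuthorities)); // [ 'login.microsoftonline.com' ]
```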