msal browser sample VanillaJSTestApp2.0 fails with ADFS #7107

Closed
1 of 2 tasks
billvolt opened this issue May 16, 2024 · 2 comments
@billvolt

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

current

Wrapper Library

Not Applicable

Wrapper Library Version

N/A

Public or Confidential Client?

Public

Description

Followed setup instructions included with the sample, configured authority as per docs.

authority: "https://fs.corpdomain.com/adfs/",

Edge browser shows:

MS Identity Platform ... Sign In
Vanilla JavaScript SPA calling MS Graph API with MSAL.JS

When the user clicks "Sign In" and either the Popup or Redirect options, there is neither a sign-in option nor does the sample progress with an automatic Windows login.

Fiddler shows this GET:

GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://fs.corpdomain.com/adfs/oauth2/v2.0/authorize HTTP/1.1

Error Message

Fiddler shows this response:

{"error":"invalid_instance","error_description":"AADSTS50049: Unknown or invalid instance. Trace ID: 95de1718-11c2-4bba-933c-714460e66302 Correlation ID: 2dfbf8cf-3419-48e9-9400-a32c7cd4a19b Timestamp: 2024-05-16 17:00:20Z","error_codes":[50049],"timestamp":"2024-05-16 17:00:20Z","trace_id":"95de1718-11c2-4bba-933c-714460e66302","correlation_id":"2dfbf8cf-3419-48e9-9400-a32c7cd4a19b","error_uri":"https://login.microsoftonline.com/error?code=50049"}

MSAL Logs

Not applicable.

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

// Config object to be passed to Msal on creation
const msalConfig = {
    auth: {
        //clientId: "b5c2e510-4a17-4feb-b219-e55aa5b74144",
        clientId: "e5e38fe1-a478-479e-9d77-5e47626e2af2",
        authority: "https://fs.corpdomain.com/adfs/",
            //"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47",
            
    },
    cache: {
        cacheLocation: "sessionStorage", // This configures where your cache will be stored
        storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
    },
    system: {
        loggerOptions: {
            logLevel: msal.LogLevel.Trace,
            loggerCallback: (level, message, containsPii) => {
                if (containsPii) {
                    return;
                }
                switch (level) {
                    case msal.LogLevel.Error:
                        console.error(message);
                        return;
                    case msal.LogLevel.Info:
                        console.info(message);
                        return;
                    case msal.LogLevel.Verbose:
                        console.debug(message);
                        return;
                    case msal.LogLevel.Warning:
                        console.warn(message);
                        return;
                    default:
                        console.log(message);
                        return;
                }
            },
        },
    },
    telemetry: {
        application: {
            appName: "MSAL Browser V2 Default Sample",
            appVersion: "1.0.0",
        },
    },
};

// Add here scopes for id token to be used at MS Identity Platform endpoints.
const loginRequest = {
    scopes: ["User.Read"],
};

// Add here the endpoints for MS Graph API services you would like to use.
const graphConfig = {
    graphMeEndpoint: "https://graph.microsoft.com/v1.0/me",
    graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages",
};

// Add here scopes for access token to be used at MS Graph API endpoints.
const tokenRequest = {
    scopes: ["Mail.Read"],
    forceRefresh: false, // Set this to "true" to skip a cached token and go to the server to get a new token
};

const silentRequest = {
    scopes: ["openid", "profile", "User.Read", "Mail.Read"],
};

const logoutRequest = {};

Relevant Code Snippets

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-browser-samples/VanillaJSTestApp2.0

Reproduction Steps

  1. Edit all authconfig.js files to point to ADFS authority and valid Client ID configured there in an application group.
  2. Build as per instructions.
  3. npm start
  4. browse http://localhost:30662/

Expected Behavior

When sign-in is selected either:

  1. An automatic login should occur based on the current Windows and the sample should progress.
  2. A manual login should be accepted.

Identity Provider

ADFS

Browsers Affected (Select all that apply)

Edge

Regression

N/A

Source

External (Customer)

@konstantin-msft

Hi @billvolt. Please add auth.knownAuthorities to MSAL config to make cloud discovery resolution work properly for ADFS scenario. Please refer here for more details.

@billvolt

> Hi @billvolt. Please add auth.knownAuthorities to MSAL config to make cloud discovery resolution work properly for ADFS scenario. Please refer here for more details.

This worked. Thank you.
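
Added example, not part of the thread or of the MSAL.js code base: a pre-flight check that compares the authority host of an MSAL `auth` block against its `knownAuthorities` list, run on the config as posted in the issue and on the same config with the ADFS host declared. The helper names (`hostOf`, `checkAuthority`) and the one-entry `CLOUD_DISCOVERY_HOSTS` list are assumptions made for illustration; the check is a simplified model, not MSAL's own validation logic.

```javascript
// Added example: pre-flight check for an MSAL auth config that points at a
// non-Microsoft authority such as ADFS. Helper names are hypothetical.

// Hosts assumed to be resolvable through cloud instance discovery. Only the
// host seen in the Fiddler trace is listed; this is not MSAL's own list.
const CLOUD_DISCOVERY_HOSTS = ["login.microsoftonline.com"];

function hostOf(value) {
    // Accept bare hosts or full URLs and normalise both to a lowercase host.
    const text = value.includes("://") ? value : `https://${value}`;
    return new URL(text).hostname.toLowerCase();
}

function checkAuthority(auth) {
    const issues = [];
    const url = new URL(auth.authority);
    const host = url.hostname.toLowerCase();
    if (url.protocol !== "https:") {
        issues.push("authority must use https");
    }
    const known = (auth.knownAuthorities || []).map(hostOf);
    const trusted = known.includes(host) || CLOUD_DISCOVERY_HOSTS.includes(host);
    if (!trusted) {
        issues.push(`${host} is not in knownAuthorities; cloud instance discovery will not recognise it`);
    }
    // Each extra entry is another host the app is told to trust without validation.
    const extra = known.filter((h) => h !== host);
    if (extra.length > 0) {
        issues.push(`knownAuthorities entries not used by this authority: ${extra.join(", ")}`);
    }
    return { host, trusted, issues };
}

// Auth block as posted in the issue: ADFS authority, no knownAuthorities.
const failingAuth = {
    clientId: "e5e38fe1-a478-479e-9d77-5e47626e2af2",
    authority: "https://fs.corpdomain.com/adfs/",
};

// Same block with the ADFS host declared as a known authority.
const fixedAuth = { ...failingAuth, knownAuthorities: ["fs.corpdomain.com"] };

console.log(checkAuthority(failingAuth));
console.log(checkAuthority(fixedAuth));
```

Keeping `knownAuthorities` limited to the exact ADFS host in use keeps the trust list as narrow as the deployment needs.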
