MSAL 1.4.0 was released, and is causing infinite redirection loop #2185
Comments
kumarunster
added
the
bug
|
Hi @kumarunster . Can you please provide the following information:
The changelog can be found here. |
|
Hi @Technical-Boy, thanks for your reply. We are using msal with react-aad-msal. hereby our provider instantiation: authProvider = new MsalAuthProvider(
{
auth: {
authority: authority,
clientId: clientId,
postLogoutRedirectUri: window.location.origin,
redirectUri: redirectUri,
validateAuthority: false,
// After being redirected to the "redirectUri" page, should user
// be redirected back to the Url where their login originated from?
navigateToLoginRequestUrl: false
},
cache: {
cacheLocation: 'localStorage',
storeAuthStateInCookie: false,
},
system: {
tokenRenewalOffsetSeconds: 600
}
},
{
scopes: scopes,
},
{
loginType
}
);the scopes we are using are so far we did't any further debugging why exactly the loop is caused, we quickly reverted the version and everything is working again as expected. |
|
Hi, @kumarunster, thanks for following up. Could you please use the MSAL Logger, reproduce the bug and send us the logs? Thanks. |
|
here is the log file seems something to be wrong with cached id token or/and with access to cached token by key. MSAL returns id token with access token as tokenType instead, although a correct id token exists in local storage multiple times. Hence this is the cause for infinite login loop. Could it be related to the changes in PR#2022? Could another method be used to determine the correctness of tokenType? AuthCache.ts: UserAgentApplication.ts#getCachedToken: LocalStorage: |
|
@kumarunster could you clarify if you're calling acquireTokenSilent with the scopes in the "https://graph.microsoft.com/openid" "https://graph.microsoft.com/profile" format? Does the loop still happen if you add the scopes as just "openid" and "profile"? |
|
@Technical-Boy acquireTokenSilent is invoked inside react-aad-msal, with clientId as the only scope, see here. MSAL 1.4.0 replaces client id with list of default scopes. You can see the scopes in the log file I provided in my last comment: as explained before, the id token is correctly returned from server, but msal library is not able to find it in local storage. |
|
Hey, @kumarunster. I can confirm this is in fact a bug in the |
|
@Technical-Boy thanks for confirmation. yes we stay with 1.3.4. |
|
Hello, @Technical-Boy, @tnorling any issues with PR #2206 ? It is two weeks already since the pr is hanging, is any further help required? |
|
Hi @kumarunster . We're currently working on testing the changes in the PR, we'll let you know if we need more information. Thanks! |
|
Closing since msal@1.4.1, which includes a fix for this issue, has been published. Please let us know if the issue persists after upgrading to msal@1.4.1. |
Library
msal@1.4.0@azure/msal-browser@2.x.x@azure/msal-angular@0.x.x@azure/msal-angular@1.x.x@azure/msal-angularjs@1.x.xFramework
React
Description
We noticed an upgrade of msal to the version 1.4.0 today in our dev environment. It was released at the same day (25. Aug. 2020). The login with underlying msal library does not work anymore and is ending in infinite redirection loop to login.microsoft.com.
More, after short search on this project side I cannot find any migration guide or release note to the released version. Was this version released by accident? Could someone clarify?
For now we changed the version back to the latest 1.3.x and everything works fine.
Error Message
Security
Regression
Version:
MSAL Configuration
Reproduction steps
Expected behavior
Browsers/Environment
The text was updated successfully, but these errors were encountered: