[msal-browser][msal-common] Instance Aware Authentication (updated) #1804
Conversation
pkanher617
requested review from
DarylThayil,
jasonnutter,
jmckennon,
jo-arroyo,
sameerag,
hectormmg and
tnorling
as code owners
github-actions
bot
added
msal-browser
|
This PR has not seen activity in 14 days. It may be closed if it remains stale. |
|
@pkanher617 Status on this PR? |
Need to update this to latest dev and follow up with proper caching schema. Will update in the next week. |
|
This PR has not seen activity in 14 days. It may be closed if it remains stale. |
tnorling
added
work-in-progress
| const loginRequest = { | ||
| scopes: ["User.Read"], | ||
| extraQueryParameters: { | ||
| "instance_aware": "true" |
There was a problem hiding this comment.
Does this need its own sample? Can we write a short doc instead?
There was a problem hiding this comment.
Would prefer to have a sample that shows how to use the flow and the graph endpoints correctly. Happy to revisit if we have a lot of pushback on this.
There was a problem hiding this comment.
I think we should write a doc (or update an existing one) for this regardless. The sample may or may not become redundant at that point
There was a problem hiding this comment.
Will definitely update the docs to add the instance_aware flow
Unit tests are updated, and I am adding more for the scenarios around instance_aware. Also going to add e2e tests if I can.
Would like to merge the strictNullChecks PR before I fully confirm this, but I think we should be fine. |
|
|
||
| // Get cached items | ||
| const nonceKey = this.browserStorage.generateNonceKey(requestState); | ||
| const cachedNonce = this.browserStorage.getTemporaryCache(nonceKey); | ||
|
|
||
| // Assign code to request | ||
| this.authCodeRequest.code = authCode; | ||
| this.authCodeRequest.code = authCodeResponse.code; |
There was a problem hiding this comment.
nit: Isn't the name confusing? I am assuming here authCodeResponse is from the fetch-auth-code request and authcodeRequest is the auth call for token?
There was a problem hiding this comment.
Yes that's correct. If you have suggestions please suggest, but I think it is clear enough. The authCodeRequest is a field and the response is not.
|
|
||
| protected async updateTokenEndpointAuthority(cloudInstanceHostname: string, authority: Authority, networkModule: INetworkModule): Promise<void> { | ||
| const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${authority.tenant}/`; | ||
| if (cloudInstanceAuthorityUri !== authority.canonicalAuthority) { |
There was a problem hiding this comment.
Should we check aliases here? eg: login.windows.net is the same as login.microsoftonline.com and should not reinstantiate the authority instance in that case.
| this.browserCrypto = browserCrypto; | ||
| } | ||
|
|
||
| /** | ||
| * Redirects window to given URL. | ||
| * @param urlNavigate | ||
| */ | ||
| initiateAuthRequest(requestUrl: string, authCodeRequest: AuthorizationCodeRequest, redirectTimeout: number, redirectStartPage?: string): Promise<void> { | ||
| initiateAuthRequest(requestUrl: string, authCodeRequest: AuthorizationCodeRequest, redirectTimeout?: number, redirectStartPage?: string): Promise<void> { |
There was a problem hiding this comment.
Why is redirectTimeout set to optional? FYI in #2669, I also made redirectStartPage required, since it will always be passed: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/2669/files#diff-d592fb8a2a52b3d36d8625f2210c27b8360c6d1f0cff4fe06494d1baf77ac593
There was a problem hiding this comment.
Oh, is it because it now implements InteractionHandler?
There was a problem hiding this comment.
Yeah that's correct. The interface implementation does not include redirectTimeout.
There was a problem hiding this comment.
Can we remove the initiateAuthRequest abstract from InteractionHandler so that we dont have to make these optional?
There was a problem hiding this comment.
I would like to keep the abstract function as a constraint for subclasses implementing this. I understand that there needs to be a compiler level way to ensure that the redirectTimeout and redirectStartPage are passed, but for now can we ensure this by adding code errors?
There was a problem hiding this comment.
I personally don't like making a param optional but then throwing if it's not provided. Would prefer either making this its own function that doesn't implement the abstract or getting rid of the abstract altogether.
There was a problem hiding this comment.
I personally think it's worse design to take out the abstract functionality than to check if an optional parameter is provided or not. Let me see if I can find an alternative, but in the meantime @tnorling can you approve the PR so I can merge as soon as it is ready?
There was a problem hiding this comment.
I also don't like the idea of throwing an error if the params are not passed. I would rather the code just handle it gracefully.
There was a problem hiding this comment.
So you can also just leave this as you have it, and I can deal with adjustments that need to be made for my PR.
There was a problem hiding this comment.
made an update to the initiateAuthRequest function, please check and see if it works for you guys.
| @@ -303,7 +303,10 @@ export abstract class ClientApplication { | |||
|
|
|||
| const redirectStartPage = (request && request.redirectStartPage) || window.location.href; | |||
| // Show the UI once the url has been created. Response will come back in the hash, which will be handled in the handleRedirectCallback function. | |||
| return interactionHandler.initiateAuthRequest(navigateUrl, authCodeRequest, this.config.system.redirectNavigationTimeout, redirectStartPage); | |||
| return interactionHandler.initiateAuthRequest(navigateUrl, authCodeRequest, { | |||
There was a problem hiding this comment.
nit: Can we define the params above and make this a one liner?
| @@ -379,7 +382,9 @@ export abstract class ClientApplication { | |||
| const interactionHandler = new PopupHandler(authClient, this.browserStorage); | |||
|
|
|||
| // Show the UI once the url has been created. Get the window handle for the popup. | |||
| const popupWindow: Window = interactionHandler.initiateAuthRequest(navigateUrl, authCodeRequest, popup); | |||
| const popupWindow: Window = interactionHandler.initiateAuthRequest(navigateUrl, authCodeRequest, { | |||
This PR implements the instance_aware feature for msal-browser. Specifically, it adds the authority object to the response and handles all parameters which come back in the fragment.
It also adds TokenResponse to the browser exports (as per PR #1551).
Replaces PR #1584.