AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0

Unexpected SSO behaviour with acquireToken and ADFS #854

Closed h3rmanj closed 4 years ago

h3rmanj commented 5 years ago

I'm submitting a...

[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[x] Other... Please describe: Chrome uses SSO over specified `id_token`

Browser:

Library version: 1.0.17

Current behavior

Please note that we are using ADFS. In our environment, each employee can have multiple users in AD, with different permission levels. This means that we would like to disable SSO and let the user themselves log in with the correct user. Disabling SSO and asking for a prompt can be done by adding this to the config:

extraQueryParameter: 'prompt=login'

If the user clicks Sign on as current user, the user will be signed in as UserA (using SSO). However, if the user logs in with another user, such as username UserB, this works and the id_token returned is correct. When we try to acquire a token for an API, SSO seems to take over and fetches UserA's access_token. This does not occur in Firefox, where the access_token is correct for UserB.

Expected behavior

If signed in as UserB, the access_token should also be from UserB and not UserA in Chrome.

Minimal reproduction of the problem with instructions

Add this to the config:

instance: 'YOUR_ADFS_INSTANCE',
tenant: 'adfs',
extraQueryParameter: 'prompt=login'

Try logging in with another user than your SSO user, then acquire an access token. Check the access_token's winaccountname.
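The mismatch described in this report (an id_token for UserB but an access_token for UserA) is easy to detect on the client before the access_token is ever sent to the API. The following is an added example, not code from the ADAL.js repository or from the issue author: it decodes the payload of both JWTs and checks that they name the same account. The claim names (`winaccountname`, `upn`, `unique_name`) and the sample tokens are assumptions constructed for an ADFS-style deployment; the sample tokens are unsigned and the check deliberately does no signature validation, which remains the resource server's job.

```javascript
// Added example (not from ADAL.js or the issue author): verify that the
// access_token handed back by acquireToken belongs to the same account as
// the id_token the user actually signed in with. Runs under Node.js.

// Decode a base64url segment (JWT segments carry no padding).
function base64UrlDecode(str) {
  let s = str.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return Buffer.from(s, 'base64').toString('utf8');
}

// Return the JSON payload (second segment) of a compact JWT. No signature
// check here: this is a consistency check, not token validation.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pick the claim that identifies the account. The claim names are an
// assumption; ADFS issues winaccountname, other IdPs use upn or unique_name.
function accountClaim(payload) {
  return payload.winaccountname || payload.upn || payload.unique_name || null;
}

// Compare the account in the id_token with the account in the access_token.
// ok === false is exactly the situation the issue describes.
function tokensBelongToSameAccount(idToken, accessToken) {
  const idAcct = accountClaim(decodeJwtPayload(idToken));
  const atAcct = accountClaim(decodeJwtPayload(accessToken));
  const ok = idAcct !== null && atAcct !== null &&
    idAcct.toLowerCase() === atAcct.toLowerCase();
  return { ok, idTokenAccount: idAcct, accessTokenAccount: atAcct };
}

// Constructed, unsigned sample tokens (alg "none", placeholder signature)
// that mimic the tokens described in the report. Not real tokens.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj))
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const SAMPLE_ID_TOKEN = makeUnsignedJwt({
  winaccountname: 'CONTOSO\\UserB', aud: 'client-id-placeholder',
});
// What the report observes in Chrome: access_token for the SSO user instead.
const SAMPLE_ACCESS_TOKEN_WRONG = makeUnsignedJwt({
  winaccountname: 'CONTOSO\\UserA', aud: 'api://resource-placeholder',
});
// What Firefox returns according to the report.
const SAMPLE_ACCESS_TOKEN_RIGHT = makeUnsignedJwt({
  winaccountname: 'CONTOSO\\UserB', aud: 'api://resource-placeholder',
});

// Stand-alone demonstration of both outcomes.
const mismatch = tokensBelongToSameAccount(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN_WRONG);
const match = tokensBelongToSameAccount(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN_RIGHT);
console.log('Chrome-style result:', mismatch);   // ok: false, UserB vs UserA
console.log('Firefox-style result:', match);      // ok: true
```

In an ADAL.js application this check would sit inside the `acquireToken` callback: compare the returned access_token with the id_token held in the cache and, if `ok` is false, discard the token and force a fresh interactive sign-in rather than calling the API as the wrong user.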

JonasKs commented 5 years ago

@manoj-rath / @rohitnarula7176 , could you review? Any solutions?

JonasKs commented 5 years ago

Workaround:

jmckennon commented 4 years ago

This bug is fixed in msal js, or you can use the workaround stated by JonasKs. Closing this as it looks like the problem is solved.

All current authentication work from Microsoft is delivered through the msal js library here. adal js is still supported only for security fixes. We recommend moving to msal js for any advanced feature requests and bugfixes.