[Bug] (maybe) Login error with external IDP

[AnthonyGiretti]

Library version used

8.0.0

.NET version

.NET 8

Scenario

ConfidentialClient - web site (AcquireTokenByAuthCode)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

have an issue with my Blazor application which uses MSAL and Azure AD. When I use an external identity provider where Azure refers to for authentication, the redirection works fine, BUT, while redirecting, my Blazor apps says "User cancelled the flow" and the authentication fails, then I try to log again (Since i'm authenticated to my external provider, whatever the previous error), and I'm able to connect to my session and issue an ID token and Access Token. It happens whatever the login mode I use : Popup or redirect.

It does not happen when Azure AD is the Identity provider, everything is working fine.

Does somebody know what's going on?

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[jmprieur]

@AnthonyGiretti : are you using Microsoft.Identity.web?

[neha-bhargava]

Are you using ConfidentialClient - web site (AcquireTokenByAuthCode) and ManagedIdentityClient - managed identity?

Can you share the code where you are using MSAL?

[AnthonyGiretti]

I'm using the Implicit flow with Blazor, so it's made via the website:, so I guess via ConfidentialClient - web site (AcquireTokenByAuthCode) For the rest of the code i'm using the Blazor template here: https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md

public class Program { public static async Task Main(string[] args) { var builder = WebAssemblyHostBuilder.CreateDefault(args); builder.RootComponents.Add("app");

    builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new

Uri(builder.HostEnvironment.BaseAddress) });

    // Provides support for authenticating the users.
    builder.Services.AddMsalAuthentication(options =>
    {
        builder.Configuration.Bind("AzureAd",

options.ProviderOptions.Authentication); options.ProviderOptions.DefaultAccessTokenScopes.Add(" https://graph.microsoft.com/User.Read"); // This is in the Microsoft doc options.ProviderOptions.Cache.CacheLocation = "sessionStorage"; });

    await builder.Build().RunAsync();
}

}

[image: created with MySignature.io] https://mysignature.io/?utm_source=logo Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 <+1+514+557+1380> website: https://anthonygiretti.com email: @.***

Le lun. 8 janv. 2024 à 23:49, Neha Bhargava @.***> a écrit :

Are you using ConfidentialClient - web site (AcquireTokenByAuthCode) and ManagedIdentityClient - managed identity?

Can you share the code where you are using MSAL?

— Reply to this email directly, view it on GitHub https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4488#issuecomment-1882408915, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFBX2JYBO7M7CDL7DSGB3LLYNTD6NAVCNFSM6AAAAABBSBBJ2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBSGQYDQOJRGU . You are receiving this because you were mentioned.Message ID: <AzureAD/microsoft-authentication-library-for-dotnet/issues/4488/1882408915 @github.com>

[AnthonyGiretti]

@jmprieur No. I'm using the default Blazor template (Microsoft example) which implements Implicit Flow, so I guess via ConfidentialClient - web

[neha-bhargava]

Looks like you are using the Authentication Package section of the tutorial. For some reason the link is broken for MSAL. Not sure if MSAL.Net is used here. Seems more like MSAL.js

[AnthonyGiretti]

@neha-bhargava What should I do if the Microsoft sample doesn't work? It used to work in previous version. I'm using the Microsoft.Authentication.WebAssembly.Msal package, the later bring automatically the JS file here: Authentication.js. Did I miss something?

[neha-bhargava]

I think you can open an issue on the github repo for Microsoft.Authentication.WebAssembly.Msal since you are referencing it directly and they might be able to suggest further.

Are there any specific logs that suggest the issue is on the MSAL's side? If there are then can you share those logs?

[AnthonyGiretti]

I'm confused. What's the difference between microsoft-authentication-library-for-dotnet https://github.com/AzureAD/microsoft-authentication-library-for-dotnet repo and MASL, isn't the same team? [image: created with MySignature.io] https://mysignature.io/?utm_source=logo Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 <+1+514+557+1380> website: https://anthonygiretti.com email: @.***

Le mar. 9 janv. 2024 à 17:41, Neha Bhargava @.***> a écrit :

I think you can open an issue on the github repo for Microsoft.Authentication.WebAssembly.Msal https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal since you are referencing it directly and they might be able to suggest further.

Are there any specific logs that suggest the issue is on the MSAL's side? If there are then can you share those logs?

— Reply to this email directly, view it on GitHub https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4488#issuecomment-1883914395, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFBX2JZDQEU4BCLNR4CY7TDYNXBSXAVCNFSM6AAAAABBSBBJ2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBTHEYTIMZZGU . You are receiving this because you were mentioned.Message ID: <AzureAD/microsoft-authentication-library-for-dotnet/issues/4488/1883914395 @github.com>

[bgavrilMS]

@pmaytak - can you please help re-route this issue to the correct team? Afaik Blazor scenarios are implemented with MSAL JS.

[AnthonyGiretti]

Thanks

Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 website: https://anthonygiretti.com email: @.***

On Wed, Jan 10, 2024 at 06:50 Bogdan Gavril @.***> wrote:

@pmaytak https://github.com/pmaytak - can you please help re-route this issue to the correct team? Afaik Blazor scenarios are implemented with MSAL JS.

— Reply to this email directly, view it on GitHub https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4488#issuecomment-1884702969, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFBX2J25R7UMLPWWD5GKPR3YNZ6ABAVCNFSM6AAAAABBSBBJ2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBUG4YDEOJWHE . You are receiving this because you were mentioned.Message ID: <AzureAD/microsoft-authentication-library-for-dotnet/issues/4488/1884702969 @github.com>

[jmprieur]

@jmprieur No. I'm using the default Blazor template (Microsoft example) which implements Implicit Flow, so I guess via ConfidentialClient - web

Hello @AnthonyGiretti Unless you are still on ASP.NET Core 3.1, Blazorwasm does no longer use the implicit flow but the auth code flow. This might be the problem. Your app registration should use a Web redirect URI (not a SPA one)

To give a bit of context, Blazorwasm is not using MSAL.NET, but MSAL.js called by the ASP.NET core libraries.

[AnthonyGiretti]

Thanks, I hear what you say but,

There is something I don’t understand: 1- I took the Microsoft example on GitHub which is in .NeT 8 2- it works fine when the IDP is Azure Entra ID, it does not when the IDP is external such as go daddy

Can you clarify on this please?

Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 website: https://anthonygiretti.com email: @.***

On Wed, Jan 10, 2024 at 12:56 Jean-Marc Prieur @.***> wrote:

@jmprieur https://github.com/jmprieur No. I'm using the default Blazor template (Microsoft example) which implements Implicit Flow, so I guess via ConfidentialClient - web

Hello @AnthonyGiretti https://github.com/AnthonyGiretti Unless you are still on ASP.NET Core 3.1, Blazorwasm does no longer use the implicit flow but the auth code flow. This might be the problem. Your app registration should use a Web redirect URI (not a SPA one)

To give a bit of context, Blazorwasm is not using MSAL.NET, but MSAL.js called by the ASP.NET core libraries.

— Reply to this email directly, view it on GitHub https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4488#issuecomment-1885347728, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFBX2JYSO7BL37G3GBMBKSTYN3I6FAVCNFSM6AAAAABBSBBJ2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBVGM2DONZSHA . You are receiving this because you were mentioned.Message ID: <AzureAD/microsoft-authentication-library-for-dotnet/issues/4488/1885347728 @github.com>

[AnthonyGiretti]

@jmprieur

Does it help if I capture in video my scenario? It’s literally the Microsoft example

Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 website: https://anthonygiretti.com email: @.***

On Wed, Jan 10, 2024 at 18:25 Anthony Giretti @.***> wrote:

Thanks, I hear what you say but,

There is something I don’t understand: 1- I took the Microsoft example on GitHub which is in .NeT 8 2- it works fine when the IDP is Azure Entra ID, it does not when the IDP is external such as go daddy

Can you clarify on this please?

Anthony Giretti Blogger, Speaker MVP, MCSD mobile: +1 514 557 1380 website: https://anthonygiretti.com email: @.***

On Wed, Jan 10, 2024 at 12:56 Jean-Marc Prieur @.***> wrote:

@jmprieur https://github.com/jmprieur No. I'm using the default Blazor template (Microsoft example) which implements Implicit Flow, so I guess via ConfidentialClient - web

Hello @AnthonyGiretti https://github.com/AnthonyGiretti Unless you are still on ASP.NET Core 3.1, Blazorwasm does no longer use the implicit flow but the auth code flow. This might be the problem. Your app registration should use a Web redirect URI (not a SPA one)

To give a bit of context, Blazorwasm is not using MSAL.NET, but MSAL.js called by the ASP.NET core libraries.

— Reply to this email directly, view it on GitHub https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4488#issuecomment-1885347728, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFBX2JYSO7BL37G3GBMBKSTYN3I6FAVCNFSM6AAAAABBSBBJ2OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBVGM2DONZSHA . You are receiving this because you were mentioned.Message ID: <AzureAD/microsoft-authentication-library-for-dotnet/issues/4488/1885347728 @github.com>

[pmaytak]

@AnthonyGiretti Microsoft.Authentication.WebAssembly.Msal uses MSAL JavaScript. You can create an issue in their MSAL JS repo. They would know the details of the implementation.

[bgavrilMS]

I'm going to close this as moving issues between repos is not very helpful.