AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] "Back" button appears in MSAL.net (which was not appearing in ADAL.net) #4738

Open smohanty05 opened 2 months ago

smohanty05 commented 2 months ago

Library version used

Microsoft.Identity.Client 4.60.3

.NET version

.net framework 4.8

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

I am migrating from ADAL.net to MSAL.net. From the desktop app, the username is sent to the method which acquires the token:

```csharp
publicClient = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(authority)
    .WithRedirectUri(redirectUri.ToString())
    .Build();
FileCache.EnableSerialization(publicClient.UserTokenCache);

var accounts = await publicClient.GetAccountsAsync();
AuthenticationResult result = null;
try
{
    result = await publicClient.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
        .ExecuteAsync();
    if (!string.IsNullOrEmpty(userName)
        && !result.Account.Username.Equals(userName + "@" + tenant, StringComparison.InvariantCultureIgnoreCase))
        throw new MsalUiRequiredException(MsalError.MultipleTokensMatchedError, "Multiple tokens matched");
}
catch (MsalUiRequiredException ex)
{
    if (ex.ErrorCode == MsalError.MultipleTokensMatchedError)
    {
        // clear the cache
        ClearCache();
    }

    if (string.IsNullOrEmpty(userName))
        result = await publicClient.AcquireTokenInteractive(scopes)
            .WithPrompt(Prompt.ForceLogin)
            .ExecuteAsync();
    else
        result = await publicClient.AcquireTokenInteractive(scopes)
            .WithPrompt(Prompt.ForceLogin)
            .WithLoginHint(userName + "@" + tenant)
            .ExecuteAsync();
}
```

AcquireTokenInteractive shows the dialog box with a "Back" button when the username provided to the method is an invalid user. But there is no use for the Back button here. Clicking on it causes a User Authentication Cancelled exception.


In ADAL.net, the old code was as below:

```csharp
authContext = new AuthenticationContext(authority, new FileCache());
AuthenticationResult result = null;
try
{
    result = await authContext.AcquireTokenSilentAsync(resourceId, clientId);
    if (!string.IsNullOrEmpty(userName)
        && !result.UserInfo.DisplayableId.Equals(userName + "@" + tenant, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new AdalException(AdalError.MultipleTokensMatched);
    }
}
catch (AdalException ex)
{
    if (ex.ErrorCode == AdalError.UserInteractionRequired
        || ex.ErrorCode == AdalError.FailedToAcquireTokenSilently
        || ex.ErrorCode == AdalError.MultipleTokensMatched)
    {
        if (ex.ErrorCode == AdalError.MultipleTokensMatched)
        {
            if (authContext != null)
                authContext.TokenCache.Clear();
        }

        if (string.IsNullOrEmpty(userName))
        {
            result = await authContext.AcquireTokenAsync(resourceId, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Always));
        }
        else
        {
            result = await authContext.AcquireTokenAsync(resourceId, clientId, redirectUri,
                new PlatformParameters(PromptBehavior.Always),
                new UserIdentifier(userName + "@" + tenant, UserIdentifierType.RequiredDisplayableId));
        }
    }
}
```

I have attached screenshots from both MSAL.net and ADAL.net below.

MSAL.net => [screenshot: MSAL net]

ADAL.net => [screenshot: ADAL net]

Users will consider this a regression after migration from ADAL.net to MSAL.net.

Is there a way to remove/hide the Back button?

Relevant code snippets

No response

Expected behavior

Back button should not be shown in this case as there is no use of it (in the scenario described).

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
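An added example, not code from the issue or from the MSAL.NET project, showing the same silent-then-interactive flow without `accounts.FirstOrDefault()` and without wiping the whole token cache when the cached user does not match: the cached account is looked up by username, the silent call is scoped to that account, and the interactive fallback is pinned to the same user. `TokenHelper` and `AcquireForUserAsync` are hypothetical names; `app` is assumed to be built as in the issue.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper (not from the issue): token for one specific user, cache first, UI second.
public static class TokenHelper
{
    public static async Task<AuthenticationResult> AcquireForUserAsync(
        IPublicClientApplication app, string[] scopes, string userName, string tenant)
    {
        string expectedUpn = string.IsNullOrEmpty(userName) ? null : userName + "@" + tenant;

        // Pick the cached account that matches the requested user, if any.
        var accounts = await app.GetAccountsAsync();
        IAccount account = expectedUpn == null
            ? accounts.FirstOrDefault()
            : accounts.FirstOrDefault(a =>
                string.Equals(a.Username, expectedUpn, StringComparison.OrdinalIgnoreCase));

        if (account != null)
        {
            try
            {
                // Silent call scoped to this account only; other cached users are untouched.
                return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token expired/revoked or consent needed: fall through to the UI.
            }
        }

        var interactive = app.AcquireTokenInteractive(scopes);
        if (account != null)
            interactive = interactive.WithAccount(account);       // re-authenticate the same user
        else if (expectedUpn != null)
            interactive = interactive.WithLoginHint(expectedUpn);  // pre-fill the username for a new user

        try
        {
            return await interactive.ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.AuthenticationCanceledError)
        {
            // The user closed the dialog (e.g. via the "Back" button described in the issue).
            throw new OperationCanceledException("Sign-in was cancelled by the user.", ex);
        }
    }
}
```

If the cached account must be discarded (for example the user explicitly signs out), `app.RemoveAsync(account)` removes only that account rather than clearing the cache for everyone.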

bgavrilMS commented 1 month ago

This is a service problem; the SDK does not control the UI.

localden commented 1 month ago

@bgavrilMS it does seem odd, however, that the behavior would be different between ADAL and MSAL in UI rendering (even if it's not the library that controls the UI). Let me reach out to service folks and see if we can get some clarity here.

rayluo commented 1 month ago

> @bgavrilMS it does seem odd, however, that the behavior would be different between ADAL and MSAL in UI rendering (even if it's not the library that controls the UI). Let me reach out to service folks and see if we can get some clarity here.

ADAL talks to v1 endpoint and MSAL talks to v2. It could be the different out-of-the-box behaviors of the two endpoints. Just a hypothesis, though. I did not try it myself. :-)

localden commented 1 month ago

@smohanty05 - let's take a look at the HTTP requests that are issued by ADAL and the ones issued by MSAL. Can you please post those here (without authenticating/providing credentials)? I want to see if there is a good way for us to see the delta between what ADAL does vs. what MSAL does.

You can use a tool like Fiddler on Windows to get this data.

smohanty05 commented 1 month ago

@localden, please find the Fiddler result for ADAL and MSAL: MSAL_ADAL.zip

localden commented 1 month ago

@smohanty05 I only see the CONNECT handshakes in there, but not the actual requests. Can you please enable HTTPS decryption and then re-capture the requests?


Same as last time - please don't enter any creds 😀

localden commented 1 month ago

@smohanty05 appreciate the context, we are investigating.