AzureAD / microsoft-authentication-library-for-go

The MSAL library for Go is part of the Microsoft identity platform for developers (formerly named Azure AD) v2.0. It enables you to acquire security tokens to call protected APIs. It uses industry standard OAuth2 and OpenID Connect.
MIT License

[Bug] Get #458

Open ericmort opened 9 months ago

ericmort commented 9 months ago

Which version of MSAL Go are you using? Note that to get help, you need to run the latest version.

1.2.0

Where is the issue?

Is this a new or an existing app? This is a new app or an experiment.

What version of Go are you using (go version)? Go vers

$ go version go1.21.1 darwin/amd64

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/Users/ericmortensen/Library/Caches/go-build'
GOENV='/Users/ericmortensen/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE='proxy.golang.org/*,github.com,github.com/*'
GOMODCACHE='/Users/ericmortensen/go/pkg/mod'
GONOPROXY='proxy.golang.org/*,github.com,github.com/*'
GONOSUMDB='proxy.golang.org/*,github.com,github.com/*'
GOOS='darwin'
GOPATH='/Users/ericmortensen/go'
GOPRIVATE='proxy.golang.org/*,github.com,github.com/*'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/Cellar/go/1.21.1/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/Cellar/go/1.21.1/libexec/pkg/tool/darwin_amd64'
GOVCS=''
GOVERSION='go1.21.1'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/ericmortensen/Projects/baas/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/s8/yss6gwtx5zv0qqlkd8h15xcc0000gn/T/go-build1961895256=/tmp/go-build -gno-record-gcc-switches -fno-common'

Repro

func AzureADAuthMiddleware() gin.HandlerFunc {
    return func(c *gin.Context) {
        client, err := public.New("", public.WithAuthority("https://login.microsoftonline.com/"))
        result, err := client.AcquireTokenInteractive(context.TODO(), []string{"openid"}, public.WithRedirectURI("http://localhost:8082"))
        if err != nil {
            c.String(http.StatusUnauthorized, "Unauthorized")
            c.Abort()
            return
        }
        c.Set("account", result)
        c.Next()
    }
}

Expected behavior

Expect the browser window to open, select a user and be redirected to the Go app. Then expect the code exchange to work and be authenticated.

Actual behavior

The code exchange does not work. I get the following error here: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/c3591af567c769d83becf8a8129fb2d5c8c752f4/apps/public/public.go#L677

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

Possible solution

Based on searching around, I tried adding an "Origin": "localhost:8082" header in the addStdHeaders() function here: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/c3591af567c769d83becf8a8129fb2d5c8c752f4/apps/internal/oauth/ops/internal/comm/comm.go#L319
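
As an added example, not code from the issue or the library: the same Origin workaround applied from the application side through public.WithHTTPClient rather than by patching addStdHeaders(), scoped so that only the token redemption POST carries the header. It assumes the redirect URI stays registered under the SPA platform (moving it to the mobile/desktop platform in the app registration removes the need for the header); the type and function names and the local echo endpoint are hypothetical, constructed for the check.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// originTransport adds an Origin header to requests bound for the Microsoft
// identity platform token endpoint and forwards everything else untouched.
type originTransport struct {
	base   http.RoundTripper
	origin string // e.g. "http://localhost:8082", matching the redirect URI
}

func (t *originTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Method == http.MethodPost && strings.HasSuffix(req.URL.Path, "/oauth2/v2.0/token") {
		// A RoundTripper must not mutate the caller's request, so clone it first.
		req = req.Clone(req.Context())
		req.Header.Set("Origin", t.origin)
	}
	return t.base.RoundTrip(req)
}

// NewOriginClient builds the *http.Client to hand to public.WithHTTPClient.
func NewOriginClient(origin string) *http.Client {
	return &http.Client{Transport: &originTransport{base: http.DefaultTransport, origin: origin}}
}

// OriginSeenByEndpoint sends one request through NewOriginClient to a constructed local endpoint that echoes back the Origin header it received.
func OriginSeenByEndpoint(method, path, origin string) string {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Header.Get("Origin"))
	}))
	defer srv.Close()
	req, _ := http.NewRequest(method, srv.URL+path, strings.NewReader("grant_type=authorization_code"))
	resp, err := NewOriginClient(origin).Do(req)
	if err != nil {
		return "error: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}

func main() {
	fmt.Println(OriginSeenByEndpoint(http.MethodPost, "/tid/oauth2/v2.0/token", "http://localhost:8082"))
}
```

Pass NewOriginClient("http://localhost:8082") to public.New via public.WithHTTPClient; the Origin value is the scheme, host and port of the redirect URI, not just the host.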

ericmort commented 9 months ago

Forgot to add that adding the Origin header solved the issue and I was authenticated as expected.

ericmort commented 9 months ago

apologies, the code I used was:

import (
    "context"
    "net/http"

    "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
    "github.com/gin-gonic/gin"
)

func AzureADAuthMiddleware() gin.HandlerFunc {
    return func(c *gin.Context) {
        // Public client for the app registration; the client ID and tenant ID are placeholders.
        client, err := public.New("my-app-id", public.WithAuthority("https://login.microsoftonline.com/my-tenant-id"))
        if err != nil {
            c.String(http.StatusInternalServerError, "Failed to create MSAL client")
            c.Abort()
            return
        }
        // Opens the browser, then redeems the authorization code returned to the redirect URI.
        result, err := client.AcquireTokenInteractive(context.TODO(), []string{"openid"}, public.WithRedirectURI("http://localhost:8082"))
        if err != nil {
            c.String(http.StatusUnauthorized, "Unauthorized")
            c.Abort()
            return
        }
        c.Set("account", result)
        c.Next()
    }
}
GitHub removed some characters.