search

AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License
286 stars 141 forks source link

InteractiveRequest does not work with some redirectURIs #636

Open siddhijain opened 1 year ago

siddhijain commented 1 year ago

As reported -

When the customer makes an interactive call with the redirect URI http://localhost:8000/login, this fails. The call with the redirect URIs: http://localhost/login, http://localhost:8000/ and http://localhost/ are working as expected.

To test - PublicClientApplication pca = PublicClientApplication.builder(clientId)                 .authority(authority)                 .build();

        IAuthenticationResult result; 

        InteractiveRequestParameters parameters = InteractiveRequestParameters                 .builder(new URI("http://localhost:8000/login"))))                 .scopes(scope)                 .build();

        result = pca.acquireToken(parameters).join();

bgavrilMS commented 1 year ago

As discussed, this is by design. On public client, MSAL starts listening on a specific port (if the port is not specified, a free one is randomly picked). It's using sockets as inter process communication. https://www.codejava.net/java-se/networking/java-socket-server-examples-tcp-ip

Suggestion: throw an exception in MSAL if redirect URI on public client is anything else other than http://localhost and http://localhost:port

siddhijain commented 1 year ago

That's a good suggestion. To add to the list, http://localhost/path works since it picks a random available port. The only format that does not work is when it contains both a port and a path (http://localhost:8000/path).

siddhijain commented 1 year ago

Quoting customer here - "Customer accepted the feedback, but came back with the following inputs: 

I think also it seems a very technical explanation that doesn’t really address the fundamental problem which is

Azure allows us to register a loopback url with an identity that your APIs don’t believe is valid.  If this url format really is invalid azure must prevent users from configuring it The azure-identity (and msal4j) apis happily accept the configured ‘bad’ url – again they need to reject this explicitly rather than give up with a timeout"

We plan to reach out to Azure app registration PM and propose rejecting invalid redirect_uris at the time of app registration. We will also add exception that will be thrown from msal4j in case of invalid redirect_uris .