AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Bug] Interactive flow with a JavaFX WebView based OpenBrowserAction incorrectly reports password as incorrect exactly once #805

Open NepNep21 opened 3 months ago

NepNep21 commented 3 months ago

Library version used

1.15.0

Java version

21.0.2

Scenario

PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

If the interactive authentication window is displayed in a JavaFX WebView, it always reports the first authentication attempt as incorrect, but then works if you simply paste the same password again. This is reproducible across multiple accounts and attempts on the same account. The issue does not occur using the system browser.

Relevant code snippets

public static CompletableFuture<IAuthenticationResult> interactiveFlow(MSALogInForm form) {
    try {
        InteractiveRequestParameters params = InteractiveRequestParameters.builder(new URI("http://localhost/"))
            .scopes(scopes) // ["XboxLive.signin"]
            .tenant(tenant) // "consumers"
            .systemBrowserOptions(SystemBrowserOptions.builder().openBrowserAction(form).build())
            .build();
        return app.acquireToken(params);
    } catch (URISyntaxException e) {
        throw new IllegalStateException(e);
    }
}
...
@Override
public void openBrowser(final URL url) {
    Platform.runLater(() -> MSALogInForm.this.browser.load(url.toString()));
}

Results in the issue; commenting out .systemBrowserOptions(SystemBrowserOptions.builder().openBrowserAction(form).build()) prevents it.

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Using the system browser instead of a WebView

Avery-Dunn commented 3 months ago

Hello @NepNep21: Could you post the error message you're getting? What exactly is saying the password is incorrect? And do you get tokens the first time despite the error message, or only after the second time?

Also, you mention that you haven't upgraded MSAL but version 1.15.0 only came out last week. Does that mean it was working fine for a bit after you updated, and only started failing sometime after that?

In version 1.15.0 we changed how we bind localhost addresses in the interactive flow (https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/797). We only test that scenario in a browser and not JavaFX so maybe there is something different with how loopback addresses and redirects work in JavaFX, but I'm not sure why it would suddenly stop working.

NepNep21 commented 3 months ago

The error is "The account or password is incorrect. Please try again." (see attachment)

> Also, you mention that you haven't upgraded MSAL but version 1.15.0 only came out last week. Does that mean it was working fine for a bit after you updated, and only started failing sometime after that?

This is why I dislike the new dropdown-based GitHub issue templates: they lead to vague answers that don't give enough information. I chose "The app is in production, I haven't upgraded MSAL, but started seeing this issue" because it seemed to be the closest. The more detailed answer is that the app is already in production but only using the device code flow; this is my attempt to add interactive flow support, which is not in production yet.