AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Impersonation flow with AAD B2C is not working #1608

Closed Bhargav-Narayan closed 4 years ago

Bhargav-Narayan commented 4 years ago

Library

Framework

React 16.8.4

Description

We have configured our AAD B2C tenant for the impersonation flow by following the GitHub link ‘https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation’. We also tested this configuration and successfully generated the access token with the impersonated user's Sign In Name.

But when we configure our React JS application with the MSAL library for the impersonation flow, it does not work as expected.

We have tried different access token methods; the results are below:

Using acquireTokenSilent to get the access token: in both Chrome and IE, it throws an X-Frame-Options deny error after login and entering the impersonated email id.

Using acquireTokenRedirect to get the access token: in both Chrome and IE, after successful login, it repeatedly shows the Impersonated user id page and never goes to our application Home Page.

Using acquireTokenPopup to get the access token:

Chrome

  1. After login, on the impersonated user id page, the user needs to enter the impersonated user's email id.
  2. It navigates back to our app and opens an impersonated user popup.
  3. Then, after entering the impersonated user's email id, it navigates to our homepage without any further prompt. IMPORTANT: in this case the popup blocker should be accepted by the user before step no. 2, and the user gets hardly any time to accept the popup. If the user does not accept the popup, it behaves the same as the acquireTokenRedirect option.

IE

  1. After login, on the impersonated user id page, the user needs to enter the impersonated user's email id.
  2. It navigates back to our app and opens an impersonated user popup, but the popup disappears immediately.
  3. It then redirects again to the impersonated user id page.
  4. This keeps repeating. IMPORTANT: in this case the popup blocker should be disabled by the user.

Security

Is this issue security related? No

Regression

Did this behavior work before? Never tried

Configuration

scopes
authority
loginHint
redirectUri
extraQueryParameters: { domain_hint: "organizations" }

Reproduction steps

  1. Add a valid impersonation policy in the MSAL configuration options and try to login.

Expected behavior

Once the user logs in to our app, he/she should be prompted to enter the login ID of the user that he/she wants to impersonate. Once submitted, the user should be able to access our app with the entered impersonated user account.

Browsers

IE 11, Chrome, Firefox
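The report above tries `acquireTokenSilent`, which MSAL.js 1.x serves from a hidden iframe, and then the interactive methods. The pattern a client usually needs is silent first, interactive only when MSAL signals that user interaction is required, with a guard so the interactive fallback cannot loop the way the redirect flow does here. The following is an added example, not code from the issue or from MSAL.js; `msalApp` is any object exposing `acquireTokenSilent`/`acquireTokenRedirect` (a `Msal.UserAgentApplication` in a real app, a fake in tests), and the tenant, policy and scope values are placeholders.

```javascript
// Added example (not from the issue or MSAL.js): silent-first token acquisition
// for an app wired to a B2C impersonation policy, with interactive fallback.
// Placeholder values: tenant name, policy name and API scope.
const TOKEN_REQUEST = {
  scopes: ["https://contoso.onmicrosoft.com/api/read"],            // placeholder
  authority: "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_impersonation", // placeholder
  extraQueryParameters: { domain_hint: "organizations" },          // as in the issue's config
};

// MSAL error codes that mean the hidden-iframe request could not complete without
// the user; when B2C serves a page the browser refuses to frame (X-Frame-Options:
// deny) MSAL typically reports a window timeout or token renewal error.
const INTERACTION_CODES = new Set([
  "interaction_required", "login_required", "consent_required",
  "monitor_window_timeout", "token_renewal_error",
]);

function needsInteraction(err) {
  if (!err) return false;
  const text = String(err.errorMessage || err.message || "");
  return INTERACTION_CODES.has(err.errorCode) || /x-frame-options/i.test(text);
}

// storage: object with getItem/setItem/removeItem (window.sessionStorage in a browser).
async function getAccessToken(msalApp, storage, request = TOKEN_REQUEST) {
  const FLAG = "impersonation_redirect_in_progress";
  try {
    const res = await msalApp.acquireTokenSilent(request);
    storage.removeItem(FLAG);                       // silent path worked; clear guard
    return { token: res.accessToken, method: "silent" };
  } catch (err) {
    if (!needsInteraction(err)) throw err;          // real failure, do not mask it
    // Loop guard: if the user was already sent through the interactive policy and
    // we still have no token, surface the error rather than redirecting again.
    if (storage.getItem(FLAG) === "1") {
      storage.removeItem(FLAG);
      throw new Error("interactive flow did not yield a token: " + err.errorCode);
    }
    storage.setItem(FLAG, "1");
    await msalApp.acquireTokenRedirect(request);    // navigates away in a real browser
    return { token: null, method: "redirect" };
  }
}
```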

github-actions[bot] commented 4 years ago

This issue has not seen activity in 14 days. It may be closed if it remains stale.

sriniambati commented 4 years ago

Can someone provide status of this issue?

github-actions[bot] commented 4 years ago

This issue has not seen activity in 14 days. It may be closed if it remains stale.

JasSuri commented 4 years ago

From what I can tell, this is not an MSAL issue. It is incorrect configuration in the policy for SSO. When SSO fails, MSAL throws an x-frame-options: deny error. I'll need to review the sample.

github-actions[bot] commented 4 years ago

This issue has not seen activity in 14 days. It may be closed if it remains stale.

hectormmg commented 4 years ago

Closing due to inactivity. Please let us know if this is still an issue so we can reopen it.