McInnesIan
commented
3 years ago I have written our own guard to fix the issue, but MSALGuard should do this
import { Injectable, Inject } from '@angular/core'; import { CanActivate} from '@angular/router'; import { MsalService } from '@azure/msal-angular';
import { IClientConfig } from '../interfaces/client-config.interface';
@Injectable({ providedIn: 'root' }) export class AudianceGuard implements CanActivate {
constructor( private msalService: MsalService, @Inject('CLIENT_CONFIG') private clientConfig: IClientConfig ) { }
canActivate(): boolean {
let account = this.msalService.getAccount();
if (account == null || typeof account.idToken === "undefined") {
return false;
}
if (account.idToken.aud != this.clientConfig.clientId) {
this.msalService.loginRedirect();
return false;
}
return true;}
}
tnorling
Library
@azure/msal-angular 1.1.1
Framework
Angular 11
Description
We have multiple websites on the same domain running under Kuberneties with SSO, when we switch between websites the token is not refreshed and it tries to use the same token, probably as they are in the same domain, for example
test.xx.yy/webapp1 test.xx.yy/webapp2
The Azure clientids are different for both websites and MSAL Angular should check the audiance (aud) claim of the token against the clientid of the application and refresh the token if they are different. This is what we have done creating our own guard which compares the aud and clientid and if different call login which results in a silent refresh getting the appropriate token. We keep roles in the token and this causes an issue as without the correct token, the token does not hold the correct roles.
Error Message
None
MSAL Configuration
Reproduction steps
Create two websites under the same domain, switch between the websites and in the token check the aud matches the clientid of the website you have navigated to.