Closed clemlesne closed 1 year ago
Also created an issue to the doc, if this is a missing piece of doc: https://github.com/MicrosoftDocs/azure-docs/issues/112289.
This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @konstantin-msft please follow up.
@clemlesne SPAs only support URLs that start with `https:` for production apps and `http://localhost` for local dev. The format you mentioned above can be supported only for mobile or web apps, as they have a confidential component, unlike browser apps. Hope this clarifies.
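The rule stated in the reply above (https for production, http://localhost for local dev, nothing else for a SPA) is easy to get wrong with a string-prefix check. The following is an added example, not MSAL.js code and not anything the MSAL team proposed: a client-side preflight that applies that rule structurally with the WHATWG `URL` parser, contrasted with a naive prefix test that would accept a host such as `localhost.attacker.example`. The function names and the sample URIs are constructed for illustration; the actual enforcement happens on the service side during the redirect, so this only helps catch a misconfiguration before the first sign-in attempt.

```javascript
// Added example (not MSAL.js code): preflight check of a redirectUri against the
// SPA platform rule quoted above: https:// for production, http://localhost for dev.
// Uses the WHATWG URL parser so scheme and host are compared structurally.

function isAllowedSpaRedirectUri(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return false; // not an absolute URL (e.g. a bare path such as "/auth/callback")
  }
  // URL normalizes the scheme to lower case, so "HTTPS://..." is handled too.
  if (url.protocol === "https:") {
    return true;
  }
  if (url.protocol === "http:") {
    // Compare the parsed hostname, not a string prefix:
    // "http://localhost:3000/auth/callback" passes,
    // "http://localhost.attacker.example/auth/callback" fails.
    return url.hostname === "localhost";
  }
  // tauri://, file://, app-specific schemes: not a web URL, so not valid for a SPA
  return false;
}

// Naive prefix check, shown only for contrast: it accepts any host that merely
// starts with the characters "localhost".
function naiveCheck(uri) {
  return uri.startsWith("https://") || uri.startsWith("http://localhost");
}

// Constructed sample inputs (not from the original issue).
const SAMPLES = [
  "https://app.example.com/auth",
  "http://localhost:3000/auth/callback",
  "http://localhost.attacker.example/auth/callback",
  "tauri://localhost",
  "HTTPS://app.example.com/auth",
  "/auth/callback",
];

// Run both checks over the samples; returns one row per URI.
function classify(uris) {
  return uris.map((u) => ({
    uri: u,
    strict: isAllowedSpaRedirectUri(u),
    naive: naiveCheck(u),
  }));
}

for (const row of classify(SAMPLES)) {
  console.log(`${row.uri}\tstrict=${row.strict}\tnaive=${row.naive}`);
}
```

Run it with `node` and compare the two columns: the strict check rejects `tauri://localhost` for the reason given in the reply (no web origin to verify), and it also rejects `http://localhost.attacker.example`, which the prefix check lets through.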
Well, Tauri is like Electron but without the Node.js backend. It's, sort of, a web browser with a Rust backend handling communication with the host. Not having an HTTP server exposed lowers the risk of man-in-the-middle and other attacks: no server, no security issues. Enabling the HTTP server is feasible but flawed.
Thus… why restrict the protocol name to "https://" only? Security is the same, integration is the same.
Am I missing something?
Yes, our verification of `redirectUri` depends on the https messaging to the service. Since it is a SPA and no secrets are exchanged, this is the only way we can confirm the app's validity to receive the tokens.
More docs can be found here.
What do you advise to make this work? I'm still stuck with Tauri and MSAL.js.
This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @sameerag please follow up.
You cannot use msal js without having a web URL as a redirectUri. It is not something MSAL JS controls, it is how the SPA backend is designed for AAD. Sorry we cannot be of much help here.
This is a joke, this could theoretically be done using msal-node if it didn't rely on node-exclusive APIs like `util.inherits`. I understand that supporting non-C-based native clients, especially browser-emulating ones, is a daunting task. But as it stands the official advice of the authentication library is "well, we're only talking about security here. There's no need to invest so much in security. Just use the node server impl and PKCE. So what if the tokens are open to hijacking?"
The question here asks about the `tauri://` protocol (as outlined and required by both the OAuth2 spec and the Microsoft docs, btw). I understand that the answer to that literal question is "we don't have the ability to allow that", but the actual question that was asked was "how do you perform auth in conditions such as Tauri".
Working with Azure's OAuth2 API is hard enough, really. I don't think that needing to find a hack around MSAL's stated impossibility (despite it being entirely possible) should be another hurdle in the herculean task that is working with Azure.
I have a working implementation for tauri. It's 100% possible. I wanted to swap over to msal because I started to need to juggle a few tokens around and I really didn't want to. Especially with the teeth-grinding experience that is implementing it myself.
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
2.38.0
Wrapper Library
MSAL React (@azure/msal-react)
Wrapper Library Version
1.5.9
Public or Confidential Client?
Public
Description
Cannot log in using a mobile and desktop applications redirect URL prefixed with `tauri://`. It works with `http://localhost` but not from `tauri://localhost`.
Error Message
MSAL Logs
MSAL Configuration
Relevant Code Snippets
The application is run from Tauri (embedded web app on desktop, no Node.js runtime).
AAD app manifest:
Expected Behavior
I would expect the logging to work the same it is working for the web version.
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
Other
Related links (suggested)
Source
Internal (Microsoft)