AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

MSAL Angular Application Redirect URL Marked as Dangerous Site After Microsoft Login #7020

Closed nithinpoulosek closed 6 months ago

nithinpoulosek commented 6 months ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

1.0.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

1.0.0

Public or Confidential Client?

Confidential

Description

We are using an MSAL Angular 1.0.0 (Angular 8) application for Azure AD login. The application has been working fine for the last four years without any issues. However, starting last week, after Microsoft login, the redirect URL (e.g. https://site_url.com/authcallback#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InEtM...) is being marked as a dangerous site by the browser.

We noticed a Google update last week regarding browser URL policy: https://security.googleblog.com/2024/03/blog-post.html


Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

MSAL Configuration

// app.module.ts (MSAL Angular v1): these two objects are the arguments to
// MsalModule.forRoot(...) in the app module's imports array. The import path
// of `environment` is assumed; the issue only shows the two objects.
import { MsalModule } from "@azure/msal-angular";
import { environment } from "../environments/environment";

MsalModule.forRoot(
  // msal v1 Configuration
  {
    auth: {
      clientId: environment.config.identityConfig.clientId,
      authority: environment.config.identityConfig.authority,
      // After the redirect, return to the page the user started login from.
      navigateToLoginRequestUrl: true,
      validateAuthority: true,
      redirectUri: environment.config.identityConfig.redirectUri,
      postLogoutRedirectUri:
        environment.config.identityConfig.postLogoutRedirectUri,
    },
    cache: {
      // Tokens and account state persist across tabs and browser restarts.
      cacheLocation: "localStorage",
    },
  },
  // MsalAngularConfiguration (interceptor / consent settings)
  {
    consentScopes: [],
    unprotectedResources: [],
    protectedResourceMap: [],
    extraQueryParameters: {},
  }
)

Relevant Code Snippets

// Component using the MSAL Angular v1 API. The imports, class declaration and
// constructor are added for context; the issue showed only the method bodies.
import { Component, OnInit } from "@angular/core";
import { Router } from "@angular/router";
import { BroadcastService, MsalService } from "@azure/msal-angular";
import { Account, CryptoUtils, Logger } from "msal";

@Component({ selector: "app-auth", template: "" })
export class AuthComponent implements OnInit {
  userAccount: Account;
  loggedIn = false;

  constructor(
    private msalService: MsalService,
    private broadcastService: BroadcastService,
    private router: Router
  ) {}

  // Full-page redirect to the identity provider's authorize endpoint.
  login() {
    this.msalService.loginRedirect();
  }

  // Read the account MSAL cached (here in localStorage) after a successful login.
  checkAccount() {
    this.userAccount = this.msalService.getAccount();
    this.loggedIn = !!this.userAccount;
  }

  ngOnInit() {
    this.setSubscriptions();
  }

  setSubscriptions() {
    this.broadcastService.subscribe("msal:loginSuccess", () => {
      this.checkServerIsAlive(); // defined elsewhere in the component (not shown in the issue)
      this.checkAccount();
    });
    this.broadcastService.subscribe("msal:loginFailure", (payload) => {
      console.log(payload);
    });
    // Called by MSAL once it has consumed the #id_token=... fragment on the
    // redirect back from the identity provider.
    this.msalService.handleRedirectCallback((authError, response) => {
      if (authError) {
        console.error("Redirect Error: ", authError.errorMessage);
        return;
      }
      this.router.navigate(["/authcallback"]);
      // Prints a bearer token to the browser console; fine for debugging only.
      console.log("Redirect Success: ", response.accessToken);
    });
    this.msalService.setLogger(
      new Logger(
        (logLevel, message, piiEnabled) => {
          // console.log("MSAL Logging: ", message);
        },
        {
          correlationId: CryptoUtils.createNewGuid(),
          piiLoggingEnabled: false,
        }
      )
    );
  }
}

Reproduction Steps

  1. Log in with Microsoft
  2. The redirection URL from Microsoft login back to the application, "https://site_url.com/authcallback#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InEtM...", shows a Dangerous site warning. (All other URLs are working fine.)

Expected Behavior

The application should be logged in without any warning.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

External (Customer)
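The callback URL quoted in the description carries the id_token itself in the URL fragment, which is how the implicit flow used by MSAL.js v1 returns tokens to the browser. The following Node.js snippet is an added example, not code from the issue or from the MSAL project: it parses a redirect URL of that shape and decodes the JWT header and claims without verifying them, to make concrete what any script on the callback page, a browser extension, or the browser's own URL inspection can read from the address bar. It goes one step beyond the issue by also classifying an authorization-code callback (an opaque `code` in the query string rather than a token in the fragment, which is what MSAL.js v2 and later use together with PKCE). `ISSUE_FRAGMENT_PREFIX` is the visible prefix of the token from the issue text; the sample token, its claims, the `code` value and `state` are constructed placeholders.

```javascript
// Added example, not part of the issue or of MSAL.js. Node.js, no dependencies.

// Visible prefix of the id_token from the redirect URL quoted in the issue.
const ISSUE_FRAGMENT_PREFIX =
  "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InEtM";

// base64url (RFC 4648 section 5) -> UTF-8 string; tolerates missing '=' padding.
function base64UrlDecode(input) {
  const b64 = input.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a truncated base64url string: every complete 4-char group yields three
// whole bytes, so drop the trailing partial group instead of guessing its bits.
function decodeTruncatedBase64Url(input) {
  return base64UrlDecode(input.slice(0, input.length - (input.length % 4)));
}

// Split a redirect URL into query and fragment parameters. In the implicit flow
// the token sits after '#', so it never reaches the server, but it is fully
// visible to the page, to extensions and to the browser's URL handling.
function parseRedirectUrl(url) {
  const u = new URL(url);
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  return {
    query: Object.fromEntries(u.searchParams),
    fragment: Object.fromEntries(new URLSearchParams(fragment)),
  };
}

// Decode the JOSE header and claims of a compact JWT WITHOUT verifying the
// signature. This is inspection only; anyone holding the URL can do the same.
function decodeJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    claims: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Classify a callback URL: implicit flow (token in fragment) or authorization
// code flow (opaque code in query), and report what a reader of the URL learns.
function inspectRedirect(url) {
  const { query, fragment } = parseRedirectUrl(url);
  if (typeof fragment.id_token === "string") {
    const { header, claims } = decodeJwtUnverified(fragment.id_token);
    return { flow: "implicit", tokenInUrl: true, header, claims,
             state: fragment.state ?? null };
  }
  if (typeof query.code === "string") {
    return { flow: "authorization_code", tokenInUrl: false, header: null,
             claims: null, state: query.state ?? null };
  }
  return { flow: "unknown", tokenInUrl: false, header: null, claims: null,
           state: null };
}

// Constructed sample: same shape as the URL in the issue, but the token is a
// hand-built placeholder with a fake signature, not a real Entra ID id_token.
const SAMPLE_HEADER = { typ: "JWT", alg: "RS256", kid: "example-kid" };
const SAMPLE_CLAIMS = {
  iss: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  aud: "11111111-1111-1111-1111-111111111111",
  nonce: "sample-nonce",
  exp: 1700000000,
};
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS)),
  "not-a-real-signature",
].join(".");
const SAMPLE_IMPLICIT_URL =
  `https://site_url.com/authcallback#id_token=${SAMPLE_ID_TOKEN}&state=abc123`;
// Constructed authorization-code callback; the code value is a placeholder.
const SAMPLE_CODE_URL =
  "https://site_url.com/authcallback?code=placeholder-auth-code&state=abc123";

console.log(decodeTruncatedBase64Url(ISSUE_FRAGMENT_PREFIX));
console.log(inspectRedirect(SAMPLE_IMPLICIT_URL));
console.log(inspectRedirect(SAMPLE_CODE_URL));
```

Decoding the visible prefix from the issue already yields the start of a JOSE header (`typ`, `alg` RS256, the beginning of `kid`), so the flagged URL literally embeds a signed JWT; in the authorization-code case the only secret-bearing value in the URL is a short-lived code that is useless without the PKCE verifier held in the client.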

gehringf commented 6 months ago

I've seen this too with one of our applications.

SolvejSkar commented 6 months ago

Does anybody have a solution or workaround?

tnorling commented 6 months ago

You should raise this issue with Chrome. This is not something we have any control over. If there's something the auth service is doing that is triggering this, it would help to understand specifically what that is, and you should report that by opening a ticket here.

Also as a side note: v1 is deprecated and not receiving any further investments. Please upgrade to v3 at your earliest convenience so that we can offer you support for future needs.