search

AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License
3.61k stars 2.64k forks source link

Help needed: Bypass authority metadata resolution #7220

Open vella-nicholas opened 1 month ago

vella-nicholas commented 1 month ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.1.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.1.0

Public or Confidential Client?

Public

Description

I would like some help in bypassing authority metadata resolution. The problem is we have two endpoints for resolution, one for b2c_1a_signup_signin and the other b2c_1a_signup and if we pass only one, one of the policies will not work.

The endpoints are: https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration and https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup/v2.0/.well-known/openid-configuration

Error Message

The aim is to avoid this error, possibly due to network latency Error message: ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration

MSAL Logs

No response

Network Trace (Preferrably Fiddler)

MSAL Configuration

export function MSALInstanceFactory(): IPublicClientApplication {
    const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;
    const msalConfig: Configuration = {
        auth: {
            clientId: environment.activeDirectory.clientId,
            authority: `https://${environment.activeDirectory.loginDomain}/${environment.activeDirectory.domain}/B2C_1A_SIGNUP_SIGNIN`,
            knownAuthorities: [
                environment.activeDirectory.loginDomain,
                environment.activeDirectory.editDomain
            ],
            redirectUri: '/',
            navigateToLoginRequestUrl: false
        },
        cache: {
            cacheLocation: BrowserCacheLocation.LocalStorage,
            storeAuthStateInCookie: isIE
        },
        system: {
            loggerOptions: {
                loggerCallback(logLevel: LogLevel, message: string) { },
                logLevel: LogLevel.Error,
                piiLoggingEnabled: false,
            },
            allowNativeBroker: false
        }
    };

    return new PublicClientApplication(msalConfig);
}

Relevant Code Snippets

We would like something like this but with two authorities:
const msalInstance = new PublicClientApplication({
    auth: {
        authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}'
    }
});

Reproduction Steps

Two policies are used, one for registration and one for login. I need help in bypassing authority depending on which policy is used.

Expected Behavior

The ability to add more than one authorityMetadata depending on which policy is used.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari

Regression

No response

Source

External (Customer)

konstantin-msft commented 1 month ago

@vella-nicholas Unfortunately, MSAL.js does not support multiple instances of authority metadata at the moment. Please retry endpoints_resolution_error on your end.

cc @ejahja Please consider this as a feature request.

vella-nicholas commented 1 month ago

@konstantin-msft My question is, does this error cause users not to be able to login? We are not having complaints and yet we see this error like 500 times a day. Could it be network related? Is there a way I can investigate this further?

konstantin-msft commented 1 month ago

@vella-nicholas endpoints_resolution_error causes auth failure and should be re-tried. It indicates an issue with either a client network or an authority metadata endpoint.

tnorling commented 4 weeks ago

Please try upgrading to the latest version of MSAL.js and let us know if this is still an issue. There were bugs related to metadata resolution in the early v3 releases that have since been mitigated.