AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

ssoSilent isn't working #7330

Open luke-nguyen-ams opened 2 days ago

luke-nguyen-ams commented 2 days ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.24.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

2.1.0

Public or Confidential Client?

Public

Description


While integrating my website into a parent website that uses Azure B2C, I encountered an issue when attempting Single Sign-On (SSO). After successfully logging into the parent website, I posted a message to an iframe containing the active account. However, when trying to authenticate using the SSOSilent method with loginHint and the active account, an error was thrown:

InteractionRequiredAuthError: interaction_required: AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'

The error indicates that the user does not have an existing session, although they are already logged into the parent website. I expected the session to persist across iframes for seamless SSO, but this seems to require interaction despite the prompt parameter being set to 'None.'

With SID, I saw it is not available with B2C: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1935

Here is my code in the iframe website:

import { AccountInfo } from '@azure/msal-browser';
// `instance` is the PublicClientApplication created from msalConfig (not shown here)

const ssoSilent = async (account: AccountInfo): Promise<string | undefined> => {
  try {
    // redirect flow for the account handed over by the parent website
    await instance.acquireTokenRedirect({
      scopes: MicrosoftGraphAuth.GetLoginRequest().scopes,
      account: account,
    });
    // silent SSO using the username as login hint (SID is not available with B2C)
    const result = await instance.ssoSilent({
      scopes: ['client_id', 'offline_access', 'openid'],
      loginHint: account.username,
    });
    const { accessToken } = result;
    localStorage.setItem('accessToken', JSON.stringify(accessToken));
    return accessToken;
  } catch (error) {
    // InteractionRequiredAuthError (AADB2C90077) ends up here
    console.log('error acquire token silent', error);
    instance.clearCache();
    return undefined;
  }
};

Docs: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/iframe-usage.md#single-sign-on

Error Message

InteractionRequiredAuthError: interaction_required: AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'. Correlation ID: 2fc57a11-158f-476a-8ce4-18843fb12fe6

MSAL Logs

No response

Network Trace (Preferably Fiddler)

MSAL Configuration

import { Configuration } from '@azure/msal-browser';

const msalConfig: Configuration = {
  auth: {
    clientId: 'eadcd102-392c-45a3-xxxxxx-xxxxxxxxxx',
    authority: 'https://xxxxxxx.b2clogin.com/amsb2cdera.onmicrosoft.com/B2C_1_signup',
    redirectUri: 'http://localhost:8080/oauth2/microsoft/callback',
    knownAuthorities: ['xxxxxxx.b2clogin.com'],
  },
  cache: {
    cacheLocation: 'localStorage',
  },
};

Relevant Code Snippets

const iframe: any = document.getElementById('child-iframe')
iframe?.contentWindow?.postMessage(accounts[0], '*')

Reproduction Steps

  1. Logged in to the parent website
  2. Parent website calls postMessage() to send data to the iframe (https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
  3. Got an error when using instance.ssoSilent()

Expected Behavior

ssoSilent succeeds

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari, Other

Regression

"@azure/msal-browser": "3.24.0" and "@azure/msal-react": "2.1.0",

Source

External (Customer)
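The parent-to-iframe handoff and the silent-first token flow from the reproduction steps, as an added example that is neither the reporter's code nor MSAL's own. It differs from the snippets above in two defender-relevant ways: the parent posts only the login hint with an explicit target origin instead of the whole account object with `'*'`, and the iframe checks `event.origin` before trusting the message. The MSAL instance, the frame window, the origins `https://parent.example` / `https://child.example` and the token values are constructed stand-ins so the file runs offline under Node; on a real page the instance is the `PublicClientApplication` from `@azure/msal-browser`, and the interactive fallback is `acquireTokenPopup` because redirects inside an iframe are blocked by MSAL unless explicitly allowed.

```javascript
// Added example (not from the issue above and not MSAL's own code).
// Parent page -> iframe login-hint handoff with an explicit target origin,
// origin validation on the receiving side, and a silent-first token flow
// that falls back to interaction only on InteractionRequiredAuthError.
// The MSAL instance, the frame window and the origins are constructed
// stand-ins so the file runs offline under Node.

const PARENT_ORIGIN = "https://parent.example"; // assumed origin of the host site
const CHILD_ORIGIN = "https://child.example";   // assumed origin of the embedded site

// Parent side: send only the login hint, never the whole AccountInfo object,
// and pin the target origin. With "*" any document the frame has navigated
// to (or been hijacked into) would receive the message.
function postLoginHint(iframeWindow, account) {
  const message = { type: "msal-login-hint", loginHint: account.username };
  iframeWindow.postMessage(message, CHILD_ORIGIN);
  return message;
}

// Child side: the "message" event handler must check event.origin before
// trusting anything in event.data. Returns the hint, or null if rejected.
function parseLoginHintEvent(event) {
  if (event.origin !== PARENT_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== "msal-login-hint" || typeof data.loginHint !== "string") {
    return null;
  }
  return data.loginHint;
}

// Silent first; interactive (popup, since this runs inside an iframe) only
// when the identity provider reports that interaction is required. Any other
// error is re-thrown so misconfiguration is not silently swallowed.
async function acquireTokenSilentFirst(instance, request) {
  try {
    const result = await instance.ssoSilent(request);
    return { mode: "silent", accessToken: result.accessToken };
  } catch (error) {
    if (error && error.name === "InteractionRequiredAuthError") {
      const result = await instance.acquireTokenPopup(request);
      return { mode: "popup", accessToken: result.accessToken };
    }
    throw error;
  }
}

// Constructed stand-in for PublicClientApplication. hasSession=false mimics
// the AADB2C90077 response quoted in the issue.
function makeFakeInstance(hasSession) {
  const calls = [];
  return {
    calls,
    async ssoSilent(request) {
      calls.push("ssoSilent");
      if (hasSession) return { accessToken: "constructed-silent-token", scopes: request.scopes };
      const err = new Error(
        "interaction_required: AADB2C90077: User does not have an existing session " +
        "and request prompt parameter has a value of 'None'"
      );
      err.name = "InteractionRequiredAuthError";
      err.errorCode = "interaction_required";
      throw err;
    },
    async acquireTokenPopup(request) {
      calls.push("acquireTokenPopup");
      return { accessToken: "constructed-popup-token", scopes: request.scopes };
    },
  };
}

// Constructed stand-in for iframe.contentWindow that records what was posted.
function makeFakeFrame() {
  const posted = [];
  return { posted, postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); } };
}

// Walks through the reproduction steps end to end and returns what happened.
async function demo() {
  const parentAccount = { username: "user@contoso.example", homeAccountId: "constructed-id" };
  const frame = makeFakeFrame();
  postLoginHint(frame, parentAccount);
  const { data, targetOrigin } = frame.posted[0];

  // The child sees the message as a MessageEvent; origin is set by the browser.
  const loginHint = parseLoginHintEvent({ origin: PARENT_ORIGIN, data });
  const request = { scopes: ["openid", "offline_access"], loginHint };

  const withSession = await acquireTokenSilentFirst(makeFakeInstance(true), request);
  const withoutSession = await acquireTokenSilentFirst(makeFakeInstance(false), request);
  return { targetOrigin, loginHint, withSession, withoutSession };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The example deliberately does not write the access token to `localStorage`: MSAL keeps it in its own cache and hands it back from `acquireTokenSilent`, so a second copy only widens what a script injected into the page can read. Note also that a silent call inside a cross-origin iframe depends on the identity provider's session cookie being sent as a third-party cookie, so the silent path can fail in browsers that block those even when the parent page is logged in, which is why the fallback branch matters.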

sameerag commented 13 hours ago

This is something the B2C team can answer; we do not yet support custom brokering scenarios from MSAL JS. Please raise a ticket with the B2C team here.