AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Login via a bookmark leads to the unexpected behavior #7338

Open gauert-dasgip opened 3 days ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.1.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

2.0.3

Public or Confidential Client?

Public

Description

If a user sets a bookmark on the AAD B2C login page, it leads to problems with the login. The following scenario:

User A logs in: clicks the login button, is redirected to the login screen, enters his data, is successfully logged in and is redirected back to the application, then closes the browser without logging out.

User B opens the browser and navigates directly via the bookmark to the login screen, enters his data, is successfully logged in, is redirected back to the application and ends up in the session of user A.

This is not about protecting the session of user A, since the session of user A can also be used without logging in by simply opening the application (user A has not logged out), but about preventing the error situation in which user B accidentally and unknowingly uses the session of user A.

It would be helpful to be able to intercept and handle the unexpected redirect somehow.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

MSAL Configuration

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-react-samples/b2c-sample/src/authConfig.js without any change

Relevant Code Snippets

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples/b2c-sample/src without any change

Reproduction Steps

  1. Start b2c-sample from msal-react-samples as described in readme.
  2. Click Sign in using redirect
  3. Set a bookmark
  4. Log in with user A
  5. Expected: Redirect to the application and claims from user A are displayed
  6. Close the browser without logging out
  7. Open the browser
  8. Use bookmark from step 3 to get to the login screen
  9. Log in with user B
  10. Expected: Redirect to the application and claims from user B are displayed or there is an error
  11. Actual: Redirect to the application and claims from user A are displayed

Expected Behavior

I would have expected there to be an event for the unexpected redirect (state and nonce unknown), like the login failed event.

Identity Provider

Azure B2C Basic Policy

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

External (Customer)
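The check the reporter is asking for, written out as an added example that is not part of the issue, of MSAL, or of the b2c-sample: an authorization response arriving with a `state` the client never issued (the bookmarked login started in an earlier browser session) should be classified as unexpected rather than ignored, and the app should then decide explicitly what to do with the account that is still cached. The functions, the `pendingStates` set and the sample redirect URLs below are all assumptions constructed for the example; MSAL keeps its own request state internally and this code does not replicate its behaviour.

```javascript
// Added example, not MSAL code. Classifies an OAuth/OIDC redirect response by
// whether its `state` belongs to a request this client actually started.
// ASSUMPTION: the app records every state value it issued in `pendingStates`
// before redirecting to the IdP (MSAL does this internally; we keep our own
// set so the example runs stand-alone in Node or a browser).

// Parse the authorization response parameters from the redirect URL.
// B2C/MSAL deliver them in the fragment (response_mode=fragment); the query is
// accepted as a fallback so the same parser handles both shapes.
function parseAuthResponse(redirectUrl) {
  const u = new URL(redirectUrl);
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  const params = new URLSearchParams(fragment || u.search);
  const out = {};
  for (const key of ["code", "state", "error", "error_description", "id_token"]) {
    if (params.has(key)) out[key] = params.get(key);
  }
  return out;
}

// Outcome kinds for the app's redirect handler:
//   "no_response"  plain navigation, nothing to process
//   "expected"     code + state that this client started (state is consumed)
//   "error"        IdP error for a request this client started
//   "unexpected"   a response whose state this client never issued: the
//                  bookmark case, a replay of an already-consumed state, or
//                  a response with no state at all
function classifyRedirect(redirectUrl, pendingStates) {
  const resp = parseAuthResponse(redirectUrl);
  const isAuthResponse = "code" in resp || "error" in resp || "id_token" in resp;
  if (!isAuthResponse) return { kind: "no_response" };
  if (!resp.state || !pendingStates.has(resp.state)) {
    return { kind: "unexpected", state: resp.state ?? null };
  }
  pendingStates.delete(resp.state); // one-time use: a replayed state is unexpected
  if (resp.error) {
    return { kind: "error", error: resp.error, description: resp.error_description ?? "" };
  }
  return { kind: "expected", code: resp.code, state: resp.state };
}

// Policy for what to do with an already-cached account. The one case the
// issue describes is "unexpected" while a cached account exists: instead of
// silently landing user B in user A's session, clear the local cache and
// start a fresh login (the IdP's own SSO cookie will usually sign the
// current user in without a prompt). This is one reasonable policy, not a
// requirement; the point is that the case is surfaced rather than swallowed.
function decideSession(classification, cachedAccountUsername) {
  switch (classification.kind) {
    case "expected":
      return { action: "complete_login" };
    case "error":
      return { action: "show_error" };
    case "unexpected":
      return cachedAccountUsername
        ? { action: "clear_cache_and_relogin", stale: cachedAccountUsername }
        : { action: "restart_login" };
    default:
      return cachedAccountUsername ? { action: "use_cached_session" } : { action: "idle" };
  }
}

// Constructed walk-through of the issue's reproduction steps.
const pending = new Set(["state-from-user-A-session"]);
// User A: a response for a state this client issued.
const a = classifyRedirect("https://localhost:3000/#code=codeA&state=state-from-user-A-session", pending);
console.log(a.kind, decideSession(a, null).action); // expected complete_login
// Browser closed and reopened: `pending` is empty, user A's account is cached.
pending.clear();
// User B: logs in via the bookmark, which carries the old state.
const b = classifyRedirect("https://localhost:3000/#code=codeB&state=state-from-user-A-session", pending);
console.log(b.kind, decideSession(b, "userA@contoso.example").action); // unexpected clear_cache_and_relogin
```

Hooking this into an app means running it over `window.location.href` on load, before the cached account is treated as the signed-in user; which MSAL call to pair it with is left open here, since the reporter's point is precisely that the library does not surface this case as an event today.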