AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License
3.65k stars 2.65k forks

Refresh token silently with 3rd Party Cookies allowed - Error AADSTS50058 #7384

Open pr3d1ction opened 1 week ago

pr3d1ction commented 1 week ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.23.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

In our enterprise PWA app we try to make use of refreshing the token silently to avoid the users needing to re-login after a certain period. For doing this we make sure that the login.microsoftonline.com domain is added as per the documentation here: https://support.apple.com/en-euro/guide/deployment/depb4c146c2e/web

For just testing this, it's also enough to disable Prevent Cross-Site Tracking in the iPadOS settings (attention: this allows all 3rd-party cookies).

After the user is logged in, we added a button to refresh the token silently to test it out. When trying to refresh silently we get: "errorCode": "login_required", "errorMessage": "AADSTS50058: A silent sign-in request was sent but no user is signed in."

Is there anything else we need to take action on, or any other parameter to be set? The user has a valid session at the moment we invoke the MSAL method.

Any hints?

Thanks!

Error Message

No response

MSAL Logs

[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getActiveAccount: Active account filters schema found
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getAccountKeys called
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getAccount called
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getTokenKeys called
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-common@14.14.2 : Trace - CacheManager - getIdToken called
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getIdTokenCredential: cache hit
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-common@14.14.2 : Trace - getAliasesFromMetadata called with source: config
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-common@14.14.2 : Trace - getAliasesFromMetadata called with source: hardcoded_values
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-common@14.14.2 : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-common@14.14.2 : Info - CacheManager:getIdToken - Returning ID token
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-browser@3.23.0 : Verbose - acquireTokenSilent called
MSAL 11:07:32 | SilentRequest { "scopes": [ "URL" ], "forceRefresh": false, "cacheLookupPolicy": 5, "account": { "homeAccountId": "homeAccountId", "environment": "login.windows.net", "tenantId": "tenantId", "username": "username", "localAccountId": "localAccountId", "name": "name", "authorityType": "MSSTS", "tenantProfiles": [ [ "tenantProfiles", { "tenantId": "tenantId", "localAccountId": "localAccountId", "name": "", "isHomeTenant": true } ] ], "idTokenClaims": { "aud": "...", "iss": "....", "iat": 1729162731, "nbf": 1729162731, "exp": 1729166631 }, "idToken": "idToken" }}
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-browser@3.23.0 : Verbose - acquireTokenSilent called for the first time, storing active request
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function acquireTokenSilentAsync
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Info - Emitting event: msal:acquireTokenStart
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Verbose - Emitting event to callback XYZe: msal:acquireTokenStart
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function initializeSilentRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function initializeBaseRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Verbose - Authentication Scheme wasn't explicitly set in request, defaulting to "Bearer" request
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Returning result from initializeBaseRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Returning result from initializeSilentRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - isNativeAvailable called
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - isNativeAvailable: allowNativeBroker is not enabled, returning false
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Verbose - acquireTokenSilent - attempting to acquire token from web flow
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function acquireTokenFromCache
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Error occurred in acquireTokenFromCache
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - {"errorCode":"token_refresh_required","errorMessage":"Cannot return token from cache because it must be refreshed. This may be due to one of the following reasons: forceRefresh parameter is set to true, claims have been requested, there is no cached access token or it is expired.","subError":"","name":"ClientAuthError"}
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Info - Emitting event: msal:acquireTokenFromNetworkStart
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Verbose - Emitting event to callback XYZe: msal:acquireTokenFromNetworkStart
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function acquireTokenByRefreshToken
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Error occurred in acquireTokenByRefreshToken
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - {"errorCode":"token_refresh_required","errorMessage":"Cannot return token from cache because it must be refreshed. This may be due to one of the following reasons: forceRefresh parameter is set to true, claims have been requested, there is no cached access token or it is expired.","subError":"","name":"ClientAuthError"}
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-browser@3.23.0 : Verbose - Refresh token expired/invalid or CacheLookupPolicy is set to Skip, attempting acquire token by iframe.
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function acquireTokenBySilentIframe
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Executing function silentIframeClientAcquireToken
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function standardInteractionClientInitializeAuthorizationRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - getRedirectUri called
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function initializeBaseRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Authentication Scheme set to "Bearer" as configured in Auth request
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from initializeBaseRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Setting validated request account
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from standardInteractionClientInitializeAuthorizationRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - initializeServerTelemetryManager called
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function standardInteractionClientCreateAuthCodeClient
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function standardInteractionClientGetClientConfiguration
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function standardInteractionClientGetDiscoveredAuthority
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function authorityFactoryCreateDiscoveredInstance
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function authorityResolveEndpointsAsync
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getAuthorityMetadata: cache hit
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function authorityUpdateCloudDiscoveryMetadata
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Attempting to get cloud discovery metadata from authority configuration
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Found cloud discovery metadata from hardcoded values.
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from authorityUpdateCloudDiscoveryMetadata
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function authorityUpdateEndpointMetadata
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Attempting to get endpoint metadata from authority configuration
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from authorityUpdateEndpointMetadata
[Thu, 17 Oct 2024 11:07:32 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.setAuthorityMetadata called
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from authorityResolveEndpointsAsync
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from authorityFactoryCreateDiscoveredInstance
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from standardInteractionClientGetDiscoveredAuthority
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from standardInteractionClientGetClientConfiguration
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from standardInteractionClientCreateAuthCodeClient
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function silentIframeClientTokenHelper
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function standardInteractionClientInitializeAuthorizationCodeRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function generatePkceCodes
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function generateCodeVerifier
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function getRandomValues
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from getRandomValues
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from generateCodeVerifier
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function generateCodeChallengeFromVerifier
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function sha256Digest
Successfully preconnected to https://login.microsoftonline.com/
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from sha256Digest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from generateCodeChallengeFromVerifier
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from generatePkceCodes
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from standardInteractionClientInitializeAuthorizationCodeRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - isNativeAvailable called
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - isNativeAvailable: allowNativeBroker is not enabled, returning false
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function getAuthCodeUrl
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-common@14.14.2 : Trace - Executing function authClientCreateQueryString
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-common@14.14.2 : Verbose - createAuthCodeUrlQueryString: Adding login_hint from account
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : @azure/msal-common@14.14.2 : Trace - Returning result from authClientCreateQueryString
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Verbose - Replacing tenant domain name 72e15514-5be9-46a8-8b0b-af9b1b77b3b8 with id {tenantid}
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from getAuthCodeUrl
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function silentHandlerInitiateAuthRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function silentHandlerLoadFrameSync
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from silentHandlerLoadFrameSync
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from silentHandlerInitiateAuthRequest
[Thu, 17 Oct 2024 11:07:32 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function silentHandlerMonitorIframeForHash
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function removeHiddenIframe
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from removeHiddenIframe
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from silentHandlerMonitorIframeForHash
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function deserializeResponse
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Returning result from deserializeResponse
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Executing function handleCodeResponse
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Error occurred in handleCodeResponse
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - {"errorCode":"login_required","errorMessage":"AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z","subError":"","name":"InteractionRequiredAuthError","timestamp":"","traceId":"","correlationId":"","claims":"","errorNo":"50058"}
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - Error occurred in silentIframeClientTokenHelper
[Thu, 17 Oct 2024 11:07:33 GMT] : [xyzIDxyz] : msal.js.browser@3.23.0 : Trace - {"errorCode":"login_required","errorMessage":"AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z","subError":"","name":"InteractionRequiredAuthError","timestamp":"","traceId":"","correlationId":"","claims":"","errorNo":"50058"}
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.getServerTelemetry: cache hit
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - BrowserCacheManager.setServerTelemetry called
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Error occurred in silentIframeClientAcquireToken
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - {"errorCode":"login_required","errorMessage":"AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z","subError":"","name":"InteractionRequiredAuthError","timestamp":"","traceId":"","correlationId":"xyzIDxyz","claims":"","errorNo":"50058"}
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Error occurred in acquireTokenBySilentIframe
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - {"errorCode":"login_required","errorMessage":"AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z","subError":"","name":"InteractionRequiredAuthError","timestamp":"","traceId":"","correlationId":"xyzIDxyz","claims":"","errorNo":"50058"}
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Info - Emitting event: msal:acquireTokenFailure
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Verbose - Emitting event to callback XYZe: msal:acquireTokenFailure
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - Error occurred in acquireTokenSilentAsync
[Thu, 17 Oct 2024 11:07:33 GMT] : [] : @azure/msal-browser@3.23.0 : Trace - {"errorCode":"login_required","errorMessage":"AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z","subError":"","name":"InteractionRequiredAuthError","timestamp":"","traceId":"","correlationId":"xyzIDxyz","claims":"","errorNo":"50058"}
MSAL 11:07:33 | Error 3rd party cookies { "errorCode": "login_required", "errorMessage": "AADSTS50058: A silent sign-in request was sent but no user is signed in. Trace ID: 1b21d5f3-0878-4f5a-ac34-5e1ad9a30a00 Correlation ID: xyzIDxyz Timestamp: 2024-10-17 11:07:33Z", "subError": "", "name": "InteractionRequiredAuthError", "timestamp": "", "traceId": "", "correlationId": "xyzIDxyz", "claims": "", "errorNo": "50058"}
    writeToConsole @ main.a9d3d2ba3135d49e.js:2
    error @ main.a9d3d2ba3135d49e.js:2
    (anonymous) @ main.a9d3d2ba3135d49e.js:2
    (anonymous) @ main.a9d3d2ba3135d49e.js:2
    (anonymous) @ main.a9d3d2ba3135d49e.js:2
    error @ main.a9d3d2ba3135d49e.js:2
    _error @ main.a9d3d2ba3135d49e.js:2
    error @ main.a9d3d2ba3135d49e.js:2
    onInvoke @ main.a9d3d2ba3135d49e.js:2
    run @ polyfills.d75bcda12191eee1.js:2
    (anonymous) @ polyfills.d75bcda12191eee1.js:2
    onInvokeTask @ main.a9d3d2ba3135d49e.js:2
    runTask @ polyfills.d75bcda12191eee1.js:2
    K @ polyfills.d75bcda12191eee1.js:2
    invokeTask @ polyfills.d75bcda12191eee1.js:2

Network Trace (Preferably Fiddler)

MSAL Configuration

import { MsalService } from '@azure/msal-angular';
import { CacheLookupPolicy, SilentRequest } from '@azure/msal-browser';
import { Observable, of } from 'rxjs';
import { catchError, map } from 'rxjs/operators';

// ThirdPartyCookieTestResult, LogCategory, environmentService and logService
// are the app's own types and services.

// Builds the request handed to acquireTokenSilent; the caller decides whether
// to force a refresh and which cache layers MSAL may consult.
getSilentRequest(forceRefresh: boolean, cacheLookupPolicy: CacheLookupPolicy): SilentRequest {
  const request: SilentRequest = {
    scopes: this.environmentService.getEnvironment().auth.scopes,
    forceRefresh,
    cacheLookupPolicy,
    account: this.msalService.instance.getActiveAccount() || undefined
  };
  return request;
}

// Probe: CacheLookupPolicy.Skip bypasses the token cache, so the outcome
// reflects the hidden-iframe round trip to login.microsoftonline.com.
test3rdPartyCookies(): Observable<ThirdPartyCookieTestResult> {
  return this.msalService.acquireTokenSilent(this.getSilentRequest(false, CacheLookupPolicy.Skip)).pipe(
    map(authResult => ({ result: true, data: this.logService.cleanObjectAndStringify(authResult) })),
    catchError(error => {
      this.logService.error('Error 3rd party cookies', LogCategory.MSAL, [error]);
      return of({ result: false, data: this.logService.cleanObjectAndStringify(error) });
    })
  );
}

Reproduction Steps

  1. On iPadOS Safari, allow 3rd-party cookies: disable Prevent Cross-Site Tracking (in an enterprise environment this can be done specifically for some domains, i.e. login.microsoftonline.com).
  2. Log into your PWA app.
  3. Try to invoke acquireTokenSilent with cacheLookupPolicy set to CacheLookupPolicy.Skip (making sure it skips the cache).

Expected Behavior

We would expect the token to be refreshed without any user interaction.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Safari

Regression

No response

pr3d1ction commented 2 days ago

One more addition from our side. When testing the app on iOS 18 inside Chrome, acquireTokenSilent works. In Safari (our default browser) I see there are no cookies stored in this regard, which could answer the question why the error message points out that there is no user logged in. Is there any way to make sure the needed cookies are stored?

We enabled storeAuthStateInCookie, but still no cookies are stored in Safari.
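An added example, not code from the issue or from MSAL.js, covering both the silent-refresh probe described in the issue (acquireTokenSilent with CacheLookupPolicy.Skip) and the follow-up observation that Safari sends no login.microsoftonline.com cookie into the hidden iframe. It classifies the rejection MSAL returns (the same shape as the error objects in the log: name, errorCode, an errorMessage carrying an AADSTS code) and decides whether to fall back to a top-level redirect, which is a first-party navigation and therefore not subject to Safari's cross-site cookie blocking. storeAuthStateInCookie plays no part in this: it only persists MSAL's own request state (state/nonce) in a cookie on the app's origin for browsers that lose sessionStorage across a redirect, and does not create or affect the Entra session cookie the iframe needs. The SilentClient interface, FakeClient and constructedIssueError are this example's own constructs; the CacheLookupPolicy numbers are the ones @azure/msal-browser v3 exports (the log shows cacheLookupPolicy: 5, i.e. Skip).

```typescript
// Added example; not code from the issue or from MSAL.js. SilentClient,
// FakeClient and constructedIssueError are hypothetical stand-ins so the file
// runs without a browser or an Entra tenant.

// Numeric values of the CacheLookupPolicy enum exported by @azure/msal-browser v3
// (the issue's log shows "cacheLookupPolicy": 5, i.e. Skip).
const CacheLookupPolicy = {
  Default: 0,
  AccessToken: 1,
  AccessTokenAndRefreshToken: 2,
  RefreshToken: 3,
  RefreshTokenAndNetwork: 4,
  Skip: 5,
} as const;
type CacheLookupPolicyValue = (typeof CacheLookupPolicy)[keyof typeof CacheLookupPolicy];

// The fields MSAL.js puts on a rejected acquireTokenSilent promise (see the log).
interface MsalLikeError {
  name: string;         // "InteractionRequiredAuthError", "BrowserAuthError", ...
  errorCode: string;    // "login_required", "monitor_window_timeout", ...
  errorMessage: string; // Entra errors start with "AADSTS<number>: ..."
  subError?: string;
  errorNo?: string;
}

type SilentOutcome =
  | { kind: "ok" }
  // The hidden iframe reached Entra but carried no session cookie
  // (login_required / AADSTS50058): the third-party-cookie case in the issue.
  | { kind: "no_server_session"; aadsts: string | null }
  // Entra has a session but needs the user (consent, MFA, Conditional Access).
  | { kind: "interaction_required"; aadsts: string | null }
  // The iframe never posted back: the navigation itself was blocked or hung.
  | { kind: "iframe_blocked" }
  | { kind: "other"; errorCode: string };

// Pull the AADSTS error number out of an Entra error message, if there is one.
function extractAadsts(message: string): string | null {
  const m = /AADSTS(\d+)/.exec(message);
  return m ? m[1] : null;
}

function classifySilentError(err: MsalLikeError): SilentOutcome {
  const aadsts = extractAadsts(err.errorMessage ?? "");
  if (err.name === "InteractionRequiredAuthError") {
    if (err.errorCode === "login_required" || aadsts === "50058") {
      return { kind: "no_server_session", aadsts };
    }
    return { kind: "interaction_required", aadsts };
  }
  if (err.errorCode === "monitor_window_timeout") return { kind: "iframe_blocked" };
  return { kind: "other", errorCode: err.errorCode };
}

// Hypothetical narrow view of the MSAL client surface this helper touches.
interface SilentClient {
  acquireTokenSilent(req: { scopes: string[]; cacheLookupPolicy: CacheLookupPolicyValue }): Promise<{ accessToken: string }>;
  acquireTokenRedirect(req: { scopes: string[] }): Promise<void>;
}

// Probe: Skip bypasses every cache layer, so the outcome reflects only what
// Entra did with the hidden-iframe request (i.e. whether a cookie was sent).
async function probeSilentIframe(client: SilentClient, scopes: string[]): Promise<SilentOutcome> {
  try {
    await client.acquireTokenSilent({ scopes, cacheLookupPolicy: CacheLookupPolicy.Skip });
    return { kind: "ok" };
  } catch (e) {
    return classifySilentError(e as MsalLikeError);
  }
}

// Normal refresh: cache first, then network. Anything that needs the user goes
// to a top-level redirect exactly once; that navigation is first-party, so
// Safari's cross-site cookie blocking does not apply to it. Unknown errors are
// rethrown rather than turned into an interactive retry loop.
async function refreshOrPrompt(client: SilentClient, scopes: string[]): Promise<"silent" | "redirected"> {
  try {
    await client.acquireTokenSilent({ scopes, cacheLookupPolicy: CacheLookupPolicy.Default });
    return "silent";
  } catch (e) {
    if (classifySilentError(e as MsalLikeError).kind === "other") throw e;
    await client.acquireTokenRedirect({ scopes });
    return "redirected";
  }
}

// Constructed from the error object in the issue's log (IDs removed); not live data.
const constructedIssueError: MsalLikeError = {
  name: "InteractionRequiredAuthError",
  errorCode: "login_required",
  errorMessage: "AADSTS50058: A silent sign-in request was sent but no user is signed in.",
  subError: "",
  errorNo: "50058",
};

// Hypothetical client that behaves like Safari in the issue: every silent
// attempt rejects with the error above; redirects are counted, not performed.
class FakeClient implements SilentClient {
  redirects = 0;
  private readonly rejection: MsalLikeError;
  constructor(rejection: MsalLikeError) { this.rejection = rejection; }
  async acquireTokenSilent(): Promise<{ accessToken: string }> { throw this.rejection; }
  async acquireTokenRedirect(): Promise<void> { this.redirects += 1; }
}

// Demo: the probe names the missing session cookie; the refresh path redirects.
const demo = new FakeClient(constructedIssueError);
void probeSilentIframe(demo, ["openid"]).then((o) => console.log("probe:", o));
void refreshOrPrompt(demo, ["openid"]).then((r) => console.log("refresh:", r, "redirects:", demo.redirects));
```

In a real app the FakeClient is replaced by the PublicClientApplication (or MsalService.instance), and the redirect should be triggered at most once per page load; if it returns to the app with the same no_server_session outcome, the Entra session itself is gone and the user has to sign in, not the app retry.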