CommunityToolkit / Graph-Controls

Set of Helpers and Controls for Windows development using the Microsoft Graph.
https://docs.microsoft.com/en-us/windows/communitytoolkit/graph/overview

MsalProvider uses unknown redirect URI, authentication fails #188

Open jasonjoh opened 2 years ago

jasonjoh commented 2 years ago

Describe the bug

When using the MsalProvider as documented and as in the sample, auth fails with AADSTS50011.

Request Id: 5e464c00-92a4-4a14-a5e6-f6c807527900 
Correlation Id: 70fa290d-da9e-4a48-ac59-98da60a73410 
Timestamp: 2022-04-29T14:51:55Z 
Message: AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-3827128064-569582487-4294593430-3382639814-4294318972-3676523608-2734131615' specified in the request does not match the redirect URIs configured for the application '3892d014-2554-4df7-a10b-9f1e5c0742e7'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Register an app in Azure AD using the redirect URI https://login.microsoftonline.com/common/oauth2/nativeclient.
  2. Configure your provider.

    string[] scopes = new string[] { "User.Read" };
    ProviderManager.Instance.GlobalProvider = 
        new MsalProvider("CLIENT_ID", scopes);
  3. Try to login with the LoginButton.

Expected behavior

Should login

Environment

NuGet Package(s): 
CommunityToolkit.Authentication.Msal 7.1.1
CommunityToolkit.Graph.Uwp 7.1.1

Windows 11 Build Number: (10.0; Build 22000)

App min and target version: Windows 10, version 2104 (10.0; Build 20348), Target Windows 11 (10.0; Build 22000)

Device form factor:
- [x] Desktop
- [ ] Xbox
- [ ] Surface Hub
- [ ] IoT

Visual Studio 
- [ ] 2017 (version: )
- [ ] 2019 (version: ) 
- [ ] 2019 Preview (version: )
- [x] 2022 (version: 17.1.6)

ghost commented 2 years ago

Hello jasonjoh, thank you for opening an issue with us!

I have automatically added a "needs triage" label to help get things started. Our team will analyze and investigate the issue, and escalate it to the relevant team if possible. Other community members may also look into the issue and provide feedback 🙌

michael-hawker commented 2 years ago

@jasonjoh this isn't an undocumented url, it's generated from calling this public API in the web authentication broker.

As used here:

https://github.com/CommunityToolkit/Graph-Controls/blob/15513b1861d6fa016165e61867c08ec05c0a70a0/CommunityToolkit.Authentication.Uwp/WindowsProvider.cs#L49

Did you try the steps in the url provided by the error message? https://aka.ms/redirectUriMismatchError

@shweaver-MSFT is this something we should call out in the docs, this url just needs to be registered in Azure right? As the default one is only recommended for embedded browsers?

shweaver-MSFT commented 2 years ago

If you don't mind, @jasonjoh, try out what @michael-hawker suggested. I'm curious if that works for you. The guidance in the README/docs certainly doesn't tell you to do this for the MsalProvider, so I can see why you are confused. When I wrote the docs it didn't seem to be a requirement to use that custom redirect URI, only for the WindowsProvider. But perhaps something has changed since then.

shweaver-MSFT commented 2 years ago

Oh actually... looking at this closer, I can see that you aren't specifying a redirect uri when you create the MsalProvider instance:

string[] scopes = new string[] { "User.Read" };
ProviderManager.Instance.GlobalProvider = 
    new MsalProvider("CLIENT_ID", scopes);

Somewhere in MsalProvider, if you don't provide a redirect uri it will attempt to figure it out for you. I think the part you missed is actually passing that redirect uri into the constructor:

string[] scopes = new string[] { "User.Read" };
string redirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";
ProviderManager.Instance.GlobalProvider = 
    new MsalProvider("CLIENT_ID", scopes, redirectUri);

I didn't think this was necessary, but I can tell by the error message you showed that Msal is picking a very different redirect uri than what the docs recommend. The other option is to go the other way, and add the url it listed in the error message back into your azure config.

jasonjoh commented 2 years ago

Yeah, it worked. That was the first thing I did to resolve the error, but opened this issue as it's not a great experience to have to run the app to get an error so you then know what redirect to add to your app registration. :D

I did try passing the static redirect to the constructor for MsalProvider, but that didn't work for me. I had to do this:

// Configure MSAL provider
var msalClient = PublicClientApplicationBuilder.Create(appId)
    .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
    .Build();
ProviderManager.Instance.GlobalProvider = new MsalProvider(msalClient, scopes.Split(' '));

jasonjoh commented 2 years ago

Just tried passing the redirect to the MsalProvider constructor again to verify. It seems to ignore the value and still use the ms-appx-web URL.
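The workaround from this thread, written out as an added example (not the toolkit's or the reporter's code): build the `IPublicClientApplication` yourself with the registered redirect URI, and verify the URI MSAL will actually send before handing the client to `MsalProvider`, so a mismatch surfaces at startup rather than as AADSTS50011 at sign-in. It assumes the `CommunityToolkit.Authentication` namespace for `MsalProvider`/`ProviderManager`, that `IAppConfig.RedirectUri` exposes the configured value, and uses `CLIENT_ID` as a placeholder for your own app registration.

```csharp
// Added example: explicit MSAL client so the redirect URI is controlled by the app,
// plus a startup check that it is one of the URIs registered in Azure AD.
using System;
using System.Linq;
using CommunityToolkit.Authentication;      // assumed namespace for MsalProvider
using Microsoft.Identity.Client;

public static class MsalProviderSetup
{
    // Redirect URIs added to the app registration (value taken from this thread).
    private static readonly string[] RegisteredRedirectUris =
    {
        "https://login.microsoftonline.com/common/oauth2/nativeclient",
    };

    public static MsalProvider Create(string clientId, string[] scopes)
    {
        // Passing redirectUri to the MsalProvider constructor is ignored (see above),
        // so set it on the PublicClientApplication directly instead.
        IPublicClientApplication msalClient = PublicClientApplicationBuilder
            .Create(clientId)
            .WithRedirectUri(RegisteredRedirectUris[0])
            .Build();

        // Fail fast: compare what MSAL will send against the registered list.
        string effective = msalClient.AppConfig.RedirectUri;   // assumed property
        if (!RegisteredRedirectUris.Contains(effective, StringComparer.Ordinal))
        {
            throw new InvalidOperationException(
                $"MSAL will send redirect URI '{effective}', which is not registered " +
                $"for client '{clientId}'. Register it or change WithRedirectUri().");
        }

        // MsalProvider accepts a prebuilt IPublicClientApplication (as in the thread).
        return new MsalProvider(msalClient, scopes);
    }
}

// Usage at app startup ("CLIENT_ID" is a placeholder):
// ProviderManager.Instance.GlobalProvider =
//     MsalProviderSetup.Create("CLIENT_ID", new[] { "User.Read" });
```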