MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Incomplete documentation about single tenant apps #71140

Closed Ubus99 closed 3 years ago

Ubus99 commented 3 years ago

Page doesn't describe how to set up single tenant desktop applications, redirect URLs using common are invalid for that purpose.

shashishailaj commented 3 years ago

@Ubus99 Thank you for your feedback. We will investigate and update the thread.

jmprieur commented 3 years ago

@Ubus99: I don't understand. This is clearly explained in the link in the paragraph https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#audience-for-interactive-token-acquisition ?

cc: @mmacy

mmacy commented 3 years ago

@jmprieur This looks like both a content clarity and a content completeness issue.

@Ubus99 please chime in if any of the below is incorrect, or if you have anything to add to help us clear things up.

Clarity

The clarity issue is two-fold.

First, this IF-THEN statement in the first bullet appears prominently under a Redirect URIs heading and presents only the common and the not-recommended urn forms of redirect URI. If I were looking for redirect URIs for my desktop app and landed on this article, I'd assume those two forms are the only two available.

Second, the link you refer to in "This is clearly explained in the link in the paragraph" appears in a section under a heading entitled Audience for interactive token acquisition - it doesn't mention redirect URIs in either the heading or the section text. Thus, if I were looking for redirect URI information for my desktop app and landed on this page, I'd skip over that section, especially because there's a more relevant section just below entitled Redirect URIs.

Completeness

Neither this article nor the app registration quickstart that's linked to in the Audience for interactive token acquisition section of this article specifies whether all desktop apps, regardless of sign-in audience, should use https://login.microsoftonline.com/common/oauth2/nativeclient, or if that's just "recommended" as we say in the quickstart:

Remediation (proposed)

Short term:

Long term:

Each application type (SPA, web app, desktop, etc.) should have an app registration tutorial dedicated only to that app type. These app type-specific tutorials would walk developers step-by-step through registering an app of that type, clearly explaining the redirect URI formats and other settings that are applicable to that app type. The current all-in-one quickstart doesn't cover any one app type in enough depth to give 100% clarity to developers on the settings they should be using for that app type, nor do the scenario articles on app registration.

Ubus99 commented 3 years ago

Thanks, @mmacy, that is exactly what I meant. When I wrote the issue I was quite confused and frustrated because even after looking in the documentation for hours, I still couldn't figure out which RedirectURL to use.

I am trying to write a single-tenant public client application in Java, using the interactive sign-in method here: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=java

To me, it is not quite clear if this counts as a web application, because this page and some others call it a desktop app, but others refer to the Java library as web-only.

As for the RedirectURI:

All in all, the same topics are repeated so many times on different pages that I sometimes question whether the information is outdated or from the old ADAL service; it would be nice to have it more centralized.

That being said, I am completely new to MSAL, so I might be misunderstanding something important.

jmprieur commented 3 years ago

Thanks for the explanation @mmacy and @Ubus99. Adding @navyasric for Java. We need to better explain the Java scenarios here as well, across the board. cc: @kalyankrishna1 as well.

Imho, the AADSTS50194 error you see @Ubus99 is not due to the redirect URI, but to the authority. Apparently there is a recent change in Azure AD (which I was not aware of), where the authority of your app needs to be tenanted if the app registration is tenanted. So far my understanding was that the resulting authority was the minimum of the app registration and the application.
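An added example (not code from this thread or from the MSAL4J project) of the point above in MSAL4J: for a single-tenant registration the authority names the tenant instead of common. CLIENT_ID and TENANT_ID are placeholders, and http://localhost is assumed as the redirect URI for the system-browser interactive flow.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.InteractiveRequestParameters;
import com.microsoft.aad.msal4j.PublicClientApplication;

import java.net.URI;
import java.util.Collections;

public class SingleTenantInteractiveSignIn {
    // Placeholders: substitute the values from your own app registration.
    private static final String CLIENT_ID = "<application-client-id>";
    private static final String TENANT_ID = "<directory-tenant-id>";

    // For a registration whose sign-in audience is "This org only", the authority
    // must name that tenant. Pointing such an app at the common authority is what
    // the comment above attributes the AADSTS50194 error to.
    private static final String TENANTED_AUTHORITY =
            "https://login.microsoftonline.com/" + TENANT_ID;

    // Assumption: the interactive flow opens the system browser and listens on
    // localhost, so the registration must list http://localhost as a redirect URI.
    private static final String REDIRECT_URI = "http://localhost";

    public static IAuthenticationResult signIn() throws Exception {
        PublicClientApplication app = PublicClientApplication.builder(CLIENT_ID)
                .authority(TENANTED_AUTHORITY)
                .build();

        InteractiveRequestParameters params = InteractiveRequestParameters
                .builder(new URI(REDIRECT_URI))
                .scopes(Collections.singleton("User.Read"))
                .build();

        // Blocks until the browser sign-in completes or fails.
        return app.acquireToken(params).join();
    }

    public static void main(String[] args) throws Exception {
        IAuthenticationResult result = signIn();
        System.out.println("Signed in as: " + result.account().username());
        System.out.println("Token expires: " + result.expiresOnDate());
    }
}
```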

mmacy commented 3 years ago

@jmprieur @navyasric @kalyankrishna1 What are the necessary changes to accommodate @jmprieur's https://github.com/MicrosoftDocs/azure-docs/issues/71140#issuecomment-789717350:

Apparently there is a recent change in Azure AD (which I was not aware of), where the authority of your app needs to be tenanted if the app registration is tenanted.

Does @jmprieur's statement mean that we go with the second bullet in my https://github.com/MicrosoftDocs/azure-docs/issues/71140#issuecomment-789289206 above?

Remediation (proposed)

Short term:

  • Clarify in both articles whether https://login.microsoftonline.com/common/oauth2/nativeclient is indeed the recommended redirect URI to use, even if it's a single-tenant "LOB" application or app that supports MSA users only.
  • If, however, https://login.microsoftonline.com/common/oauth2/nativeclient is recommended only for multi-tenant apps (Any org and Any org + MSA), add details to both articles on which redirect URI format(s) are supported and/or recommended for single-tenant (This org only) LOB-style and MSA-only desktop apps.

If the second bullet is the correct one, what is the recommended redirect URI format for a tenanted desktop app?

mmacy commented 3 years ago

@Ubus99 I'm moving this issue over to our internal Azure DevOps instance for triage/scheduling in upcoming sprint planning. Thanks again for bringing this up! #please-close

Microsoft-internal tracking information:

ID: 1349205
Title: [ISSUE][71140] Incomplete documentation about single tenant apps