syncweek-react-aad / react-aad

A React wrapper for Azure AD using the Microsoft Authentication Library (MSAL). The easiest way to integrate AzureAD with your React for authentication.
MIT License

bug: Login Loop when user is unauthorised #211

Open zsid opened 4 years ago

zsid commented 4 years ago

Library versions

Describe the bug

We are using the implicit login flow, using redirect for the user to authenticate. When a user with valid credentials in our organisation tries to authenticate, but is not in the app user pool that we have specified in Azure AD, they get into an indefinite loop from our app to the Microsoft authentication page and back again.

I can see in the URL that we get back from authenticating with Microsoft that there is an error in it. I have seen a similar issue somewhere before where MSAL was not checking whether we had failed to authenticate before sending us back again to the authenticated page.

Expected behaviour

To Reproduce

Steps to reproduce the behaviour: let's set up the context as you having two environments, QA and Dev. In the Dev env, you have user credentials that are not valid in QA and vice versa.

  1. Log into Dev
  2. Go to your app in QA that is forcing authentication with a redirect
  3. You can see the constant redirect loop

Desktop (please complete the following information):

zsid commented 4 years ago

I have also mentioned the issue on the MSAL one. GitHub is very helpful to link it above 😄 Not sure what the error was though 🤔

zsid commented 4 years ago

This is the error I get in the url

http://localhost:3000/login#error=interaction_required&error_description=AADSTS50105%3a+The+signed+in+user+%27%7bEmailHidden%7d%27+is+not+assigned+to+a+role+for+the+application

andrewjmaguire commented 4 years ago

I am experiencing the same issue for accounts that do not have sufficient roles. I am using Chromium on Ubuntu.

GraemeF commented 4 years ago

I'm seeing a similar loop with error=interaction_required but in my case a different cause (an admin hasn't authorised the app on the users' behalf, so the user should be prompted to do so themselves). It seems to happen about once a day for users. When the refresh times out the looping stops, they sign in again and everything is fine again.

This is with Chrome on everything.

GraemeF commented 4 years ago

We have captured MSAL logs of the loop (starting at monitorWindowForHash, but could be anywhere as it loops...)

[MSAL] 1.3.2-Verbose monitorWindowForHash found url in hash
[MSAL] 1.3.2-Info Processing the callback from redirect response
[MSAL] 1.3.2-Info State status:true; Request type:LOGIN
[MSAL] 1.3.2-Info-pii Error :consent_required; Error description:AADSTS65001: The user or administrator has not consented to use the application with ID '[client-appreg-id]' named '[client-appreg-name]'. Send an interactive authorization request for this user and resource.
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 243cf152-4e3c-4e4b-ad91-96dcf5bab086_673c3cf3-031a-4181-a922-07d87e478733-msal.api_event
[MSAL] 1.3.2-Verbose Flushing telemetry events: 243cf152-4e3c-4e4b-ad91-96dcf5bab086
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 1386d347-d9b1-4ce9-ac5e-31a068f657e6_714cfde3-63e6-4749-8f62-0d62076216d1-msal.api_event
[MSAL] 1.3.2-Verbose Flushing telemetry events: 1386d347-d9b1-4ce9-ac5e-31a068f657e6
[MSAL] 1.3.2-Verbose AcquireTokenInteractive has been called
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose User session exists, login not required
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose AcquireTokenInteractive has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-1]_0f075bca-8b27-4048-b15a-09301561a9de-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event stopped: [client-request-guid-1]_0f075bca-8b27-4048-b15a-09301561a9de-msal.http_event
[MSAL] 1.3.2-Verbose Navigating window to urlNavigate
[MSAL] 1.3.2-Info-pii Navigate to:https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2F[tenantname].onmicrosoft.com%2Fwfm%2F[api-name]%2Fdev%2F[api-scope-id]%2Fuser_impersonation%20openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Faad-callback&state=[encoded-state-1]%3D&nonce=[nonce-guid-1]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-1]&response_mode=fragment
[MSAL] 1.3.2-Info Returned from redirect url
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: f3f4e31f-efbb-41bf-afcb-6136a7603d78_e99b8df7-e61a-40c4-8322-6205080ce01a-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose Telemetry Event started: f3f4e31f-efbb-41bf-afcb-6136a7603d78_c90b670d-f8fb-4a67-a343-2f7a1feaba09-msal.http_event
[MSAL] 1.3.2-Info Returned from redirect url
[MSAL] 1.3.2-Info Processing the callback from redirect response
[MSAL] 1.3.2-Info State status:true; Request type:RENEW_TOKEN
[MSAL] 1.3.2-Info State is right
[MSAL] 1.3.2-Info Fragment has access token
[MSAL] 1.3.2-Info The user object received in the response is the same as the one passed in the acquireToken request
[MSAL] 1.3.2-Verbose acquiring token interactive in progress
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-2]_3ce5be72-e5bd-4b54-a700-d22318d79c76-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: 4841b91c-29be-419d-9167-0a1821e849cb_c552353c-e876-4303-b03f-98b9d232affc-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-2]_1fe131b5-c60b-418b-8509-77be7965127c-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event started: 4841b91c-29be-419d-9167-0a1821e849cb_2ebc7237-d7aa-4f3e-9f4e-d9f18f51152d-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event stopped: [client-request-guid-2]_1fe131b5-c60b-418b-8509-77be7965127c-msal.http_event
[MSAL] 1.3.2-Verbose Authority has been updated with endpoint discovery response
[MSAL] 1.3.2-Verbose Renewing idToken
[MSAL] 1.3.2-Info renewidToken is called
[MSAL] 1.3.2-Info-pii Add msal frame to document:msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Verbose Renew Idtoken Expected state: [encoded-state-2]
[MSAL] 1.3.2-Info-pii Navigate to:https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Fauth.html&state=[encoded-state-2]&nonce=[nonce-guid-2]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-2]&prompt=none&response_mode=fragment
[MSAL] 1.3.2-Verbose-pii Set loading state to pending for: [client-appreg-id]|undefined:[encoded-state-2]
[MSAL] 1.3.2-Info-pii LoadFrame: msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 4841b91c-29be-419d-9167-0a1821e849cb_2ebc7237-d7aa-4f3e-9f4e-d9f18f51152d-msal.http_event
[MSAL] 1.3.2-Verbose Authority has been updated with endpoint discovery response
[MSAL] 1.3.2-Verbose Renew token for scope and authority: [client-appreg-id]|undefined is in progress. Registering callback
[MSAL] 1.3.2-Info-pii Add msal frame to document:msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Info-pii Frame Name : msalIdTokenFrame|[client-appreg-id]|undefined Navigated to: https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Fauth.html&state=[encoded-state-2]&nonce=[nonce-guid-2]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-2]&prompt=none&response_mode=fragment
[MSAL] 1.3.2-Verbose monitorWindowForHash polling started
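A guard that inspects the redirect fragment before calling loginRedirect() again, so the AADSTS50105 "not assigned to a role" error from the URL earlier in the thread and the AADSTS65001 consent error in the log above end the loop instead of re-triggering it. This is an added example, not react-aad or MSAL code; the sessionStorage key name and the shape of the loginRedirect callback are assumptions.

```javascript
// Added example (not react-aad or MSAL code): classify the implicit-flow
// redirect fragment BEFORE calling loginRedirect() again, so an error the
// user cannot fix by signing in again stops the redirect loop.
const AADSTS_NOT_ASSIGNED = "AADSTS50105"; // user not assigned to an app role
const AADSTS_NO_CONSENT = "AADSTS65001";   // user/admin has not consented
const ATTEMPT_KEY = "aad.redirectAttempts"; // assumed sessionStorage key name
const MAX_PROMPTS = 1;                      // prompt once, never loop

// Parse "#error=...&error_description=..." into a plain object.
// URLSearchParams decodes %xx escapes and "+" (space) for us.
function parseFragment(hash) {
  const fragment = hash.startsWith("#") ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Returns { action, error, code }:
//   "authenticated": a token came back, carry on.
//   "prompt": interaction can fix it (consent), redirect interactively once.
//   "stop": signing in again cannot help (not assigned), render an error.
//   "none": no token and no error, e.g. a fresh page load.
function classifyRedirect(hash) {
  const p = parseFragment(hash);
  if (p.access_token || p.id_token) return { action: "authenticated" };
  if (!p.error) return { action: "none" };
  const m = (p.error_description || "").match(/AADSTS\d+/);
  const code = m ? m[0] : null;
  if (code === AADSTS_NOT_ASSIGNED) return { action: "stop", error: p.error, code };
  if (code === AADSTS_NO_CONSENT) return { action: "prompt", error: p.error, code };
  // Any other interaction_required / consent_required: try once, then stop.
  const retryable = p.error === "interaction_required" || p.error === "consent_required";
  return { action: retryable ? "prompt" : "stop", error: p.error, code };
}

// Wrap loginRedirect so a "prompt" decision is acted on at most MAX_PROMPTS
// times per session. `storage` is sessionStorage (or anything with the same
// getItem/setItem API); `loginRedirect` is the app's MSAL call (assumed).
function guardedRedirect(decision, storage, loginRedirect) {
  if (decision.action === "authenticated") storage.setItem(ATTEMPT_KEY, "0");
  if (decision.action !== "prompt") return false;
  const attempts = Number(storage.getItem(ATTEMPT_KEY) || 0);
  if (attempts >= MAX_PROMPTS) return false;   // already prompted: stop looping
  storage.setItem(ATTEMPT_KEY, String(attempts + 1));
  loginRedirect({ prompt: "consent" });        // MSAL.js v1 request: { prompt }
  return true;
}
```

Run classifyRedirect(window.location.hash) in the redirect callback and only hand a "prompt" decision to guardedRedirect; a "stop" decision should render the error_description to the user rather than redirecting.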