unoplatform / uno.extensions

Libraries to ease common developer tasks associated with building multi-platform mobile, desktop and web applications using Uno Platform or WinAppSDK.
https://platform.uno/

[Authentication] After Uno.Sdk update, MSAL login on Windows using msal redirect url gives Microsoft.Identity.Client.MsalClientException #2443

Open VincentH-Net opened 1 month ago

VincentH-Net commented 1 month ago

Current behavior

After updating Uno.Sdk from 5.2.139 to 5.2.175, IAuthenticationService.LoginAsync gives this exception on Windows:

Microsoft.Identity.Client.MsalClientException: 'Only loopback redirect uri is supported, but msal<Application (client) ID guid>://auth/ was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details'

When downgrading Uno.Sdk back to 5.2.139, there is no exception and the native Windows account picker appears. However, NuGet reports a security vulnerability that is fixed by updating Uno.Sdk, so downgrading is not an acceptable workaround.

MSAL configuration and code:

appsettings.json

{
  "MsalAuthentication": {
    "ClientId": "<Application (client) ID guid>",
    "Scopes": [ "User.Read" ],
    "RedirectUri": "msal<Application (client) ID guid>://auth"
  }
}

App.xaml.cs

.UseAuthentication(auth => auth.AddMsal(name: "MsalAuthentication"))

LoginViewModel.cs

public partial class LoginViewModel(
    IDispatcher dispatcher,
    IAuthenticationService authentication,
    // ...
) : BaseViewModel
{
    [RelayCommand]
    async Task Login()
    {
        bool success = await authentication.LoginAsync(dispatcher);
        // ...
    }
}

Workaround

Do what the exception message says:

1) Register an additional desktop application redirect URL in Entra ID
2) In code, for Windows only, set that URL:

    .UseAuthentication(auth =>
        auth.AddMsal(
#if WINDOWS
            c => c.Builder(b => b.WithRedirectUri("http://localhost:5001")),
#endif
            name: "MsalAuthentication"
        )
    )

However, this workaround opens the account picker in the web browser instead of using the native Windows account picker.

Expected behavior

I can update to the latest stable Uno Sdk and continue to use the native account picker on Windows with the Uno Auth Extensions.

How to reproduce it (as minimally and precisely as possible)

1) Register an Entra ID application with the msal redirect URL
2) Create a new Uno Platform solution with authentication and the Windows platform selected
3) Update the solution as shown in the code snippets under "Current behavior" above
4) Run the app and click on Login

Environment

NuGet Package(s): Uno.Sdk packages for:

    <UnoFeatures>
      CSharpMarkup;
      Material;
      Dsp;
      Hosting;
      Toolkit;
      Logging;
      LoggingSerilog;
      Mvvm;
      Configuration;
      Http;
      Serialization;
      Localization;
      AuthenticationMsal;
      Navigation;
      ThemeService;
    </UnoFeatures>

Package Version(s):

{
  "sdk": {
    "version": "8.0.300"
  },
  "msbuild-sdks": {
    "Uno.Sdk": "5.2.175"
  }
}

Affected platform(s):

Visual Studio:
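
To make the two redirect-URI modes in the exception concrete, here is an added example in plain MSAL.NET on Windows. It is not the Uno Auth Extensions and not code from the issue author or the Uno project. It assumes the Microsoft.Identity.Client and Microsoft.Identity.Client.Broker NuGet packages, a placeholder client ID, and that the caller supplies the parent window handle the WAM broker requires. It builds either a WAM-brokered client (the native Windows account picker; MSAL.NET documents ms-appx-web://microsoft.aad.brokerplugin/{client_id} as the broker redirect URI) or a system-browser client with the loopback redirect the exception asks for, and validates the loopback URI at build time so a misconfigured one fails before LoginAsync rather than inside it.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;          // NuGet: Microsoft.Identity.Client
using Microsoft.Identity.Client.Broker;   // NuGet: Microsoft.Identity.Client.Broker (WAM)

// Added example: plain MSAL.NET, not the Uno Auth Extensions and not code from the
// issue author or the Uno project. ClientId is a placeholder; the caller supplies the
// parent window handle that the WAM broker needs.
public static class MsalWindowsLogin
{
    public const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
    static readonly string[] Scopes = { "User.Read" };

    public enum Mode { WamBroker, SystemBrowserLoopback }

    // Redirect URI MSAL.NET documents for the Windows broker (native account picker).
    // It must be registered on the app's "Mobile and desktop applications" platform.
    public static string BrokerRedirectUri(string clientId) =>
        $"ms-appx-web://microsoft.aad.brokerplugin/{clientId}";

    // Loopback URI for the OS-browser flow. No port: MSAL binds a free port per sign-in,
    // and Entra ID matches a registered http://localhost against any port, so a fixed
    // port (like 5001 in the workaround above) is not required.
    public const string LoopbackRedirectUri = "http://localhost";

    // The rule the exception in the issue enforces: only http://localhost[:port] is
    // accepted when the OS browser handles the sign-in.
    public static bool IsLoopbackRedirectUri(string uri) =>
        Uri.TryCreate(uri, UriKind.Absolute, out var u)
        && u.Scheme == Uri.UriSchemeHttp
        && u.Host == "localhost"
        && (u.AbsolutePath == "/" || u.AbsolutePath == "");

    public static IPublicClientApplication Build(
        Mode mode,
        Func<IntPtr> parentWindow,                          // hypothetical caller-supplied HWND getter
        string loopbackRedirectUri = LoopbackRedirectUri)
    {
        var builder = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "common");

        if (mode == Mode.WamBroker)
        {
            // Native Windows account picker via WAM. The broker redirect URI is fixed
            // by MSAL; the app registration must list exactly this value.
            return builder
                .WithRedirectUri(BrokerRedirectUri(ClientId))
                .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
                .WithParentActivityOrWindow(parentWindow)
                .Build();
        }

        // Fail early with a clear message instead of an MsalClientException at login time.
        if (!IsLoopbackRedirectUri(loopbackRedirectUri))
            throw new ArgumentException(
                $"OS-browser sign-in needs http://localhost[:port], got '{loopbackRedirectUri}'",
                nameof(loopbackRedirectUri));

        return builder.WithRedirectUri(loopbackRedirectUri).Build();
    }

    public static async Task<AuthenticationResult> LoginAsync(IPublicClientApplication app, Mode mode)
    {
        // Silent first: reuse a cached account; go interactive only when MSAL says it must.
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Consent, MFA or an expired refresh token: interactive sign-in required.
            }
        }

        var interactive = app.AcquireTokenInteractive(Scopes);
        if (mode == Mode.SystemBrowserLoopback)
        {
            // Force the system browser; this is the path that requires the loopback redirect URI.
            interactive = interactive.WithUseEmbeddedWebView(false);
        }
        return await interactive.ExecuteAsync();
    }
}
```

The loopback listener MSAL opens is bound to 127.0.0.1 and only receives the authorization code once, so the security-relevant check is that the registered redirect URI in Entra ID is the loopback form (or the broker form) and nothing else; any other registered redirect URI for the same client ID widens where a code can be sent.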

VincentH-Net commented 1 month ago

Update: the issue still exists in "Uno.Sdk": "5.3.96"