unoplatform / uno.extensions

Libraries to ease common developer tasks associated with building multi-platform mobile, desktop and web applications using Uno Platform or WinAppSDK.
https://platform.uno/

[Authentication] After Uno.Sdk update, MSAL login on Windows using msal redirect url gives Microsoft.Identity.Client.MsalClientException #2443

Open VincentH-Net opened 4 months ago

VincentH-Net commented 4 months ago

Current behavior

After updating Uno.Sdk from 5.2.139 to 5.2.175, IAuthenticationService.LoginAsync gives this exception on Windows:

Microsoft.Identity.Client.MsalClientException: 'Only loopback redirect uri is supported, but msal<Application (client) ID guid>://auth/ was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. See https://aka.ms/msal-net-os-browser for details'

When downgrading Uno.Sdk back to 5.2.139, there is no exception and the native Windows account picker appears. However, NuGet reports a security vulnerability that is fixed by updating Uno.Sdk, so downgrading is not an acceptable workaround.

MSAL configuration and code:

appsettings.json

  "MsalAuthentication": {
    "ClientId": "<Application (client) ID guid>",
    "Scopes": [ "User.Read" ],
    "RedirectUri": "msal<Application (client) ID guid>://auth"
  }

App.xaml.cs

.UseAuthentication(auth => auth.AddMsal(name: "MsalAuthentication"))

LoginViewModel.cs

public partial class LoginViewModel(
    IDispatcher dispatcher,
    IAuthenticationService authentication,
    // ...
) : BaseViewModel
{
    [RelayCommand]
    async Task Login()
    {
        bool success = await authentication.LoginAsync(dispatcher);
        // ...
    }
}

Workaround

Do what the exception message says:

1) Register an additional desktop application redirect url in Entra Id
2) In code for Windows only, set that URL:

    .UseAuthentication(auth =>
        auth.AddMsal(
    #if WINDOWS
            c => c.Builder(b => b.WithRedirectUri("http://localhost:5001")),
    #endif
            name: "MsalAuthentication"
        )
    )

However, this workaround will open the account picker in the web browser instead of using the native Windows account picker.

Expected behavior

I can update to the latest stable Uno Sdk and continue to use the native account picker on Windows with the Uno Auth Extensions.

How to reproduce it (as minimally and precisely as possible)

1) Register an Entra Id application with the msal redirect url
2) Create a new Uno Platform solution with authentication and Windows platform selected
3) Update the solution as shown in the code snippets under "Current Behavior" above
4) Run the app and click on Login

Environment

NuGet Package(s): Uno.Sdk packages for:

    <UnoFeatures>
      CSharpMarkup;
      Material;
      Dsp;
      Hosting;
      Toolkit;
      Logging;
      LoggingSerilog;
      Mvvm;
      Configuration;
      Http;
      Serialization;
      Localization;
      AuthenticationMsal;
      Navigation;
      ThemeService;
    </UnoFeatures>

Package Version(s):

{
  "sdk": {
    "version": "8.0.300"
  },
  "msbuild-sdks": {
    "Uno.Sdk": "5.2.175"
  }
}

Affected platform(s):

Visual Studio:

VincentH-Net commented 3 months ago

Update: the issue still exists in "Uno.Sdk": "5.3.96"

agneszitte commented 1 month ago

Hi @VincentH-Net, are you still able to reproduce this issue with the latest stable Uno.Sdk 5.4.8, please?

VincentH-Net commented 1 month ago

Thanks for following up @agneszitte, I will recheck this Monday and update here.

In case the issue still exists, this may help to track it down:

As far as I can see, the issue was introduced when a vulnerability in the underlying MS lib forced Uno to update. So to get rid of that vulnerability build warning it is necessary to update the Uno lib, and then the issue is that you lose the native UX on Windows.

VincentH-Net commented 1 month ago

@agneszitte I rechecked with the latest stable "Uno.Sdk": "5.4.8"; the issue still exists.

VincentH-Net commented 1 month ago

@agneszitte It seems to be this MSAL issue

This comment points to this PR as the example to follow for how to use the native Windows broker.

That PR uses both .WithWindowsEmbeddedBrowserSupport() and .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows)) for Windows.

If that does restore the native Windows UX, you may need to implement it in the Uno wrapper for MSAL.
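The two Windows configurations discussed in this thread side by side: the loopback-redirect workaround from the first comment, which MSAL's exception message demands for the system-browser flow, and the Windows broker configuration from the MSAL PR linked above. This is an added example, not code from this issue or from Uno.Extensions. It assumes that Uno's AddMsal exposes MSAL's PublicClientApplicationBuilder through c.Builder(b => ...) exactly as the issue's own snippet uses it, that the Windows-only extension methods come from the Microsoft.Identity.Client.Desktop (WithWindowsEmbeddedBrowserSupport) and Microsoft.Identity.Client.Broker (WithBroker) packages, and that the caller can supply the main window handle; the class and method names are hypothetical.

```csharp
// Added example; not code from this issue or from Uno.Extensions.
// Assumptions: Uno's AddMsal exposes MSAL's PublicClientApplicationBuilder through
// c.Builder(b => ...) as the issue's own snippet does; the Windows-only extension methods
// come from the Microsoft.Identity.Client.Desktop (WithWindowsEmbeddedBrowserSupport) and
// Microsoft.Identity.Client.Broker (WithBroker) packages. Class and method names are hypothetical.
using System;
using Microsoft.Identity.Client;
#if WINDOWS
using Microsoft.Identity.Client.Broker;
using Microsoft.Identity.Client.Desktop;
#endif

public static class MsalWindowsSetup
{
    public enum WindowsLoginMode
    {
        LoopbackBrowser, // the workaround from the issue: system browser + http://localhost:<port>
        NativeBroker     // the approach from the linked MSAL PR: Windows broker (WAM), native picker
    }

    // Implements the rule quoted in the MsalClientException: for the system-browser flow on
    // Windows, only "http://localhost" or "http://localhost:<port>" is accepted as the redirect URI.
    // Checking it up front turns a login-time MSAL exception into a clear startup error.
    public static bool IsLoopbackRedirect(string redirectUri)
    {
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri))
            return false;

        return uri.Scheme == Uri.UriSchemeHttp
            && string.Equals(uri.Host, "localhost", StringComparison.OrdinalIgnoreCase);
    }

    // Call from the AddMsal configuration on Windows, e.g.:
    //   auth.AddMsal(
    //   #if WINDOWS
    //       c => c.Builder(b => MsalWindowsSetup.ConfigureForWindows(
    //                b, MsalWindowsSetup.WindowsLoginMode.NativeBroker,
    //                "http://localhost:5001", () => windowHandle)),
    //   #endif
    //       name: "MsalAuthentication")
    // where windowHandle is the app's main window HWND, obtained by the caller (not shown here).
    public static PublicClientApplicationBuilder ConfigureForWindows(
        PublicClientApplicationBuilder builder,
        WindowsLoginMode mode,
        string loopbackRedirectUri,
        Func<IntPtr> parentWindow)
    {
#if WINDOWS
        switch (mode)
        {
            case WindowsLoginMode.LoopbackBrowser:
                if (!IsLoopbackRedirect(loopbackRedirectUri))
                    throw new ArgumentException(
                        $"Windows redirect URI must be http://localhost or http://localhost:<port>, got '{loopbackRedirectUri}'.",
                        nameof(loopbackRedirectUri));

                // The identical URI must also be registered as a desktop-application redirect URI
                // in the Entra ID app registration, otherwise the token request is rejected server-side.
                return builder.WithRedirectUri(loopbackRedirectUri);

            case WindowsLoginMode.NativeBroker:
                // WithBroker routes the interactive request to the Windows broker (WAM), which shows the
                // native account picker; the broker needs the parent window handle to attach its UI.
                // The linked MSAL PR registers the embedded-browser support alongside it; MSAL uses the
                // browser when the broker is unavailable. Per MSAL's WAM documentation (not stated in
                // this issue) the app registration also needs the
                // ms-appx-web://microsoft.aad.brokerplugin/<Application (client) ID guid> redirect URI.
                return builder
                    .WithWindowsEmbeddedBrowserSupport()
                    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
                    .WithParentActivityOrWindow(parentWindow);
        }
#endif
        // Non-Windows targets (or an unknown mode) keep the wrapper's default configuration.
        return builder;
    }
}
```

The redirect URI check runs at host configuration time, so a misconfigured appsettings.json value (such as the msal<guid>://auth form from the original report) fails at startup with a message naming the offending key rather than at the first LoginAsync call; the broker branch is the one to try when the goal is the native account picker the issue asks for.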

agneszitte commented 1 month ago

> @agneszitte It seems to be this MSAL issue
>
> This comment points to this PR as the example to follow for how to use the native Windows broker.
>
> That PR uses both .WithWindowsEmbeddedBrowserSupport() and .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows)) for Windows.
>
> If that does restore the native Windows UX, you may need to implement it in the Uno wrapper for MSAL.

@VincentH-Net thanks a lot for the test and all the details, really appreciated! We will look at the details (cc @jeromelaban, @nickrandolph, @kazo0, @eriklimakc for info)