wrobins / cordova-plugin-msal

Use the newest Microsoft MSAL library in your Cordova-based project!
Apache License 2.0

Redirect back to app not working #13

Closed harishreddypothula1993 closed 4 years ago

harishreddypothula1993 commented 4 years ago

Hello, I am running my application locally and testing it on an emulator. I am running into an issue where, after the authentication, I am not able to redirect back to my application. I have added http://localhost to the reply URLs on the Azure portal. Your quick response would be much appreciated. Thanks

egrendonDev commented 4 years ago

To add additional information to the issue @harishreddypothula1993 is trying to solve.

1) This is an Ionic 4 app with Angular 8.
2) The Android Emulator -> Azure AD login works fine (login on MS is successful).
3) Azure AD redirect back to the Android Emulator is not working.

Error that is shown by the Azure AD

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application

The Azure AD instance has the following reply URLs in an attempt to redirect from Azure to the Android instance:

"replyUrlsWithType": [
    { "url": "http://localhost:4400", "type": "InstalledClient" },
    { "url": "http://llocalhost/tabs/tab1", "type": "InstalledClient" },
    { "url": "http://localhost/", "type": "InstalledClient" },
    { "url": "http://localhost", "type": "InstalledClient" },
    { "url": "http://localhost:4200/", "type": "InstalledClient" },
    { "url": "https://companyNameHere.com", "type": "InstalledClient" },
    { "url": "http://localhost:44321/", "type": "InstalledClient" },
    { "url": "https://localhost:44320", "type": "InstalledClient" },
    { "url": "http://localhost:44320", "type": "InstalledClient" },
    { "url": "http://localhost:8100/index.html", "type": "InstalledClient" },
    { "url": "http://localhost:8000/index.html", "type": "InstalledClient" },
    { "url": "http://localhost:8100/", "type": "InstalledClient" },
    { "url": "http://localhost:8000/", "type": "InstalledClient" },
    { "url": "https://login.microsoftonline.com/common/oauth2/nativeclient", "type": "InstalledClient" }
],

Also, I've included the "cordova-plugin-msal" init options object below:

const options = {
    authorities: [
        {
            type: 'AAD',
            audience: 'AzureADMultipleOrgs',
            authorityUrl: 'http://localhost/tabs/tab1',
            // authorityUrl: 'https://companyName.com/.auth/login/aad/callback',
            // authorityUrl: 'http://localhost:8100',
            // authorityUrl: 'https://companyName.com',
            cloudInstance: 'MSALAzurePublicCloudInstance',
            default: true,
        }
    ],
    authorizationUserAgent: 'WEBVIEW',
    multipleCloudsSupported: false,
    brokerRedirectUri: false,
    accountMode: 'SINGLE',
    scopes: ['User.Read']
};

(aWindow as any).cordova.plugins.msalPlugin.msalInit(() => {
    debugger;
    // Success logic goes here
    console.log('***DEBUGGGGGGGGG* Finished msalPlugin.msalInit');
}, (err: any) => {
    // err has your exception message
    console.log(`*****************DEBUGGGGGGGGG*********** MOBILE msalPlugin.msalInit FAILED!!! ${err}`);
    debugger;
}, options);

wrobins commented 4 years ago

Hello and thanks for your questions!

To do your callback to android, you only need to add one URL to your reply URLs and it's a little bit different from your localhost URLs. I'll show you three ways to do this to get the same result, and for all three I'm going to give you two placeholders to fill in. One is your app's package name of com.whatever.whatever. The second is that android key hash that I described in this repo's README. You'll probably need to do this twice: one for your debug key, and one for your release key. But for simplicity's sake I'll just have you do it once for your debug key to get you going.

Option 1:

In your manifest, edit your replyUrlsWithType array to have one single object:

"replyUrlsWithType": [
    {
        "url": "msauth://com.your.package.name/y0Urk3yH4ShURLFri3ndLy%3D",
        "type": "InstalledClient"
    }
]

Note that you take your hash value that you got following the README and make it URL-friendly, which probably just means replacing the '=' at the end with '%3D', but put it through some URL sanitizer to be sure.

Option 2:

Using the regular/old experience of the Azure Portal, under app registrations>Your App>Authentication, under Redirect URIs, add an entry of type "Public client/native (mobile & desktop)" and a value of "msauth://com.your.package.name/y0Urk3yH4ShURLFri3ndLy%3D"

Option 3:

Using the NEW azure portal experience, under app registrations>Your App>Authentication, under Platform configurations, click + Add a Platform, choose Android, and follow the instructions. That will generate an entry identical to Options 1 and 2. It will also give you some helpful configuration hints to pass to MSAL.

Let me know if those instructions made sense and if you're able to authenticate!
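An added example, not code from the plugin or from this thread: it assembles the msauth:// redirect URI from the two placeholders above (package name and URL-encoded signature hash) and checks it against a manifest's replyUrlsWithType array using the exact-match rule behind AADSTS50011, flagging entries that differ only by encoding or a trailing slash. The package name, hash and manifest entries are constructed sample values.

```javascript
// Build the Android redirect URI: scheme msauth, host = package name,
// path = URL-encoded base64 signature hash ('=' padding becomes %3D,
// '/' becomes %2F, '+' becomes %2B). Inputs are validated first so a
// malformed value fails here rather than as an AADSTS50011 at sign-in.
function buildMsauthRedirectUri(packageName, keyHashBase64) {
  if (!/^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$/.test(packageName)) {
    throw new Error('invalid Android package name: ' + packageName);
  }
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(keyHashBase64)) {
    throw new Error('signature hash is not standard base64');
  }
  return 'msauth://' + packageName + '/' + encodeURIComponent(keyHashBase64);
}

// AAD compares the requested redirect_uri to the registered reply URLs as
// exact strings; only entries equal to the request count as a match.
function findMatchingReplyUrls(redirectUri, replyUrlsWithType) {
  return replyUrlsWithType.filter(function (entry) {
    return entry.type === 'InstalledClient' && entry.url === redirectUri;
  });
}

// Diagnostic: registered URLs that would match after percent-decoding and
// stripping a trailing slash, i.e. the near-misses that still fail exact match.
function nearMisses(redirectUri, replyUrlsWithType) {
  var normalise = function (u) { return decodeURIComponent(u).replace(/\/$/, ''); };
  return replyUrlsWithType
    .filter(function (e) { return e.url !== redirectUri && normalise(e.url) === normalise(redirectUri); })
    .map(function (e) { return e.url; });
}

// Constructed sample values (not a real app, key or tenant).
var samplePackage = 'com.example.app';
var sampleKeyHash = 'Ab/dEfGh1234567890abcdefghi=';   // 28-char base64, as a SHA-1 hash would be
var sampleReplyUrls = [
  { url: 'http://localhost', type: 'InstalledClient' },
  { url: 'msauth://com.example.app/Ab%2FdEfGh1234567890abcdefghi%3D', type: 'InstalledClient' },
  { url: 'msauth://com.example.app/Ab/dEfGh1234567890abcdefghi=', type: 'InstalledClient' } // unencoded near-miss
];

function checkSampleManifest() {
  var uri = buildMsauthRedirectUri(samplePackage, sampleKeyHash);
  return {
    redirectUri: uri,
    matches: findMatchingReplyUrls(uri, sampleReplyUrls).length,
    nearMisses: nearMisses(uri, sampleReplyUrls)
  };
}
```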

harishreddypothula1993 commented 4 years ago

That helped thanks

egrendonDev commented 4 years ago

@wrobins - Perfect, that's what we needed; option 1 worked for us.

harishreddypothula1993 commented 4 years ago

Hello Wrobins,

When we log in, it initially takes us to the Microsoft login page; after providing the email and clicking the next button, it takes us to the Organization (tenant) login page and then authenticates. We want to go to the Organization (tenant) login page as soon as the user clicks login. Do we need to add anything specific to the config to make this happen?

wrobins commented 4 years ago

Hello! When you call msalInit() and pass in your options object, in your authorities array, specify your default authority as something like

authorities: [
    {
        type: 'AAD',
        audience: 'AzureADMyOrg',
        authorityUrl: '',
        cloudInstance: 'MSALAzurePublicCloudInstance',
        default: true
    }
]

The audience by default is 'AzureADandPersonalMicrosoftAccount' which doesn't redirect people to a tenant's org page until it sees they have an org account. If you want to support outside accounts too, you could maybe try something like:

authorities: [
    {
        type: 'AAD',
        audience: 'AzureADMyOrg',
        authorityUrl: '',
        cloudInstance: 'MSALAzurePublicCloudInstance',
        default: true
    },
    {
        type: 'AAD',
        audience: 'AzureADandPersonalMicrosoftAccount',
        authorityUrl: '',
        cloudInstance: 'MSALAzurePublicCloudInstance',
        default: false
    }
]

Let me know if this gives you the behavior you want.

harishreddypothula1993 commented 4 years ago

Hi WRobins,

We have the same config, but we are still seeing the same behaviour of navigating to Microsoft and then to the tenant login:

authorities: [
    {
        type: 'AAD',
        audience: 'AzureADMyOrg',
        authorityUrl: '',
        cloudInstance: 'MSALAzurePublicCloudInstance',
        default: true
    }
]

wrobins commented 4 years ago

Hmm, have you passed your TENANT_ID variable when you installed the plugin? If not, make sure you supplied it. If you already did, another thing to try is setting brokerRedirectUri to true in your msalInit options.

harishreddypothula1993 commented 4 years ago

Yes, I did pass the TENANT_ID variable while installing the plugin. But it still doesn't solve our problem; if I change brokerRedirectUri to true, as soon as I open the app it closes and I see an "app stopped working" error.

wrobins commented 4 years ago

Hello! There's one more thing I can think of to check: back in your Azure portal, in your manifest, there is probably a JSON property near the bottom that is set by default to

"signInAudience": "AzureADandPersonalMicrosoftAccount",

If it's still set to that, change the value to "AzureADMyOrg" and see if that fixes it for you.

harishreddypothula1993 commented 4 years ago

Hello, we have had no luck with all the changes you suggested. Just to clarify, we had the same problem on desktop as well; we solved it there by passing extraQueryParameters: {domain_hint: tenant_id}. Is there a way we can send the domain_hint with this plugin?

wrobins commented 4 years ago

Hello! I will look into implementing this either today or tomorrow. If I run into any issues preventing me from doing this I'll let you know, but otherwise look out for it when version 2.1.0 comes out. I'll set it to close this issue when that happens as well.

Have a good one and thanks for your research! It helps make this plugin better.

harishreddypothula1993 commented 4 years ago

Hello, Any update on this?

wrobins commented 4 years ago

Hi again,

I apologize for the delay in getting this next release out - my day job has been using up most of my coding brain power! XD

I just released @v2.1.0 which should give you that capability. You can read the full list of new options for calling signInInteractive() near the bottom of the README, but the short version is, you should be able to do something like this now when signing someone in:

// mycbfunction(msg) and myerrorfunction(errmsg) are your own success and error callbacks
window.cordova.plugins.msalPlugin.signInInteractive(mycbfunction, myerrorfunction, {
    authorizationQueryStringParameters: [{ param: 'domain_hint', value: 'your-tenant-guid' }]
});

Please let me know if this solves your issue. Thanks!

harishreddypothula1993 commented 4 years ago

Hi Wrobins,

I have upgraded the version to 2.1.0 and now my app fails with the error message (Uncaught module cordova-plugin-msal.msalPlugin already defined) in the console. All I did was remove and re-add the plugin. If I go back to 2.0.1 the app works fine, with routing me to the Microsoft login page first and then to my tenant. Uploading the error message for reference.

imamdev commented 4 years ago

> Hi Wrobins,
>
> I have upgraded the version to 2.1.0 and now my app fails with the error message (Uncaught module cordova-plugin-msal.msalPlugin already defined) in the console. All I did was remove and re-add the plugin. If I go back to 2.0.1 the app works fine, with routing me to the Microsoft login page first and then to my tenant. Uploading the error message for reference.

I have seen the same error with iOS and switching back to 2.0.1.

wrobins commented 4 years ago

Hello, This is an issue that unfortunately seems to crop up in all Cordova apps sometimes. I think it sometimes duplicates imports when you upgrade plugins. Try following some of the tips from this post and let me know if this fixes it.

harishreddypothula1993 commented 4 years ago

Hello, I did try to safely remove and re-add the plugin, and I also created a brand new application and added this plugin as recommended, but I still see the same error in both cases. Here is the test repo where I am trying to use this plugin: https://github.com/harishreddypothula1993/TestMsalPlugin

johnathon101 commented 4 years ago

I am able to reproduce this as well under Ionic 4, Ng8. When the cordova.define wrapper is removed from the JavaScript adapter (msalplugin.js), the duplication error is not presented and the plugin loads fine. There is still a fatal error when the brokerRedirectUri flag is set to true and signInInteractive is called. Targeting Android@8. I will continue looking into this but wanted to update.

wrobins commented 4 years ago

Thanks @imamdev @harishreddypothula1993 and @johnathon101 for your work and feedback identifying this! I just released v2.1.2 that fixes this. Please let me know if it is indeed fixed when you upgrade the plugin.

johnathon101 commented 4 years ago

This can be closed, it is fixed.