Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp

Attempting ssoSilent with specified redirectUri different from Web Server

Closed this issue · 4 comments

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

  • msal@1.4.0

Description

When running the sample with just the base configuration such as below:

const msalConfig = {
  auth: {
    clientId: "<---my_application's-client-id-here--->",
    authority: "<---my-user-flow-authority-here->>",
    validateAuthority: false
  },
  cache: {
    cacheLocation: "sessionStorage", // This configures where your cache will be stored
    storeAuthStateInCookie: false // Set this to "true" to save cache in cookies to address trusted zones limitations in IE
  }
};

Everything runs fine, and attempting to use ssoSilent with a login hint of just an arbitrary string returns an

InteractionRequiredAuthError: AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'.

as expected.

However, placing a redirectUri property inside the msalConfig such as

redirectUri: "<--uri-registered-under-application-authentication-blade-->" //Such as https://jwt.ms

results in the same ssoSilent call returning another error

Uncaught (in promise) ClientAuthError: Token renewal operation failed due to timeout.

I am wondering if this is a bug or is this expected behavior, and if it is expected, what would be the recommended configuration for ssoSilent to function as before redirectUri is specified?

Thank you very much!

@JJHakiLe This is expected behavior, as redirect URIs for silent requests must be on the same domain as your application (MSAL will use the current page, by default). A redirect URI for a different domain can also be used for testing purposes with the redirect APIs (loginRedirect, acquireTokenRedirect).

@jasonnutter Right, I understand. I was just wondering if that was expected behavior. Thank you. So does that mean that silent requests can support different pages on the same domain? And that for a redirect URI on a different domain, a redirect API must be used? Thanks in advance.

So does that mean that silent requests can support different pages on the same domain?

@JJHakiLe Yes, MSAL.js supports setting the redirect URI on a per-request basis. This means you can use different redirect URIs for different token/login calls.

And that for a redirect URI on a different domain, a redirect API must be used?

The redirect URI used for a given operation must be on the same domain as your application, otherwise the operation will not complete successfully (for silent, popup, and redirect requests). A redirect URI for a different domain (e.g. jwt.ms) can be used only for testing purposes with login requests, but cannot be used for your deployed application.
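An added example, not code from the sample repo or from either commenter in this thread: it checks that a per-request redirectUri is same-origin with the page before calling ssoSilent (the cross-origin case above otherwise surfaces only as the renewal timeout) and falls back to loginPopup when B2C reports no session. The MSAL client is a constructed stand-in exposing only ssoSilent and loginPopup; app.example and the login hints are constructed values.

```javascript
// Returns { ok: true } when redirectUri is same-origin with pageOrigin, or unset
// (MSAL then defaults to the current page); otherwise { ok: false, reason }.
function checkSilentRedirectUri(redirectUri, pageOrigin) {
  if (redirectUri === undefined) return { ok: true };
  let target;
  try {
    target = new URL(redirectUri, pageOrigin); // relative URIs resolve against the page
  } catch (e) {
    return { ok: false, reason: `redirectUri is not a valid URL: ${redirectUri}` };
  }
  if (target.origin !== new URL(pageOrigin).origin) {
    return {
      ok: false,
      reason: `redirectUri origin ${target.origin} differs from page origin ${pageOrigin}; a silent request would only time out`,
    };
  }
  return { ok: true };
}

// Tries ssoSilent first; on InteractionRequiredAuthError (msal-core sets err.name
// to the class name) falls back to loginPopup. Rejects up front instead of waiting
// for "Token renewal operation failed due to timeout" when redirectUri is cross-origin.
async function loginSilentOrPopup(msalApp, request, pageOrigin) {
  const check = checkSilentRedirectUri(request.redirectUri, pageOrigin);
  if (!check.ok) throw new Error(check.reason);
  try {
    return { flow: "silent", response: await msalApp.ssoSilent(request) };
  } catch (err) {
    if (err && err.name === "InteractionRequiredAuthError") {
      return { flow: "popup", response: await msalApp.loginPopup(request) };
    }
    throw err; // other ClientAuthError/ServerError cases are not interaction problems
  }
}

// Constructed fake standing in for Msal.UserAgentApplication: it has an existing
// B2C session for exactly one login hint and otherwise fails like ssoSilent does.
const fakeMsalApp = {
  async ssoSilent(req) {
    if (req.loginHint === "alice@contoso.example") return { account: { userName: req.loginHint } };
    const err = new Error("AADB2C90077: User does not have an existing session and request prompt parameter has a value of 'None'.");
    err.name = "InteractionRequiredAuthError";
    throw err;
  },
  async loginPopup(_req) {
    return { account: { userName: "interactive-user" } };
  },
};
```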

I see, thank you very much for the information @jasonnutter. It has been very helpful to me :)