AzureAD/MSAL.PS

Primary refresh token missing in WebView2, unable to authenticate

Snaddr opened this issue · 4 comments

Snaddr commented

I have an enterprise app reg in Azure that is used as authentication to another enterprise app reg that exposes an API. I have been using MSAL.PS with Windows PowerShell 5.1 for a long time as a means of reaching this API directly from PowerShell, which works flawlessly (even with SSO). This produces the following WebView, which allows me to one-click sign-in:
(screenshot)

If I try the exact same flow in PowerShell Core (any version), the primary refresh token seems to be completely missing inside Edge's WebView2, as it shows the Device State is "unregistered" and I have to manually type in my details.
(screenshot)
Because the PRT is somehow missing, typing in your credentials manually is not gonna get you anywhere. Our conditional access policies require an AAD managed device, which blocks me from signing in as the request thinks my device is "unregistered" (hence why I think the PRT is missing). dsregcmd /status shows that my AzureAdPrt is fine.
(screenshot)

I'm definitely in over my head with this one, any feedback and/or attempts to help is greatly appreciated!

This is a bug in MSAL, where we shouldn't be using WebView2 because it cannot get SSO with Windows and cannot prove that the device is managed by your organization. We were not able to fix this issue, so we had MSAL use WebView1 when talking to AAD.

Snaddr commented

I ended up switching out MSAL.PS for this module, which works well: https://www.powershellgallery.com/packages/graph.auth.lite/1.0.1
I would love to see some sort of fix for this in MSAL.PS as well, but unfortunately I lack the knowledge for a pull request myself.

@Snaddr - I agree that using another module is the best path forward, but I would suggest that you use - https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0 - mainly because it's officially supported by Microsoft and signed by Microsoft.

For anyone running into this, you can also set UseEmbeddedWebView to false, it'll open a browser window instead of a popup.
Unfortunately it does mean you'll have to reauth on every token request.
I'm still on the lookout for a solution for that last part, be it using this module or a different solution.
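The workaround described in the last comment, as an added example that is not code from the thread or from MSAL.PS itself: a small wrapper that first tries the session's token cache silently and only then falls back to interactive sign-in with the system browser. The client ID, tenant, scope and API URL are placeholders, and the parameter names (`-Silent`, `-Interactive`, `-UseEmbeddedWebView`) are assumed from MSAL.PS's `Get-MsalToken`.

```powershell
# Added example (not from the issue thread or the MSAL.PS project):
# acquire a token for a protected API from PowerShell 7 using the system
# browser instead of the embedded WebView2 that reports the device as unregistered.
Import-Module MSAL.PS

# Placeholders: replace with the calling app registration, tenant and the API app's scope.
$AuthParams = @{
    ClientId = '00000000-0000-0000-0000-000000000000'
    TenantId = 'contoso.onmicrosoft.com'
    Scopes   = 'api://11111111-1111-1111-1111-111111111111/.default'
}

function Get-ApiToken {
    # First attempt: reuse a still-valid token from the in-session cache without prompting
    # (assumption: the cache is reachable in this session; the commenter above reports
    # having to re-authenticate on every request).
    try {
        return Get-MsalToken @AuthParams -Silent -ErrorAction Stop
    }
    catch {
        Write-Verbose "No cached token, falling back to interactive sign-in: $($_.Exception.Message)"
    }

    # Interactive fallback: -UseEmbeddedWebView:$false opens the default browser window
    # instead of the WebView2 popup, as described in the comment above.
    return Get-MsalToken @AuthParams -Interactive -UseEmbeddedWebView:$false
}

$Token = Get-ApiToken

# Placeholder API endpoint; the access token goes in the Authorization header.
Invoke-RestMethod -Uri 'https://api.example.invalid/v1/items' `
    -Headers @{ Authorization = "Bearer $($Token.AccessToken)" }
```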