Appreciate your clarification with regard to my below question.

Aassume I have a chain of downstream API calls to be made.
e.g
From client-spa application a request made to access api-A,
then api-A calls api-B, api-B needs to call api-C to satisfy api-A request.

How do you configure them in Azure? Any recommended best practice to manage these sort of integrations?

Describe the bug
the following code is raising an exception:

// OID is represented in id_token as a 32 digit number, while in MS Graph API, the
// preceeding 0s are omitted. The following operation adds the omitted 0s back.
int x = 32 - profile.Id.Length;
string graphID = new string('0', x) + profile.Id;

To Reproduce
I have tested the sample with Azure Active Directory set properly for API & SPA.
After being logged in, I clicked on the button Accepted on the SPA :

The PostProfileItem endpoint has been reached & profile.Id is filled with a GUID ("00000000-0000-0000-0000-000000000000").
var x = -4 which is not supported by the method new string('0', x)

Expected behavior
Not raise any exception on this subtraction

Many of the existing examples of SPA projects are either out of date, or not update to date.

Reactjs is a very popular front-end lib and I think it deserves some love. I did see Angular, but Reactjs is more popular then Angular, so if there is one example for Angular, I think there should also be one example for Reactjs.

Also, just wondering, when will this project be available?

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]

Important: Please fill in your exact version number above, e.g. [email protected].

Framework

azure/msal-browser: "^2.13.1"
.NET Core 3.1

Description

1. Cloned this git repository.
2. Followed the steps from readme in Azure AD.
3. Launched the server and the SPA, and successfully logged in.
4. Presented with "Welcome Onboard! You will now be asked to update your profile information." and the "Accept" button. Before clicking "Accept", the browser console output the following message:

GET https://localhost:44351/api/profile/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 404 serviceActions.js:9

Logging in with a "work" account I believe. This is my M365 business account, with custom domain name. This account was used for the Azure admin/tenant. Not sure if the user id is in a different format. I also invited a personal account as a guest user into the AAD tenant, but same error.

Not sure how to get the user profile information after logging in because of this error.

Error Message

GET https://localhost:44351/api/profile/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 404 serviceActions.js:9

Security

• Is this issue security related?

Regression

• Did this behavior work before?

Version:

MSAL Configuration

export const msalConfig = {
    auth: {
        clientId: "[Profile SPA AAD Client ID]",
        authority: "https://login.microsoftonline.com/[AAD Tenant ID]",
        redirectUri: "http://localhost:3000"
    },
    cache: {
        cacheLocation: "localStorage", // This configures where your cache will be stored
        storeAuthStateInCookie: false // Set this to "true" if you are having issues on IE11 or Edge
    },
}

Reproduction steps

Followed the same code in the repo, and steps within the readme.

Expected behavior

Browsers/Environment

• Chrome
• Firefox
• Edge
• Safari
• IE
• Other (Please add browser name here)

I was not able to get it working until I did these extra steps:

1. App registrations > ProfileAPI > API permissions > Delegated permissions, allow openid and profile as well. It seems that in the authConfig.js loginRequest scopes, you need them.
2. App registrations > ProfileAPI > Expose an API > Authorized client applications > Add a client application. In Client ID paste the app Id of ProfileSPA and make sure you check mark the scope of ProfileAPI Application ID URI.
3. App registrations > ProfileSPA > Authentication > select the "Access tokens" and "ID tokens" checkboxes.
4. When connecting it to enterprise account instead of personal accounts, App Registration > Authentication, select "Accounts in this organizational directory only (Single tenant)". Then change the authority to your tenant-id instead of the word "common". Change this on both the apps (ProfileSPA authConfig.js and ProfileAPI appSettings.json)

Library

@azure/msal-browser": "^2.1.0

Description

Trying to do OAuth with react SPA as the sample project demonstrated, but getting the following error message.

The react SPA project in the sample mentions no client secret, and only client ID is required. I registered my SPA APP and fulfilled the authConfig.js with info provided in AAD, and logged in via the following code:

    signIn = async(redirect) => {
        if (redirect) {
            return msalApp.loginRedirect(loginRequest);
        }

        return msalApp.loginPopup(loginRequest)
            .then(res => {
                console.info(res)
                return this.handleResponse
            })
            .catch(err => {
                console.info(err)
                this.setState({error: err.errorMessage});
            });
    }

The popup window displayed correct stuff and asked me if I agree to allow my APP to access my data. But after my confirmation, the login progress failed with the following error message.

Wondering Is there something I missed or doing wrongly in configuring the sample project?

Error Message

ServerError: invalid_client: 70002 - [2020-09-15 05:42:02Z]: AADSTS70002: The provided request must include a 'client_secret' input parameter.
Trace ID: e4cd2ef4-dd68-48fe-b61f-269d4ca30500
Correlation ID: 87b76c67-1b1b-4b88-b489-05c690f52498
Timestamp: 2020-09-15 05:42:02Z - Correlation ID: 87b76c67-1b1b-4b88-b489-05c690f52498 - Trace ID: e4cd2ef4-dd68-48fe-b61f-269d4ca30500
    at ServerError.AuthError [as constructor] (http://localhost:3000/static/js/1.chunk.js:450:20)
    at new ServerError (http://localhost:3000/static/js/1.chunk.js:3905:24)
    at ResponseHandler.validateTokenResponse (http://localhost:3000/static/js/1.chunk.js:4418:13)
    at AuthorizationCodeClient.<anonymous> (http://localhost:3000/static/js/1.chunk.js:4652:29)
    at step (http://localhost:3000/static/js/1.chunk.js:398:17)
    at Object.next (http://localhost:3000/static/js/1.chunk.js:329:14)
    at fulfilled (http://localhost:3000/static/js/1.chunk.js:281:24)

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]

Description

I'm using React. Is there a flag which is set on MSAL after redirect back to Application side and before handleRedirectPromise() ?

handleRedirectPromise() need few seconds to get the response users can still see Login page on App side.
I checked a lot of examples with React and MSAL 2.x and all of them have this issue :)

So basically the steps:

User clicks Login on App side.
User is redirected to MS page for Pass/MFA
User is redirected to App side.
User is seeing Login page again
After few seconds needed for handleRedirectPromise() to get response.
User is authenticated and redirected to Welcome page.

I read few articles and some people recommend to use new empty page before send user to Login page. But as I'm using React is there a cleaver way to achieve that?

Nuget packages should be updated to align with last breaking changes in all APIs :

Microsoft.AspNetCore.Mvc.NewtonsoftJson 3.1.3 => 3.1.6
Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation 3.1.3 => 3.1.6
Microsoft.EntityFrameworkCore 3.1.3 => 3.1.6
Microsoft.EntityFrameworkCore.InMemory 3.1.3 => 3.1.6

Microsoft.Graph 3.3.0 => 3.9.0
Microsoft.Graph.Core 1.20.1 => 1.21.1
Microsoft.Identity.Web 0.1.0-preview => 0.2.3-preview

& update deprecated Microsoft.Identity.Web API :
https://github.com/AzureAD/microsoft-identity-web/wiki/Migrating-from-0.1.x-to-0.2.x

I was not able to get it working until I did these extra steps:

1. App registrations > ProfileAPI > API permissions > Delegated permissions, allow openid and profile as well. It seems that in the authConfig.js loginRequest scopes, you need them.
2. App registrations > ProfileAPI > Expose an API > Authorized client applications > Add a client application. In Client ID paste the app Id of ProfileSPA and make sure you allow the scope of ProfileAPI Application ID URI.
3. App registrations > ProfileSPA > Authentication > select the "Access tokens" and "ID tokens" checkboxes.
4. When connecting it to enterprise account instead of personal accounts, App Registration > Authentication, select "Accounts in this organizational directory only (Single tenant)". Then change the authority to your tenant-id instead of the word "common". Change this on both the apps (ProfileSPA authConfig.js and ProfileAPI appSettings.json)

I have followed this guide and others showcasing the same scenario. I kept getting the "Insufficient privileges to complete the operation" error when calling var profile = await _graphServiceClient.Me.Request().GetAsync();.

I added extra permission (Directory.AccessAsUser.All) in my API registration section in Azure AD and I got it working. I didn't touch anything else.

Is this permission missing from the readme file in this repo, in particular in STEP 4 > ProfileAPI > item 6?

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]

Description

Please provide your question here, including as much relevant details as possible.

Examples:

"How do I use MSAL with Vue.js"
"How do I SSO between tabs?"
"How do I use MSAL to protect my custom Web API?"
"How can my app support multiple AAD tenants?"
"When will my scenario be supported?"
"When will this framework be supported"

Library

• @azure/[email protected]
• @azure/[email protected]

Description

scenario:
I have 2 applications. They are structured as follows

App1

• tra-spa-dev
• tra-api-dev

App2

• mr-spa-dev
• mr-api-dev

I have registered SPA and API applications in the Azure portal as stated in this tutorial.
With a successfully logged in user, the SPA application can access secured endpoints of the respective API.

Now I need to access "mr-api-dev" from "tra-api-dev", basically I need to access the down streem API.
So I added, mr-api-dev in to the API permissions list of tra-api-dev

I have added the following configuration in the tra-api-dev startup.cs class

`

 services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
            .EnableTokenAcquisitionToCallDownstreamApi()
            .AddDownstreamWebApi("mr", o => {
                o.BaseUrl = "http://localhost:5010/graphql";
                o.Scopes = "access_as_user";
            })
            .AddInMemoryTokenCaches();

`

AzureAD configuration settings are as follows:

`

AzureAd": {
   "Domain": "msaltestingjs.onmicrosoft.com",
   "ClientId": "api-clientid",
   "ClientSecret": "secret",
   "Instance": "https://login.microsoftonline.com/",
   "TenantId": "tenant-id"
}

`

From my "tra-api-dev" service class, I called the "mr-api-dev" API as follows:

Please note that I'm using GraphQLClient, hence I need to get a token explicitly to be added as a bearer token in the header.
So I used, ITokenAcquisition implementation to obtain a valid token.

`

var scopesToAccessDownstreamApi = new string[] { "api://[tra-api-dev application id]/access_as_user" };
var token = await _tokenAcquisition.GetAccessTokenForUserAsync(scopesToAccessDownstreamApi);
var query = MasterRecordQueries.FilterMasterRecords(filter);
_graphQLClient.HttpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {token}");
var response = await _graphQLClient.SendQueryAsync<FilterMasterRecordResponse>(query);
return response.Data;

`

However, the request didn't succeed. I get the following error in response headers.

`

{Date: Fri, 14 May 2021 05:55:05 GMT
Server: Kestrel
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience 'api://[tra-api-dev application id]' is invalid"

}

`

Appreciate it if someone could provide me with an insight into what's wrong with my implementation or configurations.

Please feel free to contact me if you require further information.

Library

• @azure/msal-browser": "^2.1.0

Description

I followed the example and get Bearer error="invalid_token", error_description="The signature key was not found" error in response when SPA request profile info from backend API, and I have no idea on how to resolve this because I checked everything and all looks good

What I Have Done

I modified backend's port number to 5001 (https, dev-cert installed), and I can confirm everything bellow is correct

The backend API route path is /api/profile/

• SPA application
  • registered in AAD
  • client ID acquired
  • redirect URL for oauth added to AAD
  • API permission added (Backend API's "access_as_user")
  • authConfig.js fully configured, as followed:

export const msalConfig = {
    auth: {
        clientId: "SPA'sclient ID",
        authority: "https://login.microsoftonline.com/consumers",
        redirectUri: "http://localhost:3000"
    }
}
export const apiConfig = {
    resourceUri: "https://localhost:5001/api/profile",
    resourceScope: "api://Backend API's client ID/access_as_user"
}

• Backend API application
  • registered in AAD
  • client ID acquired
  • client secret acquired
  • API permission added (for graph API) to AAD
  • API exposed for SPA, named "access_as_user", in AAD
  • Manifest file added SPA's client ID into list of KnownClientApplications
  • appsettings.json fully configured, as followed:

"AzureAd": {
    "Domain": "my account domain in AAD",
    "ClientId": "Backend API's client ID",
    "ClientSecret": "Backend API's secret",
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "my tenant ID"
  },

Error Info

The error occurs after a successful login, that when react SPA tries to call backend API to get profile info, the frontend logging is like this (I added logging info myself):

App.js:18 CLICK LOGIN
authProvider.js:116 DO SIGN IN
authProvider.js:78 HANDLE RESPONSE
authProvider.js:91 ACQUIRING TOKEN
App.js:21 SIGN IN FINISHED
ProfileContainer.jsx:25 TOKEN ACQUIRED
serviceActions.js:9 TRY TO GET PROFILE, SENDING ACCESS TOKEN TO BE
serviceActions.js:10 GET https://localhost:5001/api/profile/XXXX (401 Unauthorized)

I can see the token Bearer XXXX in the request header when SPA tries to GET profile info from backend, and the failed request's response is:

www-authenticate: Bearer error="invalid_token", error_description="The signature key was not found"

The Token I Acquired in SPA

Here is a sample parsed token info that I acquired (after the successful login) and sent to backend API:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "XXXX"
}
{
  "ver": "2.0",
  "iss": "https://login.microsoftonline.com/XXXX/v2.0",
  "sub": "XXXX",
  "aud": "I can confirm the audience here is backend API's client ID",
  "exp": 1601190191,
  "iat": 1601186291,
  "nbf": 1601186291,
  "name": "my name",
  "preferred_username": "my email",
  "oid": "my profile ID",
  "tid": "XXXX",
  "azp": "XXXX",
  "scp": "access_as_user",
  "azpacr": "0",
  "aio": "XXXX"
}

Any help would be really appreciated! I have been stuck on this for too long :(

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

• @azure/[email protected]

Description

Context: msalApp = PublicClientApplication

I'm just trying to figure out the flow of using the accessToken when calling my API from my SPA. The flow I have is to

• User opens the SPA, msalApp.Signin() is called and I store the account, username, accessToken, etc in the context
• User then clicks to go to the next screen which calls the API with the accessToken which was obtained during the login process

However, I get a 401 response. If I call msalApp.acquireTokenSilent() and use the accessToken from this response, it works fine.

So my question is am I supposed to call the msalApp.acquireTokenSilent() method before I make any API calls and just use the token directly the response and not worry about any local caching? I'm assuming this msalApp will handle all the token refreshing/caching for me and only get a new one if its expired?

In the past I've had to handle all this myself when I did some work with B2C.

Hi,

Anyone know why this sample has a note that says it won't work with an Azure work account? I'm struggling really hard on trying to get a React SPA to call a .NET Core Web API with Azure authentication. I'm wondering if I'm missing something fundamental with OAuth and single-tenant accounts. I was able to change the config files to use my tenant ID and my azure app domain to login successfully. I believe I also enabled Access Tokens as well. However, it fails when trying to access the graph user profile on this line:

line 85: ProfileController.cs
It's receiving a GUID as the profile.Id, but it's trying to modify it with 0s and the ID string is longer than expected and is trying to use a -4 to append 0s and fails.

I'm still trying to figure out the details, but is this possible with a work account?

Note talking about:
[!NOTE] This sample is configured to allow sign-ins with personal Microsoft accounts ONLY using the /consumers endpoint. Learn more about supported account types and validation differences between them.

Thank you guys very much for making this sample. This is helping me learn Azure Identity at lot. Any help or direction on where to go from here would be greatly appreciated!

Is it possible to make this app works with work/school MS accounts?
Now I'm getting error while trying to auth under my work account:

How can I get an OBO access token in a callback like:

[HttpPost]
public IActionResult ProcessData(string data)
{
    var processor = new Processor();

    processor.Finished += async (s, e) =>
    {
        var accessToken = await this
            ._tokenAcquisition
            .GetAccessTokenForUserAsync(new[] { "Files.ReadWrite" }, user: this.User);

        await WriteToOneDrive(accessToken, e.Data);
    };

    processor.processAsync(data); // Run async without awaiting

    return NoContent();
}

In this case the this.User is already disposed, and even without it, GetAccessTokenForUserAsync crashes with NullObjectException.

My process takes a very long time (hours).

How can I get the token inside a callback when I need it?

Logs:

Creating the AAD application (ProfileAPI)
Done creating the service application (ProfileAPI)
Getting access from 'service' to 'Microsoft Graph'
Set-AzureADApplication : Error occurred while executing SetApplication
Code: Request_BadRequest
Message: Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'.
RequestId: 96a0308b-f89a-4cdd-a37e-63d6448c875c
DateTimeStamp: Sat, 13 Jun 2020 02:16:04 GMT
Details: PropertyName  - resourceAppId, PropertyErrorCode  - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\v-alfila\ms-identity-javascript-react-spa-dotnetcore-webapi-obo\AppCreationScripts\Configure.ps1:336 char:4
+    Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId - ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.SetApplication

Describe the bug
Its in Fact a Question:
i have implemented this but in TypeScript and when implementing a component i connect this to the auth hook... state.. and then i see on my component repeated info. the state from the auth hook and same time the properties passed from the WrappedComponent.

... Is the Auth reducer really necesary? isAuthenticated property could also be passed on the WrappedComponent or not?

I did not Find a way to contact you sorry for the Issue...
thanks for your project it helped me to start on MSAL with React :)

Will this sample use Azure B2C? I'm looking for a B2C React wrapper library like the following project:
https://github.com/JamesRandall/react-azure-adb2c

This project is no longer maintained but needed...

Hi!
I followed the example and everything was just fine, but then I tried to implement the same approach in my existing application and got the following error: Bearer error="invalid_token", error_description="The signature is invalid". This is caused by the fact that the access token I get from AzureAD is intended for Microsoft Graph and not for my application (its headers are ["aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/5bb4edc8-7c6e-4911-97b0-06a9ef95dd6a/"], whereas the ones I get when following the example are ["aud": "3ef2f30b-0668-4aa1-868c-70b61e786299",
"iss": "https://login.microsoftonline.com/5bb4edc8-7c6e-4911-97b0-06a9ef95dd6a/v2.0"]).
The only difference I've made to the readme configuration was concerned with redirectUri (set to "https://localhost:44307/") and resourceUri (set to "http://localhost:5001/api/profile").
Could this be a reason for such a behavior? If not then what am I doing wrong?
Thanks in advance!

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]

Description

Please provide your question here, including as much relevant details as possible.

Examples:

"How do I use MSAL with Vue.js"
"How do I SSO between tabs?"
"How do I use MSAL to protect my custom Web API?"
"How can my app support multiple AAD tenants?"
"When will my scenario be supported?"
"When will this framework be supported"

Describe the bug
CallGraphApiOnBehalfOfUser could be awaited

Current behavior

var profile = CallGraphApiOnBehalfOfUser().GetAwaiter().GetResult();

Expected behavior

var profile = await CallGraphApiOnBehalfOfUser();

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]

Important: Please fill in your exact version number above, e.g. [email protected].

Framework

.NET Core 3.1

Description

API Won't build

Error Message

'AuthenticationBuilder' does not contain a definition for 'AddMicrosoftIdentityWebApi' and no accessible extension method 'AddMicrosoftIdentityWebApi' accepting a first argument of type 'AuthenticationBuilder' could be found (are you missing a using directive or an assembly reference?)

Security

• Is this issue security related?

Regression

• Did this behavior work before?

Yes

Version:

MSAL Configuration

// Provide configuration values here.
// For Azure B2C issues, please include your policies.

Reproduction steps

// Provide relevant code snippets here.
// For Azure B2C issues, please include your policies.

Expected behavior

Browsers/Environment

• Chrome
• Firefox
• Edge
• Safari
• IE
• Other (Please add browser name here)

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

• @azure/[email protected]
• @azure/[email protected]

Description

When adding scope it is requred (mandatory fields) to provide:
Admin consent display name:
Admin consent description:

But in the document it says we require to provide only the user consent fields.
Since it's mandatory, should we provide values to the above fields.

Please advise.

You are trying to copy the id field as id instead of Id and several exceptions are been thrown.

Library

• @azure/[email protected]

Description

The sample documentation says:

Submit your changes. When you sign-in next time, the application will recognize you and show you the profile associated with your Id in the database.

However, when I login the second time I get the Accept button again and clicking it throws a 500 from the backend because it's trying to create the user again.

Error Message

System.ArgumentException: An item with the same key has already been added.

Reproduction steps

• Follow the steps to create your profile in the system
• Refresh the page and Login again

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

• [email protected] or @azure/[email protected]
• @azure/[email protected]
• @azure/[email protected]
• @azure/[email protected]
• @azure/[email protected]

Description

Originally I used loginPopup to login a user if there were no tokens present but I've now moved to using loginRedirect and have setup the handleRedirectPromise to deal with this. My app calls the login part automatically when you hit it, so there is no button to press and what I am finding is the following cycle:

• User goes to app and hits loginRedirect
• Browser goes to MS to get token and comes back to the RedirectUrl which is the same app
• User still not authenticated so hits loginRedirect again but this throws an error
  • BrowserAuthError: interaction_in_progress: Interaction is currently in progress. Please ensure that this interaction has been completed before calling an interactive API.
• Promise from MS is returned and handleRedirectPromise is hit, user is authenticated

A colleague of mine is using the older version of msal-browser 1.3 and has the same scenario but he does not receive this error and he has found that there is code that actually handles this within the script of msal-browser.

Am I doing something wrong here or is this a bug? I can easily manage this scenario by setting a sessionStorage entry to indicate login in already in progress.