about:blank popup intermittently stays on on acquireTokenSilent/acquireTokenPopup

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x

Framework

React 16.4

  • Angular
  • React
  • Other

Description

Hi Folks,

I’m using the libraries with the following versions:

    "@azure/msal-browser": "^2.12.0",
    "@azure/msal-react": "^1.0.0-beta.0"

Post logout redirect URL is ${window.location.origin}/ and redirectUrl is redirectUri

The as you can see seems to be failing intermittently. See the attached recording where all is working fine for several times until around the 50th second mark of the video the about:blank window stays hanging.

Video clip recreating the issue

Any idea what I might be doing wrong? Thank you for the otherwise rock solid library.

Might be related to: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/2842

FYI: @tnorling, @jo-arroyo, @jasonnutter, @pkanher617

_Originally posted by @gabriel-kohen-by in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2842#issuecomment-792864888_

Error Message

MSAL Configuration

    // Provide configuration values here.
    // For Azure B2C issues, please include your policies.
    const msalProviderConfig = {
      type: 'popup',
      msalConfig: {
        auth: {
          clientId,
          authority,
          knownAuthorities: [authority],
          redirectUri,
          postLogoutRedirectUri,
        },
        system: {
          loggerOptions: {
            loggerCallback: getLoggerCallback(),
          },
        },
      },
      silentRequestConfig: {
        scopes: [scopes, 'offline_access'],
      },
      endSessionRequestConfig: {},
      loginRequestConfig: {
        scopes: [scopes, 'offline_access'],
      },
    };

Reproduction steps

Open a SPA page triggering getting of a token with

Expected behavior

Close any popup if we resolved the promise coming back from asking for an access token.

Identity Provider

  • Azure AD
  • Azure B2C Basic Policy
  • Azure B2C Custom Policy
  • ADFS
  • Other

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Regression

  • [X] Did this behavior work before? Version: MSAL 1.X

Security

  • Is this issue security related?

Source

  • Internal (Microsoft)
  • Customer request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 12

Top GitHub Comments

1 reaction
tnorling commented, Mar 19, 2021

@gabriel-kohen-by I was able to confirm my theory and reproduce this issue on my end. This is definitely unintended behavior and I’ll try to get a fix up soon. In the meantime the mitigation is to set your redirectUri to a page that does not open a popup on page load.

0 reactions
tnorling commented, Mar 11, 2021

> Sorry I misspoke about the SSO. I meant that in the second (and on) tab there is no interactive login anymore which seems because MSAL already knows it’s already logged in.

The server already knows you’re logged in. If you’re using session storage MSAL does not know you are logged in until you ask the server, which is what the popup is doing and why it doesn’t ask for creds.

> I thought that’s what I’ve seen in the dev samples. Is that incorrect?

The redirectUri can be whatever you like, it’s not for me to say it’s correct or incorrect.

It may be useful to understand how the auth flow works:

  1. Call loginPopup
  2. Popup navigates to AAD server to request an auth code
  3. Server prompts for credentials, or not if already signed in
  4. Server redirects to your redirectUri with the auth code in the hash of the url
  5. MSAL running in the top frame reads the hash from the popup and closes the popup
  6. MSAL makes a POST request to server to exchange the auth code from the hash for tokens

Again, it seems all of this is working correctly even in the bad case being discussed here. But what I suggested previously is that it’s possible that the page you use as a redirectUri is automatically invoking loginPopup, resulting in a 2nd popup that never resolves. To confirm this theory you should try setting your redirectUri to a blank page that does not do this so that when the page is opened in the popup it merely serves up the hash for the top frame. You can do this on a per request basis:

    const request = {
        scopes: ["openid", "profile"],
        redirectUri: "/blank.html"
    }
    loginPopup(request)

I will note that if this is indeed what’s happening, it’s a regression. We should have code in place that blocks popups from opening more popups.
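One way an application could guard against the nested-popup case discussed in this thread, as an added example that is not part of the original issue or MSAL's own code: before auto-starting an interactive login on page load, check whether the page is itself running as the popup or is carrying an auth response in its hash. The function names and the constructed window-like objects are assumptions made for illustration.

```javascript
// Added example (not MSAL code): decide whether a page may auto-start a
// popup login. `win` is a window-like object; in a browser pass `window`.

// Parameters the server puts in the URL hash when it redirects back (step 4).
const AUTH_RESPONSE_KEYS = ["code", "error"];

function hashHasAuthResponse(hash) {
  // Strip the leading "#" (or "#/" used by hash routers) before parsing.
  const params = new URLSearchParams((hash || "").replace(/^#\/?/, ""));
  return AUTH_RESPONSE_KEYS.some((key) => params.has(key));
}

// Returns null when login may start, otherwise the reason it is blocked.
function loginBlockReason(win) {
  // A window created by window.open() has an opener that is not itself.
  if (win.opener && win.opener !== win) return "popup";
  // A hidden iframe used for silent renewal has a different parent.
  if (win.parent && win.parent !== win) return "iframe";
  // opener can be null (for example when opened with noopener), so the
  // presence of an auth response in the hash is a second signal: this page
  // only has to serve the hash to the top frame (step 5), nothing more.
  if (hashHasAuthResponse(win.location.hash)) return "auth-response-in-hash";
  return null;
}

// Constructed sample windows (values are placeholders, not real responses).
function makeWindow(hash, opener) {
  const win = { location: { hash }, opener: opener || null };
  win.parent = win; // top-level browsing context
  return win;
}

const mainTab = makeWindow("");
const routedTab = makeWindow("#/dashboard");
const popupOnRedirectUri = makeWindow("#code=CONSTRUCTED&state=xyz", mainTab);
const detachedPopup = makeWindow("#code=CONSTRUCTED&state=xyz");
const silentFrame = makeWindow("");
silentFrame.parent = mainTab;

// In the application's startup code:
//   if (loginBlockReason(window) === null) { /* app starts its login here */ }
```
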
