
Authentication redirect exposes Id token

See original GitHub issue

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x

Description

I’m using the Angular MSAL library and Azure AD implicit flow to authorize users.

After signing in through the Microsoft page, I first get a redirect URL that exposes the id token and other response information in it before being redirected to the provided redirect URI. This URL with the token hash is then saved in the browser history, which is an obvious security risk.

So far I had no luck finding a solution to the issue anywhere.

Source

  • Internal (Microsoft)
  • Customer request
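The leak described in the issue comes from how the implicit flow works: the authorization server returns `id_token` (and, for access-token requests, `access_token`) in the URL fragment of the redirect URI, and the browser records that URL in its history before the application has had a chance to read it. The durable fix is to stop using the implicit flow and move to the authorization code flow with PKCE, which @azure/msal-browser 2.x implements and in which only a one-time `code` ever appears in the URL. The block below is an added example, not code from the issue author or from MSAL, showing the stop-gap a client can apply when it is still on the implicit flow: read the fragment once, then rewrite the current history entry with `history.replaceState` so the token-bearing URL does not survive in Back/Forward or the history list. The function names, the sample redirect URL, the sample token and the `fakeWindow` stand-in are all assumptions made for the example; a real app would call `scrubBrowserHistory(window)` before its router or any analytics script runs.

```javascript
// Added example for the implicit-flow fragment leak; not MSAL's own code.
// Assumed names: handleRedirectFragment, scrubBrowserHistory, idTokenClaims.

const TOKEN_RESPONSE_KEYS = new Set([
  "id_token", "access_token", "code", "state", "session_state",
  "token_type", "expires_in", "scope", "error", "error_description",
]);

// base64url helpers for JWT segments (btoa/atob/TextEncoder exist in browsers and Node 16+)
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// The claims exactly as anyone holding the history entry could read them.
// This does NOT validate signature, issuer, audience, nonce or expiry;
// the application must still do that before trusting the token.
function idTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Parse an implicit-flow response out of the URL fragment and return a URL
// with that fragment removed. A fragment that carries no response, such as
// Angular hash routing ("#/home"), is left untouched.
function handleRedirectFragment(urlString) {
  const url = new URL(urlString);
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  const response = {};
  for (const [key, value] of params) {
    if (TOKEN_RESPONSE_KEYS.has(key)) response[key] = value;
  }
  const hasTokenResponse = ["id_token", "access_token", "code", "error"]
    .some((k) => k in response);
  if (!hasTokenResponse) {
    return { hasTokenResponse: false, response: null, cleanUrl: urlString };
  }
  url.hash = "";
  return { hasTokenResponse: true, response, cleanUrl: url.toString() };
}

// Run this as early as possible on the redirect page. replaceState rewrites
// the current history entry in place; pushState would leave the old one behind.
function scrubBrowserHistory(win) {
  const result = handleRedirectFragment(win.location.href);
  if (result.hasTokenResponse) {
    win.history.replaceState(win.history.state, "", result.cleanUrl);
  }
  return result;
}

// Constructed sample (not a real token): a JWT with a placeholder signature
// and a redirect URL shaped like an implicit-flow response.
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({
    aud: "11111111-2222-3333-4444-555555555555", sub: "user-1", nonce: "n1",
  })),
  "c2lnbmF0dXJl", // placeholder signature segment
].join(".");

const SAMPLE_REDIRECT = "https://app.example.com/auth-callback"
  + "#id_token=" + SAMPLE_ID_TOKEN + "&state=abc123&session_state=ss1";

// Exercise the flow with a stand-in for window so it runs outside a browser.
function demo() {
  const fakeWindow = {
    location: { href: SAMPLE_REDIRECT },
    history: {
      state: null,
      replaced: null,
      replaceState(state, _title, url) { this.replaced = url; },
    },
  };
  const result = scrubBrowserHistory(fakeWindow);
  return {
    cleanUrl: fakeWindow.history.replaced,
    claims: idTokenClaims(result.response.id_token),
    state: result.response.state,
  };
}
```

Note that scrubbing only helps with the history entry on the client; the token has already travelled in the redirect, so it can still appear in proxy or browser-extension logs, and `replaceState` does nothing for a URL a user has already bookmarked or copied. That is why the PKCE code flow, which never puts a bearer token in a URL, is the real fix rather than this one.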

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 12 (7 by maintainers)

Top GitHub Comments

1 reaction
msftbot[bot] commented, May 12, 2021

🎉This issue was addressed in #3587, which has now been successfully released as msal@v1.4.11.🎉


0 reactions
Gyalomalom commented, May 10, 2021

@hectormmg Sorry, I didn’t see your comment. So the fix was merged into the main branch?


Top Results From Across the Web

  • Stealing OAuth Tokens With Open Redirects: The user obtains an identity assertion from the identity provider and uses that to authenticate to the service provider.
  • Redirect user with id_token as a parameter in redirect URL ...: I have been working with AADB2C Authentication and struggling over redirecting the user to home page with id_token as fragment in redirect ......
  • OpenID Connect (OIDC) authorization code flow mechanism: The Authorization Code Flow mechanism authenticates users of your web application by redirecting them to an OIDC provider, such as Keycloak, to log...
  • OAuth redirect after getting access token - Support: Registered a client ID with redirect_uri set to the landing ... The OAuth Login Redirect only works for grant types that include a...
  • Redirect with Actions: Learn how to use post-login Actions to redirect users before an authentication transaction is complete.
