Getting 'monitor_window_timeout' and 'X-Frame-Options set to deny' errors when logging in with a Facebook account

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.22.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.3.0

Description

We’re sometimes getting an error when logging in with Facebook. It’s hard to say how this error is triggered; it looks like the error occurs when we change between our applications or environments, but I don’t know the real trigger. Apparently this error is prompted only with Facebook accounts, and if I clear all the application cache storage and refresh the page, then I am able to log in correctly with a Facebook account.

Error Message

Refused to display 'https://www.facebook.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
Uncaught (in promise) Error: BrowserAuthError: monitor_window_timeout: Token acquisition in iframe failed due to timeout. For more visit: aka.ms/msaljs/browser-errors.

Msal Logs

sso-facebook-error

MSAL Configuration

{
  auth: {
    clientId: process.env.REACT_APP_AZURE_B2C_CLIENT_ID,
    authority: b2cPolicies.authorities.signUpSignIn.authority,
    knownAuthorities: [
      b2cPolicies.authorityDomain,
      b2cPolicies.authorities.signUpSignIn.authority,
      b2cPolicies.authorities.changePassword.authority,
      b2cPolicies.authorities.editProfile.authority,
    ],
    redirectUri: process.env.REACT_APP_AZURE_B2C_REDIRECT_URI,
    postLogoutRedirectUri: process.env.REACT_APP_AZURE_B2C_POST_LOGOUT_URI,
  },
  cache: {
    cacheLocation: 'localStorage',
  },
  system: {
    loggerOptions: {
      loggerCallback: (level, message, containsPii) => {
        if (containsPii) {
          return;
        }
        switch (level) {
          case LogLevel.Error:
            console.error(message);
            return;
          case LogLevel.Info:
            console.info(message);
            return;
          case LogLevel.Verbose:
            console.debug(message);
            return;
          case LogLevel.Warning:
            console.warn(message);
        }
      },
    },
  },
}

Relevant Code Snippets

Here is how we get the token silently:

instance
  .acquireTokenSilent({
    authority: b2cPolicies.authorities.signUpSignIn.authority,
    scopes: ['openid', process.env.REACT_APP_AZURE_B2C_SCOPES],
    account,
    forceRefresh: true,
  })
  .then(response => {
    if (response) {
      setUser({
        ...account.idTokenClaims,
        token: response.accessToken,
      });
    }
  })
  .catch(err => {
    if (err instanceof InteractionRequiredAuthError) {
      const request = {
        authority: b2cPolicies.authorities.signUpSignIn.authority,
        scopes: loginRequest.scopes,
        prompt: 'login',
      };
      return instance.acquireTokenRedirect(request);
    }
    throw Error(err);
  });

Reproduction Steps

  1. Go to the application URL and get redirected to the SSO login page
  2. Log in with a Facebook account
  3. SSO redirects back to the application with the error prompted in the console

Expected Behavior

  1. Go to the application URL and get redirected to the SSO login page
  2. Log in with a Facebook account
  3. SSO redirects back to the application and retrieves the token correctly

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Chrome, Firefox

Regression

No response

Source

External (Customer)

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 11 (7 by maintainers)
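
The console output in the issue shows the silent renewal's hidden iframe being refused by Facebook's 'X-Frame-Options: deny', and the resulting monitor_window_timeout is a BrowserAuthError, which the posted catch block does not treat as a reason to redirect. As an added example (not code from the issue or from MSAL.js), one way to route that timeout to a top-level redirect as well; classifySilentFailure, acquireTokenWithFallback and makeStubInstance are hypothetical names, and the stub is a constructed stand-in for the MSAL instance.

```javascript
// Added example; helper names are hypothetical, not part of MSAL.js.
// Error codes that mean "silent renewal cannot succeed, use a top-level flow".
const INTERACTIVE_FALLBACK_CODES = new Set([
  'interaction_required',
  'login_required',
  'consent_required',
  // Hidden-iframe renewal never completed, e.g. the identity provider's page
  // refused framing (X-Frame-Options: deny), as in the console output above.
  'monitor_window_timeout',
]);

// Decide what to do with a rejected acquireTokenSilent() call.
// Accepts any error-like object; MSAL errors expose `errorCode`.
function classifySilentFailure(err) {
  const code = err && typeof err.errorCode === 'string' ? err.errorCode : '';
  return INTERACTIVE_FALLBACK_CODES.has(code) ? 'interactive' : 'rethrow';
}

// Wrap silent acquisition: fall back to a redirect when renewal needs a
// top-level window, otherwise rethrow the original error object unchanged.
async function acquireTokenWithFallback(instance, silentRequest, redirectRequest) {
  try {
    return await instance.acquireTokenSilent(silentRequest);
  } catch (err) {
    if (classifySilentFailure(err) === 'interactive') {
      return instance.acquireTokenRedirect(redirectRequest);
    }
    throw err;
  }
}

// Constructed stand-in for the MSAL instance so the flow runs offline.
function makeStubInstance(errorCode) {
  const calls = [];
  return {
    calls,
    acquireTokenSilent: async () => {
      calls.push('silent');
      if (errorCode) throw Object.assign(new Error(errorCode), { errorCode });
      return { accessToken: 'constructed-token' };
    },
    acquireTokenRedirect: async () => { calls.push('redirect'); },
  };
}
```

Treating the timeout as a redirect trigger also sends a user through the sign-in page when the iframe timed out for an unrelated reason such as a slow network, so log the original error code before redirecting.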

Top GitHub Comments

1 reaction
msftbot[bot] commented, Mar 16, 2022

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @pkanher617 please follow up.

0 reactions
msftbot[bot] commented, Mar 27, 2022

@ranzolinrafa This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
