Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Hashchange seemingly not getting handled in auth code flow, and thus no access token is requested (Safari)

See original GitHub issue

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.21.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.2.0

Description

Somehow the seamless SSO in Safari does not perform an actual redirect for the auth code flow when using InteractionType.Redirect, but seemingly just adds the hash code directly to the URL.

(I’m not familiar with how seamless SSO works or any specifics of our seamless SSO configuration, so i cannot provide further details related to that.)

msal-browser/msal-react does not react to this hash change, and thus the user is left hanging with #code=XXX in the URL without requesting an access token.

The hacky fix below either reloads the page or creates a new instance when a hashchange containing “#code” is detected. That this works confirms that it is a problem of msal-browser/msal-react not reacting to an auth code provided this way.

Error Message

None

Msal Logs

No response

MSAL Configuration

const msalConfig: Configuration = {
  auth: {
    clientId: config.clientId,
    authority: "https://login.microsoftonline.com/" + config.tenantId,
    redirectUri: window.location.origin,
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: false,
  },
};

Relevant Code Snippets

// Including this serves as a temporary fix: 

window.addEventListener('hashchange', () => {
  if (window.location.hash.startsWith('#code')) window.location.reload();
});

// The library is used in the following way:

<MsalProvider instance={publicClientApplication}>
  <MsalAuthenticationTemplate
    interactionType={InteractionType.Redirect}
    authenticationRequest={authRequest}
    loadingComponent={LoginLoading}
    errorComponent={LoginError}
  >
    <BrowserRouter>
      <App />
    </BrowserRouter>
  </MsalAuthenticationTemplate>
</MsalProvider>

// It's also possible to fix it without reloading by creating 
// a new PublicClientApplication instance like so:

const HackyFix = () => {
  const getNewInstance = () =>
    // Our own custom function
    getMsalPublicClientApplication({
      clientId: environment.CLIENT_ID,
      tenantId: environment.TENANT_ID,
    });

  const [instance, setInstance] = useState(getNewInstance);

  useEffect(() => {
    window.addEventListener('hashchange', () => {
      if (window.location.hash.startsWith('#code')) setInstance(getNewInstance);
    });
  }, []);

  return (
    <MsalProvider instance={instance}>
      <MsalAuthenticationTemplate
        interactionType={InteractionType.Redirect}
        authenticationRequest={authRequest}
        loadingComponent={LoginLoading}
        errorComponent={LoginError}
      >
        <BrowserRouter>
          <App />
        </BrowserRouter>
      </MsalAuthenticationTemplate>
    </MsalProvider>
  );
};

Reproduction Steps

  1. I assume using seamless SSO is needed to reproduce the bug
  2. Clear localStorage or use a private window
  3. Access site in Safari
  4. Be left hanging with #code=XXX in the URL 😦

Expected Behavior

The library should request an access token when provided an auth code in the URL

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Safari

Regression

No response

Source

External (Customer)

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:1
  • Comments:9 (4 by maintainers)

github_iconTop GitHub Comments

2reactions
jasonnuttercommented, Feb 1, 2022

@mikkelmk @MagnusHJensen Thank you for the information, I’ll look to see if we can properly handle this in the library, thanks!

1reaction
davecarlilecommented, May 26, 2022

I solved this by adding a trailing slash to redirectUri. It turns out Safari was stripping the hash because it was not preceeded by a slash.

This works everywhere but safari and for certain users IOS Chrome: https://app.foo.com/auth/return#code=0.AVcAeMaRO0JAkE… This works everywhere I have tested: https://app.foo.com/auth/return/#code=0.AVcAeMaRO0JAkE

Read more comments on GitHub >

github_iconTop Results From Across the Web

Hashchange seemingly not getting handled in auth code flow, and ...
Hashchange seemingly not getting handled in auth code flow, and thus no access token is requested (Safari) #1275. Sign in to view logs....
Read more >
Code Not Exchanged For Tokens in iOS Auth Code Flow
The Authorization Code that follows from an authorize request is not exchanged for tokens as no subsequent request to the token end-point is...
Read more >
javascript - jQuery - hashchange event - Stack Overflow
For these browsers, I want to disable my JavaScript code that uses the hash and hashchange event. Is there a way with jQuery...
Read more >
BIG-IP 13.1.0.6 Fixes and Known Issues - AskF5 - F5 Networks
Workaround: There is no workaround other than to remove the HTTP/2 profile from the virtual server. 703171-1 : High CPU usage for apmd,...
Read more >
441: Nuxt, Auth, OAuth, M1 Updates, and Truths About Digital ...
Follow up on Chris' desk adventures, trying to work out Auth and OAuth with Nuxt, fixing a fixed header issue, more on Apple's...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Getting Token issued by V1 instead of V2

Next page

MSAL Angular w/ B2C SPA client code flow w/ pkce