MSAL JS 2.16.0 - 2.27.0 Getting 400 error from discovery URL and knowAuthority ClientConfigurationError when using a custom domain in Azure AD b2c

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.27.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.3.3

Description

When using the Angular 12 sample I am getting errors regarding the known authority and discovery URL:

I have the SPA application warning, but the first error comes into that sign-on as well. To note, when using the default common it works fine. I’ve added the knownAuthorities but it seems like it isn’t picking it up.

Also, is there a specific way to debug this in Angular?

Error Message

GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=<redact>/<redact>/b2c_1a_signup_signin/oauth2/v2.0/authorize 400 (

and this error:

ERROR Error: Uncaught (in promise): ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

Msal Logs

How can I turn this on?

MSAL Configuration

Here is my configuration:

```javascript
import { BrowserCacheLocation } from '@azure/msal-browser';

// Wrapper object and import added so the snippet parses on its own; isIE is the
// IE 11 detection flag defined earlier in the Angular sample.
const msalConfig = {
  auth: {
    // clientId: '6226576d-37e9-49eb-b201-ec1eeb0029b6', // Prod environment. Uncomment to use.
    clientId: '<redact>', // PPE testing environment
    // authority: 'https://login.microsoftonline.com/common', // Prod environment. Uncomment to use.
    // authority: 'https://login.windows-ppe.net/common', // PPE testing environment.
    authority: 'https://<redact>/<redact>/<redact>',
    knownAuthorities: ['<redact>.b2clogin.com'],
    redirectUri: 'http://localhost:4200',
    postLogoutRedirectUri: 'http://localhost:4200'
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage,
    storeAuthStateInCookie: isIE, // set to true for IE 11. Remove this line to use Angular Universal
  },
};
```


Relevant Code Snippets

Listed above

Reproduction Steps

  1. using the app to login by clicking login and either redirect or popup

Expected Behavior

For it to go to my login policy

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Chrome, Edge

Regression

No response

Source

Internal (Microsoft)

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
xtianus79 commented, Jul 8, 2022

Hi @mpminayo, I found the issue. I can’t call it a bug because I don’t know if that’s accurate, but to me it’s a bug because it broke the login.

So how did we get here? msal-browser.js v2.13.1 (which is the initial vanilla SPA application implementation I used) worked fine. No issues. When I moved to the Angular v2 sample to test it out, the error described above occurred. In my redaction, i.e., <redact>, I failed to explain that I am using a custom domain through a front-door policy.

So, the cadence being this https://<your-tenant-name>.b2clogin.com/your-tenant-name.onmicrosoft.com/your-signup-signin-policy then also requires you to add in a known authority, i.e., knownAuthorities, which I did add after I got an error about it.

However, when I got the error the first time without the known authority the message was this.

core.js:6498 ERROR Error: Uncaught (in promise): ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

When I added the knownAuthorities, I got this error message, which, as you can see, is the same error message.

core.js:6498 ERROR Error: Uncaught (in promise): ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

To summarize, I used this configuration:

https://<login.customdomain.com>/your-tenant-name.onmicrosoft.com/your-signup-signin-policy knownAuthority: ['<your-tenant-name>.b2clogin.com']

ERROR core.js:6498...

Then, I went on a wild bug hunt (for days) and I went back to the msal-browser: 2.13.1 code base and tried to figure out why that was working but the new upgrade wasn’t.

I then reverted the package.json to go from msal-browser: 2.27.0 to msal-browser: 2.13.1. Made a few code comment-outs so that it would run and boom, it was working with my previously mentioned setup.

It then dawned on me how this probably is working and should be working. I figure through updates code integrity is improved.

First (went back to msal-browser: 2.27.0) and I reverted this: **https://<login.customdomain.com>/your-tenant-name.onmicrosoft.com/your-signup-signin-policy** knownAuthorities: ['<your-tenant-name>.b2clogin.com']

to this: **https://<your-tenant-name.b2clogin.com>/your-tenant-name.onmicrosoft.com/your-signup-signin-policy** knownAuthorities: ['<your-tenant-name.b2clogin.com>']

Now, it worked! FML

Then, I thought, why does it not work when I use my custom domain and my base level knownAuthorities? What if I put a knownAuthorities with my custom domain, i.e., knownAuthorities: login.customdomain.com?

And now (with a custom domain in the knownAuthorities), this worked too 😐 **https://<login.customdomain.com>/your-tenant-name.onmicrosoft.com/your-signup-signin-policy** **knownAuthorities: ['<login.customdomain.com>']**

SMH

What’s odd to me is why does knownAuthorities take in an array when they are, in function, a 1 to 1 match? Meaning, I can only use 1 authority at a time, apparently, so what’s the point of having multiple knownAuthorities? Would be interested in learning how I could get into such a scenario.

So, either this is a bug and or perhaps a feature. I’ll let you explain that to me.
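
The host-matching behaviour worked out by trial and error in the comment above, as an added example: this is not MSAL's code and not taken from the library, it is a small model of the knownAuthorities check built on the assumption, consistent with the three configurations tried above, that only the hostname of the configured authority is compared against the knownAuthorities entries (tenant and policy path segments play no part). All tenant names and domains below are constructed placeholders.

```javascript
// Added example, not MSAL's source: a model of the knownAuthorities host check
// described in the comment above. Assumption: only the authority's hostname is
// compared, case-insensitively, against the knownAuthorities entries.
// All hostnames are constructed placeholders.

function authorityHost(authorityUrl) {
  // Host comparison is case-insensitive; scheme, port and path are ignored.
  return new URL(authorityUrl).hostname.toLowerCase();
}

function knownHost(entry) {
  // Entries may be written as bare hosts ("contoso.b2clogin.com") or as URLs;
  // reduce both to a lowercase hostname.
  if (entry.includes('://')) {
    return new URL(entry).hostname.toLowerCase();
  }
  return entry.split('/')[0].toLowerCase();
}

function isKnownAuthority(authorityUrl, knownAuthorities) {
  const host = authorityHost(authorityUrl);
  return knownAuthorities.some((entry) => knownHost(entry) === host);
}

// Mirrors the outcome the app sees: a trusted authority proceeds to endpoint
// discovery, an untrusted one fails before any network request is sent, which
// is the point of the check: the app only ever talks to hosts it listed.
function checkAuthority(authConfig) {
  const trusted = isKnownAuthority(authConfig.authority, authConfig.knownAuthorities);
  return {
    host: authorityHost(authConfig.authority),
    trusted,
    error: trusted ? null : 'ClientConfigurationError: untrusted_authority',
  };
}

// The three configurations tried in the comment, plus one that lists both hosts.
const tenant = 'contoso';                          // constructed tenant name
const policyPath = `${tenant}.onmicrosoft.com/b2c_1a_signup_signin`;
const customDomain = 'login.customdomain.example'; // constructed custom domain
const b2cDomain = `${tenant}.b2clogin.com`;

const attempts = {
  // 1. custom-domain authority, b2clogin.com known authority: untrusted_authority
  customDomainWithB2cKnown: {
    authority: `https://${customDomain}/${policyPath}`,
    knownAuthorities: [b2cDomain],
  },
  // 2. b2clogin.com authority with matching known authority: works
  b2cMatching: {
    authority: `https://${b2cDomain}/${policyPath}`,
    knownAuthorities: [b2cDomain],
  },
  // 3. custom-domain authority with matching known authority: works
  customDomainMatching: {
    authority: `https://${customDomain}/${policyPath}`,
    knownAuthorities: [customDomain],
  },
  // 4. both hosts listed: either authority host is accepted
  bothListed: {
    authority: `https://${customDomain}/${policyPath}`,
    knownAuthorities: [b2cDomain, customDomain],
  },
};

function evaluateAttempts() {
  const results = {};
  for (const [name, auth] of Object.entries(attempts)) {
    results[name] = checkAuthority(auth).trusted;
  }
  return results;
}

console.log(evaluateAttempts());
```

Under this model the array is a whitelist of every authority host the application may use, not a list of aliases for one host: a single entry is enough when the app always uses one authority, and the fourth configuration shows when more than one entry matters, namely when the same app is pointed at different authority hosts (for example a custom domain and the b2clogin.com domain) at different times.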

0 reactions
msftbot[bot] commented, Jul 24, 2022

@xtianus79 This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
