Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

MsalInterceptor do not set IdToken to Authorization header when I pass 'openid' scope

See original GitHub issue

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.14.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.0.0-beta.0

Description

As you mention in this comment I just need to set openid scope to intercept IdToken But it’s not working. Maybe I don’t understand something. Can you help my with this ?

Error Message

No response

Msal Logs

No response

MSAL Configuration

auth: {
        clientId: '440c91c9-8c58-42b0-b88f-f3284c583859',
        authority: `https://login.microsoftonline.com/${tenantId}/`,
        redirectUri: `${url}/ui-signin-oidc`,
        postLogoutRedirectUri: `${url}/`,
    },

Relevant Code Snippets

import { HTTP_INTERCEPTORS } from '@angular/common/http';
import { NgModule } from '@angular/core';
import { RouterModule } from '@angular/router';

import { environment } from '@app/env';
import { IconModule } from '@shared/icon';

import { DxLoadIndicatorModule } from 'devextreme-angular/ui/load-indicator';

import { AccessDeniedPageComponent } from './403/access-denied.page';
import { AuthGuard } from './auth.guard';
import { AuthInterceptor } from './auth.interceptor';
import { AuthService } from './auth.service';

import {
    MsalGuardConfiguration,
    MsalInterceptor,
    MsalInterceptorConfiguration,
    MsalModule,
    MsalService,
    MSAL_GUARD_CONFIG,
    MSAL_INSTANCE,
    MSAL_INTERCEPTOR_CONFIG,
} from '@azure/msal-angular';
import { BrowserCacheLocation, InteractionType, IPublicClientApplication, PublicClientApplication } from '@azure/msal-browser';
import { CodeInputModule } from 'angular-code-input';
import { CountdownModule } from 'ngx-countdown';

function MsalInstanceFactory(): IPublicClientApplication {
    return new PublicClientApplication({
        auth: {
            clientId: environment.auth.clientId,
            authority: environment.auth.authority,
            knownAuthorities: [environment.auth.authority],
            redirectUri: environment.auth.redirectUri,
            postLogoutRedirectUri: environment.auth.postLogoutRedirectUri,
            navigateToLoginRequestUrl: true,
        },
        cache: {
            cacheLocation: BrowserCacheLocation.LocalStorage,
            storeAuthStateInCookie: true,
        },
    });
}

function MSALGuardConfigFactory(): MsalGuardConfiguration {
    return {
        interactionType: InteractionType.Redirect,
    };
}

function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
    const protectedResourceMap = new Map<string, Array<string>>();
    // example how to use protected map in case we adapt backend to use access tokens
    protectedResourceMap.set('/api/*', ['openid']);

    return {
        interactionType: InteractionType.Redirect,
        protectedResourceMap,
    };
}

@NgModule({
    imports: [
        DxLoadIndicatorModule,
        MsalModule,
        CountdownModule,
        CodeInputModule,
        IconModule,
        RouterModule.forChild([
            {
                path: 'access-denied',
                component: AccessDeniedPageComponent,
            },
        ]),
    ],
    declarations: [AccessDeniedPageComponent],
    providers: [
        AuthService,
        AuthGuard,
        {
            provide: HTTP_INTERCEPTORS,
            useClass: MsalInterceptor,
            multi: true,
        },
        {
            provide: MSAL_INSTANCE,
            useFactory: MsalInstanceFactory,
        },
        {
            provide: MSAL_GUARD_CONFIG,
            useFactory: MSALGuardConfigFactory,
        },
        {
            provide: MSAL_INTERCEPTOR_CONFIG,
            useFactory: MSALInterceptorConfigFactory,
        },
        MsalService,
    ],
})
export class AuthModule {}

Reproduction Steps

  1. Configure app by this tutorial
  2. Set openid scope to protected resource map(protectedResourceMap.set('/api/*', ['openid']);)
  3. Try to get IdToken in Authorization header

Expected Behavior

If I set ‘openid’ scope, the MsalInterceptor will set IdToken to Authorization header

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox

Regression

No response

Source

Internal (Microsoft)

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:5

github_iconTop GitHub Comments

1reaction
tnorlingcommented, Jan 11, 2022

@var1ap-WA That should support access tokens. The openid scope will return an access token for MS Graph so audience validation in your middleware will fail. Without more information about what exactly is failing that would be my first guess as to why it’s not working with your current config. You should create a custom scope for your API on your app registration and then request this new scope instead of openid. Try that out and let me know how it goes.

0reactions
tnorlingcommented, Jan 12, 2022

@var1ap-WA This would be something you have to configure in your middleware. I’d suggest reaching out to the folks who maintain that to get some guidance on the correct configuration.

Read more comments on GitHub >

github_iconTop Results From Across the Web

MsalInterceptor renews token but Authorization header is ...
This can occur when the clientId of your application is set as the scope for a resource, which results in an ID token...
Read more >
Single-page application: Acquire a token to call an API
The pattern for acquiring tokens for APIs with MSAL.js is to first attempt a silent token request by using the acquireTokenSilent method. When ......
Read more >
Azure AD Msal Interceptor Access Token - angular
If I'm using access token that I get after login then error occur Invalid signature and if If used IdToken then 401 how...
Read more >
Microsoft Authentication Library for JavaScript (MSAL.js)
When the user makes a login request, you can pass in multiple resources and their corresponding scopes because AAD issues an idToken pre...
Read more >
angular msal refresh token | The AI Search Engine You Control
BlockI don't want to see this, for any search ... return next.handle(request); } const req = request.clone({ headers: request.headers.set('Authorization', ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

ProfileEdit no logout

Next page

(Cancel button) Error - Guard - error while logging in, unable to activate