Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
MsalInterceptor not acquiring tokens when endpoint contains query parameters
See original GitHub issueLibrary
-
msal@1.x.xor@azure/msal@1.x.x -
@azure/msal-browser@2.x.x -
@azure/msal-node@1.x.x -
@azure/msal-react@1.x.x -
@azure/msal-angular@0.x.x -
@azure/msal-angular@1.x.x -
@azure/msal-angular@2.0.0-beta.0 -
@azure/msal-angularjs@1.x.x
Framework
- Angular 11
- React
- Other
Description
Some web API endpoints contain query parameters. MsalInterceptor does not seem to acquire tokens for such endpoints (e.g. Azure Resource Manager API)
Error Message
API response:
zone.js:3324 GET https://management.azure.com/tenants?api-version=2020-01-01 401
core.js:5980 ERROR
HttpErrorResponse {headers: HttpHeaders, status: 401, statusText: "OK", url: "https://management.azure.com/tenants?api-version=2020-01-01", ok: false, …}
error:
error:
code: "AuthenticationFailed"
message: "Authentication failed. The 'Authorization' header is missing."
__proto__: Object
__proto__: Object
headers: HttpHeaders {normalizedNames: Map(0), lazyUpdate: null, lazyInit: ƒ}
message: "Http failure response for https://management.azure.com/tenants?api-version=2020-01-01: 401 OK"
name: "HttpErrorResponse"
ok: false
status: 401
statusText: "OK"
url: "https://management.azure.com/tenants?api-version=2020-01-01"
__proto__: HttpResponseBase
msal-angular logs:
[Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - Emitting event to callback 80777888-4672-4c37-a974-70e698762e80: msal:handleRedirectEnd
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-angular@2.0.0-beta.0 : Verbose - BroadcastService - msal:handleRedirectEnd results in setting inProgress to none
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - getAllAccounts called
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
auth-config.ts:30 [Thu, 11 Mar 2021 02:58:43 GMT] : : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
MSAL Configuration
export function MSALInstanceFactory(): IPublicClientApplication {
return new PublicClientApplication({
auth: {
clientId: 'CLIENT_ID',
authority: 'https://login.microsoftonline.com/TENANT_ID',
redirectUri: '/',
},
cache: {
cacheLocation: BrowserCacheLocation.LocalStorage,
storeAuthStateInCookie: isIE,
}
});
}
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
const protectedResourceMap = new Map<string, Array<string>>();
protectedResourceMap.set("https://management.azure.com/tenants?api-version=2020-01-01", ["https://management.azure.com/user_impersonation"]);
return {
interactionType: InteractionType.Redirect,
protectedResourceMap
};
}
Reproduction steps
Attempt calling an endpoint with query params:
this.http.get("https://management.azure.com/tenants?api-version=2020-01-01")
.subscribe((response: any) => {
// ...
})
Expected behavior
Tokens for such endpoints should be acquired as usual.
Identity Provider
- [ x ] Azure AD
- Azure B2C Basic Policy
- Azure B2C Custom Policy
- ADFS
- Other
Browsers/Environment
- [ x ] Chrome
- Firefox
- Edge
- Safari
- IE
- Other (Please add browser name here)
Regression
- Did this behavior work before? Version:
Security
- Is this issue security related?
Source
- Internal (Microsoft)
- [ x ] Customer request
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (3 by maintainers)
Top Results From Across the Web
Single-page application: Acquire a token to call an API
The pattern for acquiring tokens for APIs with MSAL.js is to first attempt a silent token request by using the acquireTokenSilent method.
Read more >Error in using MSAL library to authenticate users in azure b2c ...
It works when the unprotected resources array contains list of all the end points including ... Just adding the following Url does not...
Read more >@azure/msal-angular - GitHub Pages
MsalInterceptor will obtain tokens and add them to all your Http requests in API calls based on the protectedResourceMap . @NgModule({ imports: [...
Read more >Using MSAL Interceptor to Call APIs with User Access Token
Github: https://github.com/tamani-coding/angular- msal-interceptor -exampleSee Part 1: https://youtu.be/TkCKqeYjpv0(00:00): Intro and ...
Read more >Microsoft Authentication Library for Angular - npm
Include and initialize the MSAL module in your app module. ... Alternatively, you can also explicitly acquire tokens using the acquireToken ...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
@derisen @ozkoidi Thanks for your feedback! Changes have been made to the interceptor fix these issues, and will be available in the next msal-angular release.
This is a good change, cc: @jo-arroyo