Silent authentication is denied after a redirect
Library
msal@1.4.6
Framework
React 16
Description
When I use the redirect flow, the accessToken in the response I receive from handleRedirectCallback is set to null (from #1688 I gather that this is expected).
As suggested in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1688#issuecomment-637669135 I called acquireTokenSilent from within handleRedirectCallback to obtain the actual accessToken. When I do this, however, I get the following error:
InteractionRequiredAuthError: Silent authentication was denied. The user must first sign in and if needed grant the client application access to the scope 'files.read.all openid profile'.
Error Message
AuthError.ts:25 Uncaught (in promise) InteractionRequiredAuthError: Silent authentication was denied. The user must first sign in and if needed grant the client application access to the scope 'files.read.all openid profile'.
at InteractionRequiredAuthError.AuthError [as constructor] (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:12066:24)
at InteractionRequiredAuthError.ServerError [as constructor] (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:12640:24)
at new InteractionRequiredAuthError (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:12571:24)
at UserAgentApplication.saveTokenFromHash (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:10110:17)
at UserAgentApplication.processCallBack (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:9482:23)
at UserAgentApplication.handleAuthenticationResponse (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:9543:10)
at UserAgentApplication.<anonymous> (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:9201:20)
at step (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:15670:17)
at Object.next (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:15601:14)
at fulfilled (http://localhost:3000/plaain/static/js/vendors~main.chunk.js:15556:24)
MSAL Configuration
{
  auth: {
    clientId: CLIENT_ID,
  },
}
My scopes are ['user.read', 'files.read.all'].
Reproduction steps
My redirect handler:
userAgentApplication.handleRedirectCallback((_, response) => {
  if (response === undefined)
    throw new AuthenticationFailure(ProviderKind.OneDrive)
  resolve(silentLogIn(userAgentApplication))
})
with
const silentLogIn = async (
  userAgentApplication: UserAgentApplication,
): Promise<OneDriveAuthResponse> => {
  const {
    accessToken,
    account,
    expiresOn,
  } = await userAgentApplication.acquireTokenSilent({
    scopes: SCOPES,
  })
  return buildAuthResponse(accessToken, account.userName, expiresOn)
}
Expected behavior
Identity Provider
- Azure AD
- Azure B2C Basic Policy
- Azure B2C Custom Policy
- ADFS
- Other
Browsers/Environment
- Chrome
- Firefox
- Edge
- Safari
- IE
- Other (Please add browser name here) Probably happens in the other browsers too
Source
- Internal (Microsoft)
- Customer request
Issue Analytics
- State:
- Created 3 years ago
- Comments:6
Top GitHub Comments
@jonhue You can look through the Fiddler docs or use any network traffic capture software you’re more familiar with.
3rd party cookies are required for silent token acquisition in msal.js 1.x. If you need to support Safari I would highly recommend moving to msal-browser v2 as it uses the Auth Code flow with PKCE and does not rely on 3rd party cookies in most scenarios. If you have an existing app on 1.x that you’re not ready to migrate, the only solution is to use an interactive flow instead of silent.
v1 to v2 Migration Guide
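The interactive fallback recommended in the comment above, as an added example that is not code from the issue thread or from MSAL: when acquireTokenSilent is rejected with InteractionRequiredAuthError, switch to acquireTokenRedirect, and refuse to redirect again if the same denial recurs right after coming back, which is what happens when third-party cookies stay blocked. The function names, the guard key, the 60-second window and the stub client/store are assumptions made for the example; only the two msal 1.x method names and the error name come from the library.

```javascript
// Added example, not code from the issue. `client` needs only msal 1.x's
// acquireTokenSilent/acquireTokenRedirect; `store` is sessionStorage-like.
const GUARD_KEY = "auth.interactiveFallbackAt"; // hypothetical key name
const GUARD_WINDOW_MS = 60000; // assumed window for spotting a redirect loop

// Decide what to do with an error thrown by acquireTokenSilent.
function classifySilentFailure(error, store, now = Date.now()) {
  if (!error || error.name !== "InteractionRequiredAuthError") return "rethrow";
  const last = Number(store.getItem(GUARD_KEY));
  // A recent fallback means we just returned from a redirect and silent
  // acquisition is still denied (e.g. third-party cookies blocked).
  if (last && now - last < GUARD_WINDOW_MS) return "loop-detected";
  return "interactive";
}

async function getToken(client, request, store, now = Date.now()) {
  try {
    const response = await client.acquireTokenSilent(request);
    store.removeItem(GUARD_KEY); // silent path works, reset the guard
    return response;
  } catch (error) {
    const action = classifySilentFailure(error, store, now);
    if (action === "rethrow") throw error;
    if (action === "loop-detected") {
      throw new Error("Silent acquisition still denied after interactive fallback");
    }
    store.setItem(GUARD_KEY, String(now));
    client.acquireTokenRedirect(request); // navigates away in a real browser
    return null;
  }
}

// Constructed stand-ins so the example runs offline under Node.
function makeStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}
function makeBlockedClient() {
  const err = Object.assign(new Error("Silent authentication was denied."),
    { name: "InteractionRequiredAuthError" });
  const client = { redirects: 0 };
  client.acquireTokenSilent = () => Promise.reject(err);
  client.acquireTokenRedirect = () => { client.redirects += 1; };
  return client;
}
```

In a browser, pass window.sessionStorage as `store` so the guard survives the redirect round trip; the token then arrives in the handleRedirectCallback response rather than from getToken.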
@tnorling sorry for the late response! I just got around to migrating to v2 and as far as I can see, all works well! Thank you for helping out!