unprotectedResources coming from Router unprotect API endpoints

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.0.0
  • @azure/msal-angularjs@1.x.x

Important: Please fill in your exact version number above, e.g. msal@1.1.3.

Framework

Angular 9

Description

Currently, in the MsalService class constructor, if unprotectedResources are given, routes coming from Router are added to unprotectedResources. In most of our projects we have a correlation between app routes and REST API endpoints, for example: https://myApp/profile -> https://myApi/api/profile

Taking into account that routes were added to unprotectedResources, later, in the isUnprotectedResource method, the validation that checks whether an endpoint is in unprotectedResources returns true, although the endpoint wasn't added to them.

Security

Is this issue security related?

Regression

Did this behavior work before? Don’t Know

Configuration

Please provide your MSAL configuration options.

{
...
unprotectedResources: ['assets/i18n']
...
}

Reproduction steps

See description above

Expected behavior

Routes coming from Router don't unprotect API endpoints

Browsers

Is this issue browser-specific? no

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:1
  • Comments:5 (3 by maintainers)

Top GitHub Comments

1 reaction
jasonnutter commented, Jun 17, 2020

@MisterPhilip Does not providing unprotectedResources work as a mitigation?

0 reactions
mbendtsen commented, Aug 5, 2020

This took me 1½ days to figure out 😦 I can confirm that setting unprotectedResources to null fixes my issue.

function MSALAngularConfigFactory(config: ConfigService): MsalAngularConfiguration {
  return {
    popUp: true,
    consentScopes: [
      config.getSettings('resourceScope'),
      ...config.getSettings('loginRequest')
    ],
    // null (not []) so the constructor does not merge router paths into the list
    unprotectedResources: null,
    protectedResourceMap: [
      [
        config.getSettings('baseUrl'),
        [config.getSettings('resourceScope')]
      ]
    ],
    extraQueryParameters: {}
  };
}

NOTE: Setting unprotectedResources to an empty array [] does not work.
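The following is an added model of the behaviour described in the issue body and in the comment above; it is not msal-angular's own code, and every name in it (MsalConfigModel, mergeRoutes, isUnprotectedResource, wouldAttachToken, isUnprotectedResourceStrict, the sample routes and URLs) is an assumption chosen for the illustration. It assumes the two details the report implies: the constructor appends each router path to a provided unprotectedResources list, and the unprotected check is a substring match on the request URL. Under those assumptions it reproduces why a config of ['assets/i18n'] and an empty [] both leave https://myApi/api/profile without a token while null does not, and it shows a stricter same-origin, path-prefix check as a suggested alternative.

```typescript
// Added model of the msal-angular 1.x behaviour this issue reports. It is NOT the
// library's code; every name below is an assumption chosen for the illustration.

interface RouteModel { path?: string }            // stand-in for an Angular Route entry
interface MsalConfigModel {
  unprotectedResources?: string[] | null;
  protectedResourceMap?: [string, string[]][];
}

// Constructed sample data: the reporter's config value, a few app routes, and the
// API URL that mirrors the /profile route.
const APP_ORIGIN = 'https://myApp';
const ROUTES: RouteModel[] = [{ path: 'profile' }, { path: 'orders' }, { path: '' }];
const API_PROFILE = 'https://myApi/api/profile';
const PROTECTED: [string, string[]][] = [['https://myApi', ['api://myApi/.default']]];

// Constructor step as described: if unprotectedResources is provided (truthy, so []
// counts but null does not), every non-empty router path is appended to it.
function mergeRoutes(config: MsalConfigModel, routes: RouteModel[]): MsalConfigModel {
  const merged: MsalConfigModel = { ...config };
  if (merged.unprotectedResources) {
    const list = merged.unprotectedResources.slice();
    for (const r of routes) {
      if (r.path) list.push(r.path);
    }
    merged.unprotectedResources = list;
  }
  return merged;
}

// Check as described (assumed substring match): true when any unprotected entry
// occurs anywhere in the URL, so the route name "profile" also matches
// https://myApi/api/profile.
function isUnprotectedResource(config: MsalConfigModel, url: string): boolean {
  if (!config.unprotectedResources) return false;
  return config.unprotectedResources.some(res => url.indexOf(res) > -1);
}

// Would the interceptor attach a bearer token? Not if the URL counts as unprotected;
// otherwise only if some protectedResourceMap key occurs in the URL (assumed).
function wouldAttachToken(config: MsalConfigModel, url: string): boolean {
  if (isUnprotectedResource(config, url)) return false;
  return (config.protectedResourceMap || []).some(entry => url.indexOf(entry[0]) > -1);
}

// Outcome for the three configurations discussed in the thread.
function tokenOutcomes(): { given: boolean; empty: boolean; nulled: boolean } {
  const given = mergeRoutes({ unprotectedResources: ['assets/i18n'], protectedResourceMap: PROTECTED }, ROUTES);
  const empty = mergeRoutes({ unprotectedResources: [], protectedResourceMap: PROTECTED }, ROUTES);
  const nulled = mergeRoutes({ unprotectedResources: null, protectedResourceMap: PROTECTED }, ROUTES);
  return {
    given: wouldAttachToken(given, API_PROFILE),    // false: "profile" route unprotects the API
    empty: wouldAttachToken(empty, API_PROFILE),    // false: [] is truthy, routes still merged
    nulled: wouldAttachToken(nulled, API_PROFILE),  // true: nothing merged, nothing matched
  };
}

// Stricter alternative (a suggestion, not the library's check): resolve each entry
// against the app origin and require the same origin plus a path-prefix match, so a
// relative route path can never unprotect a request to a different host.
function resolveRef(ref: string, base: string): { origin: string; path: string } {
  const abs = /^([a-z][a-z0-9+.-]*:\/\/[^/]+)(\/.*)?$/i.exec(ref);
  if (abs) return { origin: abs[1].toLowerCase(), path: abs[2] || '/' };
  const b = /^([a-z][a-z0-9+.-]*:\/\/[^/]+)/i.exec(base);
  if (!b) throw new Error('base must be an absolute origin');
  return { origin: b[1].toLowerCase(), path: '/' + ref.replace(/^\/+/, '') };
}

function isUnprotectedResourceStrict(config: MsalConfigModel, url: string, appOrigin: string): boolean {
  if (!config.unprotectedResources) return false;
  const target = resolveRef(url, appOrigin);
  return config.unprotectedResources.some(res => {
    const entry = resolveRef(res, appOrigin);
    return entry.origin === target.origin && target.path.indexOf(entry.path) === 0;
  });
}
```

The `[]` versus `null` difference in the comment above falls out of the truthiness test: an empty array still passes `if (merged.unprotectedResources)`, so the router paths are merged into it and the substring check then matches the API URL, whereas `null` skips the merge entirely and the lookup falls through to protectedResourceMap. The strict variant keeps `assets/i18n` unprotected for `https://myApp/assets/i18n/en.json` but reports `https://myApi/api/profile` as protected, because the route entries only ever resolve to the SPA's own origin.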
