
bug: Login Loop when user is unauthorised


Library versions

  • react-aad-msal: 2.3.4
  • msal: 1.2.1

Describe the bug

We are using the implicit login flow, using redirect for the user to authenticate. When a user with valid credentials in our organisation tries to authenticate, they get into an indefinite loop from our app back to the Microsoft authentication page and back again when they are not in the app user pool that we have specified in Azure AD.

I can see that the URL we get back from authenticating with Microsoft has an error in it. I have seen a similar issue somewhere before where msal was not checking whether we had failed to authenticate before sending us back to the authenticated page again.

Expected behaviour

  • I would expect that if we have a failed authentication attempt because the user hasn't got permissions, we get an error and are not stuck in a loop.

To Reproduce

Steps to reproduce the behaviour: let's set up the context as you having two environments - QA and Dev. In the Dev env, you have user credentials that are not valid in QA and vice versa.

  1. Log into Dev
  2. Go to your app in QA that is forcing authentication with a redirect
  3. You can see the constant redirect loop

Desktop (please complete the following information):

  • OS: Mojave 10.14.6
  • Browser: Chrome
  • Version: 80.0.3987.122

Issue Analytics

  • State: open
  • Created: 4 years ago
  • Comments: 5

Top GitHub Comments

zsid commented, Feb 27, 2020 (3 reactions)

This is the error I get in the URL:

http://localhost:3000/login#error=interaction_required&error_description=AADSTS50105%3a+The+signed+in+user+%27%7bEmailHidden%7d%27+is+not+assigned+to+a+role+for+the+application

GraemeF commented, Jul 15, 2020 (0 reactions)

We have captured MSAL logs of the loop (starting at monitorWindowForHash, but it could be anywhere as it loops…):

[MSAL] 1.3.2-Verbose monitorWindowForHash found url in hash
[MSAL] 1.3.2-Info Processing the callback from redirect response
[MSAL] 1.3.2-Info State status:true; Request type:LOGIN
[MSAL] 1.3.2-Info-pii Error :consent_required; Error description:AADSTS65001: The user or administrator has not consented to use the application with ID '[client-appreg-id]' named '[client-appreg-name]'. Send an interactive authorization request for this user and resource.
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 243cf152-4e3c-4e4b-ad91-96dcf5bab086_673c3cf3-031a-4181-a922-07d87e478733-msal.api_event
[MSAL] 1.3.2-Verbose Flushing telemetry events: 243cf152-4e3c-4e4b-ad91-96dcf5bab086
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 1386d347-d9b1-4ce9-ac5e-31a068f657e6_714cfde3-63e6-4749-8f62-0d62076216d1-msal.api_event
[MSAL] 1.3.2-Verbose Flushing telemetry events: 1386d347-d9b1-4ce9-ac5e-31a068f657e6
[MSAL] 1.3.2-Verbose AcquireTokenInteractive has been called
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose User session exists, login not required
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose AcquireTokenInteractive has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-1]_0f075bca-8b27-4048-b15a-09301561a9de-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event stopped: [client-request-guid-1]_0f075bca-8b27-4048-b15a-09301561a9de-msal.http_event
[MSAL] 1.3.2-Verbose Navigating window to urlNavigate
[MSAL] 1.3.2-Info-pii Navigate to:https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2F[tenantname].onmicrosoft.com%2Fwfm%2F[api-name]%2Fdev%2F[api-scope-id]%2Fuser_impersonation%20openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Faad-callback&state=[encoded-state-1]%3D&nonce=[nonce-guid-1]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-1]&response_mode=fragment
[MSAL] 1.3.2-Info Returned from redirect url
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: f3f4e31f-efbb-41bf-afcb-6136a7603d78_e99b8df7-e61a-40c4-8322-6205080ce01a-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose Telemetry Event started: f3f4e31f-efbb-41bf-afcb-6136a7603d78_c90b670d-f8fb-4a67-a343-2f7a1feaba09-msal.http_event
[MSAL] 1.3.2-Info Returned from redirect url
[MSAL] 1.3.2-Info Processing the callback from redirect response
[MSAL] 1.3.2-Info State status:true; Request type:RENEW_TOKEN
[MSAL] 1.3.2-Info State is right
[MSAL] 1.3.2-Info Fragment has access token
[MSAL] 1.3.2-Info The user object received in the response is the same as the one passed in the acquireToken request
[MSAL] 1.3.2-Verbose acquiring token interactive in progress
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-2]_3ce5be72-e5bd-4b54-a700-d22318d79c76-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose AcquireTokenSilent has been called
[MSAL] 1.3.2-Verbose Telemetry Event started: 4841b91c-29be-419d-9167-0a1821e849cb_c552353c-e876-4303-b03f-98b9d232affc-msal.api_event
[MSAL] 1.3.2-Verbose-pii Serialized scopes: [client-appreg-id]
[MSAL] 1.3.2-Verbose Account set from MSAL Cache
[MSAL] 1.3.2-Verbose Response type: id_token
[MSAL] 1.3.2-Verbose Finished building server authentication request
[MSAL] 1.3.2-Verbose Query parameters populated from existing SSO or account
[MSAL] 1.3.2-Verbose Token is not in cache for scope: [client-appreg-id]
[MSAL] 1.3.2-Verbose-pii Authority instance: https://login.microsoftonline.com/[app-tenant-id]/
[MSAL] 1.3.2-Verbose No cached metadata for authority
[MSAL] 1.3.2-Verbose Telemetry Event started: [client-request-guid-2]_1fe131b5-c60b-418b-8509-77be7965127c-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event started: 4841b91c-29be-419d-9167-0a1821e849cb_2ebc7237-d7aa-4f3e-9f4e-d9f18f51152d-msal.http_event
[MSAL] 1.3.2-Verbose Telemetry Event stopped: [client-request-guid-2]_1fe131b5-c60b-418b-8509-77be7965127c-msal.http_event
[MSAL] 1.3.2-Verbose Authority has been updated with endpoint discovery response
[MSAL] 1.3.2-Verbose Renewing idToken
[MSAL] 1.3.2-Info renewidToken is called
[MSAL] 1.3.2-Info-pii Add msal frame to document:msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Verbose Renew Idtoken Expected state: [encoded-state-2]
[MSAL] 1.3.2-Info-pii Navigate to:https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Fauth.html&state=[encoded-state-2]&nonce=[nonce-guid-2]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-2]&prompt=none&response_mode=fragment
[MSAL] 1.3.2-Verbose-pii Set loading state to pending for: [client-appreg-id]|undefined:[encoded-state-2]
[MSAL] 1.3.2-Info-pii LoadFrame: msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Verbose Telemetry Event stopped: 4841b91c-29be-419d-9167-0a1821e849cb_2ebc7237-d7aa-4f3e-9f4e-d9f18f51152d-msal.http_event
[MSAL] 1.3.2-Verbose Authority has been updated with endpoint discovery response
[MSAL] 1.3.2-Verbose Renew token for scope and authority: [client-appreg-id]|undefined is in progress. Registering callback
[MSAL] 1.3.2-Info-pii Add msal frame to document:msalIdTokenFrame|[client-appreg-id]|undefined
[MSAL] 1.3.2-Info-pii Frame Name : msalIdTokenFrame|[client-appreg-id]|undefined Navigated to: https://login.microsoftonline.com/[app-tenant-id]/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=[client-appreg-id]&redirect_uri=https%3A%2F%2F[app-hostname].[ourdomain.co.uk]%2Fleak-detection%2Fdashboard%2Fauth.html&state=[encoded-state-2]&nonce=[nonce-guid-2]&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.2&login_hint=[username]%40[tenantname].onmicrosoft.com&client-request-id=[client-request-guid-2]&prompt=none&response_mode=fragment
[MSAL] 1.3.2-Verbose monitorWindowForHash polling started
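As an added example (not code from the react-aad-msal project or from either commenter), the following classifies the redirect fragment quoted in zsid's comment, and the consent_required error visible in the MSAL log above, before the app decides whether to start another login redirect; `loginRedirect` is a hypothetical stand-in for the app's own login call.

```javascript
// Added example (not code from react-aad-msal or the issue): classify the
// fragment returned on the redirect URI before deciding to call loginRedirect()
// again. The loop in the issue happens when an error response is treated like
// "no session yet" and triggers a fresh authorize redirect.

// Constructed sample, shaped like the URL quoted in the issue.
const SAMPLE_REDIRECT_URL =
  "http://localhost:3000/login#error=interaction_required" +
  "&error_description=AADSTS50105%3a+The+signed+in+user+%27%7bEmailHidden%7d%27" +
  "+is+not+assigned+to+a+role+for+the+application";

// Parse everything after '#' into key/value pairs. URLSearchParams decodes
// both %xx escapes and '+' (form-style space), which AAD uses here.
function parseAuthFragment(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex === -1) return {};
  return Object.fromEntries(new URLSearchParams(url.slice(hashIndex + 1)));
}

// AADSTS codes are the leading token of error_description ("AADSTS50105: ...").
function extractAadstsCode(description) {
  const m = /^(AADSTS\d+)/.exec(description || "");
  return m ? m[1] : null;
}

// Returns { action, error, code }:
//   "token"       - fragment carries a token, continue normally
//   "show_error"  - authorization failed; render it and do NOT redirect again
//   "start_login" - no response present (first visit), a login redirect is fine
// Both interaction_required (AADSTS50105, role assignment) and consent_required
// (AADSTS65001) seen in the issue land in "show_error".
function classifyRedirect(url) {
  const p = parseAuthFragment(url);
  if (p.access_token || p.id_token) return { action: "token", error: null, code: null };
  if (p.error) {
    return { action: "show_error", error: p.error, code: extractAadstsCode(p.error_description) };
  }
  return { action: "start_login", error: null, code: null };
}

// Guard around the app's login trigger. `loginRedirect` is a hypothetical
// callback standing in for whatever the app calls to start the redirect flow.
// Returns the classification so the caller can render the error message.
function maybeLogin(url, loginRedirect) {
  const result = classifyRedirect(url);
  if (result.action === "start_login") loginRedirect();
  return result;
}
```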