microsoft-authentication-library-for-js: AADSTS50058 - Unable to authenticate on MS Teams Desktop App

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.26.0

Wrapper Library

Not Applicable

Wrapper Library Version

0

Description

Using the template tab-aad-msal2, upgraded to:

"@azure/msal-browser": "^2.26.0",
"@microsoft/teams-js": "^2.0.0",

this.msalClient.loginRedirect(this.request) works on Teams Web, but does not work on the Teams Desktop App.

Error Message

InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in a different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: f6450045-e435-4fa7-8dcb-b1e7da7f2300 Correlation ID: b88afb3e-7b95-48fc-a68e-5875238dd1d3 Timestamp: 2021-01-28 08:56:59Z

MSAL Configuration

const msalConfig = {
    auth: {
        clientId,
        authority,
        redirectUri
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: false
    }
};

Relevant Code Snippets

this.msalClient.loginRedirect(this.request);

Reproduction Steps

  1. Log in to the Microsoft Teams Desktop App
  2. Select the tab
  3. Click Login
  4. Open DevTools in Iframe Auth
  5. Observe

Expected Behavior

loginRedirect completes successfully.

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

External (Customer)

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 27 (11 by maintainers)

Most upvoted comments

Many thanks team !!!

Hi @derisen @jasonnutter

My understanding is that you are not sure whether silently acquiring tokens will work on the Teams Desktop App? For some reason, we still have to display a prompt to re-login again in the Teams Tab app.

I mean: Teams App => login => Tab App => get Token => re-login?

If you are not able to perform the OBO flow using the Teams SSO token (as shown in the sample) you can try invoking ssoSilent on page load to attempt to silently sign in. If that fails, you will need to invoke an interactive prompt.

So … Do we help update the DOC on this?

Just to be clear, and for others who have the same question as me.

Yes, those docs should probably be updated. cc @EmLauber

@derisen For now, that is correct. If you are unable to perform the OBO flow on your own server to silently acquire tokens (demonstrated in the sample), you can try what you describe; otherwise, you will need to show a prompt (via the Teams SDK, as also shown in the sample).

@tiennguyen1293 Does this issue persist only for Chrome or any other browsers as well? Are you using incognito mode? Can you please try enabling storeAuthStateInCookie and issuing the redirect call, and let us know. Thanks!
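
The fallback described in the comments above (try ssoSilent on page load, then show an interactive prompt), as an added example that is not part of the original thread or of the MSAL.js sample. It assumes `client` exposes `ssoSilent(request)` as an @azure/msal-browser PublicClientApplication does; `promptInteractive`, `signIn`, `needsInteraction` and the stubs are hypothetical names, and the stubs stand in for MSAL so the flow runs offline.

```javascript
// Added example. `promptInteractive` is a hypothetical callback that opens the
// interactive sign-in (in a Teams tab, the Teams SDK authentication popup)
// and resolves with the authentication result.

// MSAL sets error.name to "InteractionRequiredAuthError" for failures such as
// AADSTS50058 (silent request sent, but no session cookie reached Azure AD).
function needsInteraction(error) {
  return Boolean(error) && error.name === "InteractionRequiredAuthError";
}

async function signIn(client, request, promptInteractive) {
  try {
    const result = await client.ssoSilent(request);
    return { via: "silent", result };
  } catch (error) {
    // Only prompt when the identity provider asks for interaction. Network or
    // configuration errors are rethrown so a prompt does not mask them.
    if (!needsInteraction(error)) throw error;
    const result = await promptInteractive(request);
    return { via: "interactive", result };
  }
}

// Constructed stubs standing in for MSAL.
function fakeClient(outcome) {
  return {
    async ssoSilent() {
      if (outcome instanceof Error) throw outcome;
      return outcome;
    },
  };
}

function fakeInteractionRequired() {
  const error = new Error("AADSTS50058: A silent sign-in request was sent but no user is signed in.");
  error.name = "InteractionRequiredAuthError";
  return error;
}

async function demo() {
  const request = { scopes: ["User.Read"] }; // constructed sample request
  const prompt = async () => ({ account: "from-prompt" });
  const silent = await signIn(fakeClient({ account: "from-cookie" }), request, prompt);
  const fallback = await signIn(fakeClient(fakeInteractionRequired()), request, prompt);
  return [silent.via, fallback.via];
}

demo().then((paths) => console.log(paths));
```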