microsoft-authentication-library-for-js: 'monitor_window_timeout' when performing ssoSilent

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.7.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.0.11

Public or Confidential Client?

Public

Description

I inherited an Angular Ionic application, designed to run on Android. Originally, this application used MSADAL to authenticate.

After this was deprecated, I switched to MSAL. The problem we are facing now, since the application is developed as a web application, is that the users (sometimes) have to log in multiple times a day (because the application needs to be registered as an SPA, and SPA refresh tokens are only valid for 24h).

This is not an ideal scenario. So, I’m currently trying to renew the tokens in the background if possible. At first I tried this with acquireTokenSilent, but I kept getting the following error: ‘monitor_window_timeout: Token acquisition in iframe failed due to timeout.’

I’ve tried switching to ssoSilent, but I get the same error (‘monitor_window_timeout: Token acquisition in iframe failed due to timeout.’)

A regular login via redirect does work.

I’ve tried debugging via Devtools on Edge, and I can see the following request (if needed I can provide a screenshot):

So, based on this, it seems I am getting a response, but it’s not being processed.

Error Message

‘monitor_window_timeout: Token acquisition in iframe failed due to timeout. For more visit: aka.ms/msaljs/browser-errors’

MSAL Logs

[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getActiveAccount: Active account filters schema found
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccountKeys called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccount called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getTokenKeys called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-common@14.6.1 : Trace - CacheManager - getIdToken called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getIdTokenCredential: cache hit
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: config
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: hardcoded_values
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-common@14.6.1 : Info - CacheManager:getIdToken - Returning ID token
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Verbose - preflightBrowserEnvironmentCheck started
[Thu, 01 Feb 2024 13:28:28 GMT] : [b19977ca-caf6-4e0f-b63e-2e8d22460626] : @azure/msal-browser@3.7.1 : Verbose - ssoSilent called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Info - Emitting event: msal:ssoSilentStart
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Verbose - Emitting event to callback d08a493c-9f19-4ee1-8292-1cca81b5e304: msal:ssoSilentStart
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-angular@3.0.11 : Verbose - BroadcastService - msal:ssoSilentStart results in setting inProgress from none to ssoSilent
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - canUseNative called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - isNativeAvailable called
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - isNativeAvailable: allowNativeBroker is not enabled, returning false
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - canUseNative: isNativeAvailable returned false, returning false
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAuthorityMetadata: cache hit
[Thu, 01 Feb 2024 13:28:28 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.setAuthorityMetadata called
[Thu, 01 Feb 2024 13:28:28 GMT] : [b19977ca-caf6-4e0f-b63e-2e8d22460626] : @azure/msal-common@14.6.1 : Trace - Executing function authClientCreateQueryString
[Thu, 01 Feb 2024 13:28:28 GMT] : [b19977ca-caf6-4e0f-b63e-2e8d22460626] : @azure/msal-common@14.6.1 : Verbose - createAuthCodeUrlQueryString: login_hint claim present on account
[Thu, 01 Feb 2024 13:28:28 GMT] : [b19977ca-caf6-4e0f-b63e-2e8d22460626] : @azure/msal-common@14.6.1 : Trace - Returning result from authClientCreateQueryString
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getServerTelemetry: cache hit
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.setServerTelemetry called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Info - Emitting event: msal:ssoSilentFailure
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Verbose - Emitting event to callback d08a493c-9f19-4ee1-8292-1cca81b5e304: msal:ssoSilentFailure
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-angular@3.0.11 : Verbose - BroadcastService - msal:ssoSilentFailure results in setting inProgress from ssoSilent to none
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getActiveAccount: Active account filters schema found
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccountKeys called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccount called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getTokenKeys called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - CacheManager - getIdToken called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getIdTokenCredential: cache hit
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: config
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: hardcoded_values
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Info - CacheManager:getIdToken - Returning ID token
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getActiveAccount: Active account filters schema found
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccountKeys called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getAccount called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getTokenKeys called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - CacheManager - getIdToken called
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-browser@3.7.1 : Trace - BrowserCacheManager.getIdTokenCredential: cache hit
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: config
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata called with source: hardcoded_values
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
[Thu, 01 Feb 2024 13:28:38 GMT] : [] : @azure/msal-common@14.6.1 : Info - CacheManager:getIdToken - Returning ID token

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

import { BrowserCacheLocation, Configuration, LogLevel } from '@azure/msal-browser';

// TENANT_ID and isIE are defined elsewhere in the app and are not part of the issue.
export const msalConfig: Configuration = {
  auth: {
      clientId: <CLIENT_ID>,
      authority: `https://login.microsoftonline.com/${TENANT_ID}`,
      redirectUri: '/auth',             // relative; MSAL resolves it against the app's origin
      postLogoutRedirectUri: '/',
  },
  cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: isIE,     // cookie fallback for browsers that lose storage across redirects
  },
  system: {
      allowRedirectInIframe: true,      // lets redirect flows run when the app itself is rendered in an iframe
      loggerOptions: {
          loggerCallback(logLevel: LogLevel, message: string) {
              console.log(message);
          },
          logLevel: LogLevel.Trace,
          piiLoggingEnabled: false,     // keeps account identifiers out of the trace log
      },
  },
};

Relevant Code Snippets

// Despite its name, this method calls ssoSilent rather than acquireTokenSilent.
// The MsalGuard authRequest is reused and the active account is passed so MSAL
// can put login_hint/sid on the hidden-iframe authorize request.
async acquireTokenSilent() {
  console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SILENT");
  const account = this.msalService.instance.getActiveAccount();
  if (account) {
    console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SILENT:ACCOUNT_FOUND; ", account);
    console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SILENT:LOGIN_HINT = ", account?.idTokenClaims?.login_hint);
    console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SILENT:SESSION_ID = ", account?.idTokenClaims?.sid);

    // Awaited so the caller's promise settles only after the silent attempt
    // has succeeded or failed (the original did not await, so callers saw
    // an immediately resolved promise).
    await this.msalService.instance.ssoSilent({
      ...this.msalGuardConfig.authRequest,
      account: account
    })
    .then(() => {
      console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SSOSILENT:SUCCESS");
    })
    .catch((error) => {
      console.log("AUTH_SERVICE | ACQUIRE_TOKEN_SSOSILENT:ERROR = ", error);
    });
  }
}

Reproduction Steps

  1. Log in via MsalService.loginRedirect
  2. After the user is logged in, trigger the “acquireTokenSilent” method

Expected Behavior

A successful response from ssoSilent (“AUTH_SERVICE | ACQUIRE_TOKEN_SSOSILENT:SUCCESS” is shown in the logs).

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Other

Regression

No response

Source

External (Customer)
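The snippet in the issue only logs the rejection from ssoSilent. For background renewal a practitioner also needs to decide what each failure means, in particular that another silent attempt after monitor_window_timeout will time out the same way until the cause is fixed. The following is an added example, not code from the issue or from MSAL: the error shape {name, errorCode} mirrors the fields MSAL's AuthError exposes, and the silent() and interactive() callbacks are assumed to be supplied by the app (for instance wrapping acquireTokenSilent and acquireTokenRedirect).

```javascript
// Added example (not code from the issue or from MSAL): decides what to do when
// a silent token request (ssoSilent / acquireTokenSilent) rejects. The error
// shape {name, errorCode} mirrors MSAL's AuthError; silent() and interactive()
// are assumed app-supplied callbacks, for example
//   silent:      () => instance.acquireTokenSilent(req).then(r => r.accessToken)
//   interactive: () => instance.acquireTokenRedirect(req)

// Codes with which the identity provider says the user has to take part.
const INTERACTION_CODES = new Set(["interaction_required", "login_required", "consent_required"]);

// Codes worth a later silent retry rather than an interactive round trip.
const TRANSIENT_CODES = new Set(["no_network_connectivity"]);

/**
 * @param {{name: string, errorCode: string}} err  rejection from the silent call
 * @returns {"interactive" | "transient" | "other"}
 */
function classifySilentFailure(err) {
  if (err.name === "InteractionRequiredAuthError" || INTERACTION_CODES.has(err.errorCode)) {
    return "interactive";
  }
  if (TRANSIENT_CODES.has(err.errorCode)) {
    return "transient";
  }
  // monitor_window_timeout (the error in this issue): the hidden iframe never
  // handed a response back to the parent window. Another silent attempt will
  // time out the same way until the cause is fixed, so treat it as needing
  // interaction rather than retrying in a loop.
  if (err.errorCode === "monitor_window_timeout") {
    return "interactive";
  }
  return "other";
}

/**
 * Renews in the background and escalates to an interactive flow only when a
 * user is present to finish it; a background timer must not start a redirect.
 * @param {{silent: () => Promise<string>, interactive: () => Promise<void>}} src
 * @param {boolean} userPresent
 * @returns {Promise<{token: string|null, action: string}>}
 */
async function renewToken(src, userPresent) {
  try {
    return { token: await src.silent(), action: "silent-ok" };
  } catch (e) {
    const verdict = classifySilentFailure(e);
    if (verdict === "interactive" && userPresent) {
      await src.interactive(); // acquireTokenRedirect navigates away; a popup would resolve here
    }
    return { token: null, action: verdict };
  }
}
```

Wire renewToken into the Angular service where the issue's acquireTokenSilent method lives, passing userPresent=true from a click or route change and false from a timer, so that a timed renewal that hits monitor_window_timeout surfaces the verdict for the next user action instead of redirecting a user who is not looking at the screen.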

About this issue

  • State: closed
  • Created 5 months ago
  • Comments: 35 (1 by maintainers)

Most upvoted comments

Is it possible allow-top-navigation needs to be added to the sandbox setting?

No, if the iframe is attempting a top level navigation then something is wrong, the iframe should be completely isolated. This can happen for 2 reasons:

  1. The STS is attempting to show you some error
  2. The page you use as your redirectUri is attempting to navigate to another page

If you’ve confirmed the redirect back to your redirectUri is happening then it’s reason 2 you’re after. We typically recommend setting your redirectUri to a completely blank, static page to eliminate the chance of some logic in your app attempting a redirect.

If you think there’s a chance it’s reason 1 then you can try opening the login.microsoftonline.com url from the error message in a new tab and that should enable you to see the error the STS is attempting to show you.

Perhaps also of use, this is the iFrame that’s created: <iframe sandbox="allow-scripts allow-same-origin allow-forms" src="https://login.microsoftonline.com/...." style="visibility: hidden; position: absolute; height: 0px; width: 0px; border: 0px;"></iframe>

From your screenshot of the network requests it looks like the /auth route failed to load. Can you see if there’s any more detail there? Do you happen to have any CSPs applied such as X-Frame-Options that might prevent loading your site inside iframes?
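The maintainer's two lines of inquiry above, opening the authorize URL from the error to see what the STS wanted to show, and checking whether the redirectUri page can be loaded inside an iframe at all, can both be rehearsed offline. The following is an added example, not code from the issue or from MSAL: inspectSilentAuthorizeUrl() reads the parameters that matter for a silent request out of the URL MSAL places in the hidden iframe, and framingVerdict() applies the browser's framing rules to the response headers of the redirectUri page. The sample URL, headers and origins are constructed for illustration; only 'self', 'none', '*' and exact origins are matched in frame-ancestors.

```javascript
// Added example (not code from the issue or from MSAL): two offline checks for
// the diagnosis above. Sample URL, headers and origins are constructed.

/**
 * Reads the authorize URL MSAL put in the hidden iframe (copy it from the
 * iframe's src or from the network tab) and flags anything the STS can only
 * resolve by showing UI. In a prompt=none iframe that UI becomes an error page
 * the parent never hears back from, which surfaces as monitor_window_timeout.
 * @param {string} url        authorize URL taken from the iframe
 * @param {string} appOrigin  origin of the page that created the iframe
 */
function inspectSilentAuthorizeUrl(url, appOrigin) {
  const q = new URL(url).searchParams;
  const redirectUri = q.get("redirect_uri");
  const report = {
    prompt: q.get("prompt"),
    redirectUri,
    responseMode: q.get("response_mode"),
    hint: q.get("login_hint") || q.get("sid"),
    problems: [],
  };
  if (report.prompt !== "none") {
    report.problems.push("prompt is not 'none': the STS may try to render a login page in the hidden iframe");
  }
  if (!report.hint) {
    report.problems.push("no login_hint or sid: the STS cannot choose an account without UI");
  }
  // MSAL reads the response from the iframe's location hash, which only works
  // when the redirect page is same-origin with the page that opened the iframe.
  if (redirectUri && new URL(redirectUri).origin !== appOrigin) {
    report.problems.push(`redirect_uri origin ${new URL(redirectUri).origin} differs from app origin ${appOrigin}`);
  }
  return report;
}

/**
 * Would a browser render the redirectUri page inside an iframe whose top-level
 * document has origin topOrigin? A CSP frame-ancestors directive overrides
 * X-Frame-Options; without one, DENY always blocks and SAMEORIGIN needs the
 * top-level origin to equal the page's own. Only 'self', 'none', '*' and exact
 * origins are matched (no scheme or host wildcards).
 * @param {Record<string,string>} headers  response headers of the redirectUri page
 * @param {string} pageOrigin              origin the redirectUri page is served from
 * @param {string} topOrigin               origin of the top-level document
 */
function framingVerdict(headers, pageOrigin, topOrigin) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = headers[name];
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    const allowed = sources.some((s) => {
      if (s === "'none'") return false;
      if (s === "*") return true;
      if (s === "'self'") return topOrigin === pageOrigin;
      return s === topOrigin;
    });
    return { canFrame: allowed, reason: `CSP ${directive}` };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { canFrame: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") return { canFrame: topOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  return {
    canFrame: true,
    reason: xfo ? `X-Frame-Options value '${xfo}' is not enforced by current browsers` : "no framing restriction",
  };
}
```

For the app in this issue the hidden iframe is a direct child of the app's own document, so pageOrigin and topOrigin are the same origin: a DENY header or a frame-ancestors 'none' directive on the /auth route is enough to stop the response from ever reaching the parent, while SAMEORIGIN or frame-ancestors 'self' is compatible with the silent flow.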