microsoft-authentication-library-for-js: MSAL Guard on redirect URI causes: Token renewal operation failed due to timeout.
Please follow the issue template below. Failure to do so will result in a delay in answering your question.
Library
- msal@1.2.1 or @azure/msal@1.x.x
- @azure/msal-browser@2.x.x
- @azure/msal-angular@0.x.x
- @azure/msal-angular@1.0.0-beta2
- @azure/msal-angularjs@1.x.x
Important: Please fill in your exact version number above, e.g. msal@1.1.3.
Framework
If you are using a framework, please provide the framework and version (e.g. Angular v8, React v16, etc). Angular 7
Description
I upgraded my code to msal-angular@1.0.0-beta2. Since then, I get a token renewal error most of the time. Sometimes it works, sometimes not.
Below you find the error that I get:
ERROR ClientAuthError: URL navigated to is https://login.microsoftonline.com/6e5433e0-76fc-44b7-b71b-0e5446a3fa94/oauth2/v2.0/authorize?response_type=token&scope=user.read user.read.all openid profile&client_id=XXXXX&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F&state=2c239776-194a-4dd1-9ffd-5ef6a8170bfb&nonce=64ebf40a-c982-4d0f-947a-008486098f0e&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.1&login_hint=XXXXt&login_req=69fe329f-7029-47ae-9640-35f2b80d3dc7&domain_req=6e5433e0-76fc-44b7-b71b-0e5446a3fa94&domain_hint=organizations&client-request-id=d5399407-a9b0-449f-bacb-c51b451f341c&prompt=none&response_mode=fragment, Token renewal operation failed due to timeout.
    at t [as constructor] (https://localhost:44321/main.85b343060f18cba93e8d.js:1:522654)
    at new t (https://localhost:44321/main.85b343060f18cba93e8d.js:1:523276)
    at Function.t.createTokenRenewalTimeoutError (https://localhost:44321/main.85b343060f18cba93e8d.js:1:524233)
    at https://localhost:44321/main.85b343060f18cba93e8d.js:1:545696
    at e.invokeTask (https://localhost:44321/polyfills.ad66e791a6ddbd9fe3e0.js:1:8059)
    at Object.onInvokeTask (https://localhost:44321/main.85b343060f18cba93e8d.js:1:193339)
    at e.invokeTask (https://localhost:44321/polyfills.ad66e791a6ddbd9fe3e0.js:1:7980)
    at t.runTask (https://localhost:44321/polyfills.ad66e791a6ddbd9fe3e0.js:1:3241)
    at t.invokeTask (https://localhost:44321/polyfills.ad66e791a6ddbd9fe3e0.js:1:9142)
    at invoke (https://localhost:44321/polyfills.ad66e791a6ddbd9fe3e0.js:1:9033)
Security
Is this issue security related?
Regression
Did this behavior work before? I had no issue related to timeout with version 0.1.4
Configuration
MsalModule.forRoot(
  {
    auth: {
      clientId: "xxxxxxx",
      authority: "https://login.microsoftonline.com/tenantid",
      postLogoutRedirectUri: "https://login.microsoftonline.com/tenantid",
      validateAuthority: true,
      navigateToLoginRequestUrl: true,
    },
    cache: {
      cacheLocation: "localStorage",
      storeAuthStateInCookie: isIE
    },
    system: {
      loadFrameTimeout: 35000,
    }
  },
  {
    popUp: false,
    consentScopes: ['user.read', 'user.read.all', 'https://domain.net/api-access'],
    protectedResourceMap,
    unprotectedResources: ["https://www.microsoft.com/en-us/"],
    extraQueryParameters: {}
  }
)
// Provide configuration values here.
// For Azure B2C issues, please include your policies.
Reproduction steps
- Logout,
- Login,
- Call authorized endpoint,
  3.1 In my case I load some data from graph api with its scope and another data from my web api. After login I can acquire a token for one of the two, and for the second it fails to obtain an access token.
  3.2 It also happened on token renewal.
Expected behavior
No timeout error should be returned when trying to acquire a token, especially after a fresh login.
Browsers
Is this issue browser-specific? If so, please detail which browsers are impacted (e.g. IE 11, Safari). I tried this on Chrome and IE edge
About this issue
- State: closed
- Created 4 years ago
- Comments: 39 (12 by maintainers)
Commits related to this issue
- Short-circuit MSAL Guard if it detects it is loaded in an iframe, to prevent timeouts that occur as a result of redirecting, fixes #1260 — committed to AzureAD/microsoft-authentication-library-for-js by jasonnutter 4 years ago
- Merge pull request #1337 from AzureAD/dev-msal-guard-redirect-uri Short-circuit MSAL Guard if it detects it is loaded in an iframe, to prevent timeouts that occur as a result of redirecting, fixes #1... — committed to AzureAD/microsoft-authentication-library-for-js by jasonnutter 4 years ago
@jasonnutter Removed the MsalGuard off the redirect URI and that seems to have solved the issue for me.
The same issue with: “@azure/msal-angular”: “1.0.0” and Safari only (third-party cookies enabled) when trying to acquire an access token for the consentScopes.
Error when acquiring token for scopes …: ClientAuthError: URL navigated to is https://login.microsoftonline.com/...../oauth2/v2.0/authorize?…
The only difference it’s not beta anymore))
Works fine with chrome so there’s nothing wrong with configuration.
Hello eynenad,
You shouldn’t redirect to the loading component until you have a valid user object with valid token. And you shouldn’t redirect at all in the 2 cases:
1- When the screen is IFrame (your application is reloaded when the renew token or the login occurs but inside an IFrame)
2- When it is not an IFrame but the query string contains id token parameters (microsoftlogin redirect to your redirectUri after the user login).
You can also make the redirect url be an empty page when renewing the token silently.
Best regards, Emad
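The two cases from the comment above (page loaded inside the hidden renewal iframe, or top-level page whose URL carries the login response), as an added example that is not part of the original thread and not MSAL's own code. The function names and the `fakeWindow` helper are hypothetical, and the fragment keys assume the `response_mode=fragment` flow seen in the error URL earlier on this page.

```javascript
// Added example: decide whether the page registered as redirect_uri should
// skip its own routing/redirect logic. `win` is a window-like object so the
// check can also be exercised outside a browser.

// Parameters an authorize response can carry in the URL fragment
// (assumed set for the implicit flow with response_mode=fragment).
const AUTH_RESPONSE_KEYS = ["access_token", "id_token", "error"];

// True when the page is rendered inside a frame, e.g. the hidden iframe
// used for silent token renewal.
function isInIframe(win) {
  return win.parent !== win;
}

// True when the fragment looks like a response from the authorize endpoint.
function hasAuthResponse(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return AUTH_RESPONSE_KEYS.some((key) => params.has(key));
}

// Returns the reason navigation must be skipped, or null when the app may
// route normally. A redirect in either case discards the response before the
// library reads it, and the renewal then ends in the timeout reported above.
function skipNavigationReason(win) {
  if (isInIframe(win)) return "iframe";
  if (hasAuthResponse(win.location.hash)) return "auth-response";
  return null;
}

// Constructed window stand-in for trying the check in Node.
function fakeWindow(hash, framed) {
  const win = { location: { hash } };
  win.parent = framed ? {} : win;
  return win;
}

console.log(skipNavigationReason(fakeWindow("#id_token=abc&state=s1", true)));
console.log(skipNavigationReason(fakeWindow("#access_token=abc&state=s1", false)));
console.log(skipNavigationReason(fakeWindow("#/home", false)));
```

In an Angular app the same check would run before any `router.navigate` call in the component or guard attached to the redirect URI, passing the real `window`.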
@Ivan-L You are correct, and I agree that you should have the ability to do that. Note that for now, if you aren’t using one of the redirect flows (loginRedirect or acquireTokenRedirect) you can set the default redirectUri to a blank page. I’ll follow up when I have more on this.
@brayanL Makes sense, thanks for the update!
@brayanL Timeouts can happen for a number of reasons, so any investigations you can do in your app to determine what might be causing your timeouts would be helpful, thanks!
@emadalsous Correct, putting the MsalGuard on your redirect URI could cause another redirect and thus a timeout. I’ll see if we can make the guard smarter such that it doesn’t cause the redirect when it is loaded inside a hidden iframe. Note that since msal@1.2.0, you can set your redirect uri for silent/popup requests to a page that has no content at all (e.g. a blank html page), and that you can set redirectUri per request (in case you need to also make redirect requests).