microsoft-authentication-library-for-js: SSO with AAD B2C fails


We’ve been hitting issues similar to #208. We are using AAD B2C and have Single Sign On configured on the policies correctly. No issues when using MVC OpenID Connect apps, we get the expected SSO behavior. First time we login to B2C and subsequent apps, pressing the login button redirects to B2C and then instantly returns.

We have not been able to get MSAL.js to work. I strongly suspect the prompt=select_account is interfering with SSO. The suggested workarounds did not work as we got errors back saying login_required despite having an active SSO session.

Repro is this: Two apps sharing a B2C signup or sign in policy configured with SSO. First app is an ASP.NET Core app using MVC and the OIDC middleware. Second app is a SPA app with MSAL.js. Login with the ASP.NET Core app first. Now in the same browser tab, go to the SPA app. You should still be signed into B2C, but when you press login on the SPA site, the redirect to B2C forces a sign in.

The ask is this: MSAL.js, out-of-the-box, needs to support SSO with AAD B2C. No special workarounds, it just needs to work. We have validated that MSAL.js is the issue, and not B2C, since other apps using hello.js, for example, do work correctly.

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 17 (6 by maintainers)

Most upvoted comments

We have confirmed that by removing that prompt parameter, MSAL.js does work. So perhaps that needs to be revisited?

This also impacts other flows, like calling edit profile. aquireTokenRedirect always adds that prompt, so even if we try to do an edit profile, it prompts for a login

   clientApplication.acquireTokenRedirect(applicationConfig.b2cScopes, applicationConfig.editProfileAuthority, clientApplication.getUser());
   /* NOTE: optional popup login
   clientApplication.acquireTokenPopup(applicationConfig.b2cScopes, applicationConfig.editProfileAuthority, clientApplication.getUser()).then(function (accessToken) {
           logMessage(“Edit profile success.“);
       function(error) {
           logMessage(“Error editing profile:\n” + error);

@nehaagrawal @navyasric I’m not sure how we’re expected to use SID or login_hint for SSO. These are still values that need to either be saved in the application or entered by the user. If the user has an active SSO session in B2C, then they should count as authenticated when first entering the application even if the application doesn’t have anything to identify the user.

acquireTokenSilent doesn’t even check B2C for a session if the application doesn’t already have saved or provide some kind of user identification (userObject, sid, or login_hint).

The desired behavior is achieved with prompt=none, but MSAL.js still has prompt=select_account hard-coded in. The apparent reluctance in allowing this is frustrating, and forces us to reconsider using MSAL.js at all.

@azure/msal-angular npm package is not updated yet, is it in progress or all have ignored this issue… ?

@onovotny we just released msal 0.2.3 and it has support for SSO. SSO can be achieved by passing either login_hint or SID. Can you please tell me if you were passing either login_hint or SID?

@onovotny We have a PR in progress to remove prompt=select_account hardcoding. Once this feature is released. I will update the details here.