redwood: [Bug?]: Azure Active Directory Authentication – Redirect to authorization endpoint despite @skipAuth

What’s not working?

@jeliasson @Tobbe

When Azure Active Directory Authentication is integrated as AuthProvider, I get a redirect right away to the authorization endpoint only by using a public query.

// api/src/graphql/foobars.sdl.ts

export const schema = gql`
  type Foobar {
    epoch: BigInt!
  }

  type Query {
    foobar: Foobar @skipAuth
  }
`
// api/src/services/foobars/foobars.ts

import type { QueryResolvers } from 'types/graphql'

export const foobar: QueryResolvers['foobar'] = () => ({ epoch: Date.now() })

So far, this is my understanding of the login process:

How do we reproduce the bug?

Version 3.6.1

What’s your environment? (If it applies)

Node: 16.14.2
Yarn: 3.2.3
@redwoodjs/core: 3.6.1

Are you interested in working on this?

  • I’m interested in working on this

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 30 (28 by maintainers)

Most upvoted comments

I did the simplest implementation I could think of in https://github.com/redwoodjs/redwood/pull/7386 Please run yarn rw upgrade -t canary in your projects (or create a new project and then upgrade) to verify that it works. If it doesn’t, let me know and we’ll reopen this issue.

@m3t Sorry for the lack of response. I have spoken to @Tobbe who will look closer at this. We do not believe this is related to Azure Active Directory specifically, as the skipAuth fires before reaching the auth provider, but hopefully Tobbe will be able to find something.

I can confirm that this fixes the issue. Thank you so much @Tobbe . This has been a big blocker for a lot of features. 🚀

While testing I opened my first PR - documentation only - but hopefully more to come. 💙

@jeliasson Tested with Safari on macos and ios and did not have any problems!

Thanks. @jtoar

This is very helpful. It seems like the behavior is the same as for dbAuth, as multiple requests after one interaction do not get a new token. Then I leave it as it is for now, and come back to it if I think we need to optimize for those 100-150ms.

@tilmann I don’t believe this is a bug, but I’m guessing it could probably be done better given how https://github.com/redwoodjs/redwood/issues/4739 (a similar Issue I think) resolved (via https://github.com/redwoodjs/redwood/pull/5816).

I’m going way back here, so could be wrong, but I think the reason for fetching a new token before every request is https://github.com/redwoodjs/redwood/issues/1576 and https://github.com/redwoodjs/redwood/pull/1609.

@Tobbe Agreed, we need to add some logic for choosing a path if we get an exception from .acquireTokenSilent(). When looking at the MSAL documentation, we should probably do .acquireTokenRedirect() if the error name is consent_required, interaction_required or login_required. I remember doing something like this in the initial implementation, but we had issues capturing the exception InteractionRequiredAuthError and settled with what we have right now.

We should work on this in the now decoupled auth package @redwoodjs/auth-azure-active-directory-web and introduce this change in a v4.x (minor) release, or should we try to aim for the v4 release? You have a better understanding of the timeline here @Tobbe, so I defer the timing to you. Otherwise, maybe we can have some collaboration next week?
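The fallback sketched in the comment above, written out as an added example (this is not Redwood's or MSAL's own code). The real MSAL `PublicClientApplication` is replaced by a constructed stand-in that exposes the same two method names, `acquireTokenSilent` and `acquireTokenRedirect`, and the list of error codes that justify a redirect is exactly the three named in the thread; every other error is rethrown instead of sending the user to the login page, which is the behaviour this issue is about.

```javascript
// Added example, not code from Redwood or MSAL: only fall back to an
// interactive redirect when the silent flow fails with an error that MSAL
// documents as requiring user interaction.
const INTERACTION_REQUIRED_CODES = new Set([
  'consent_required',
  'interaction_required',
  'login_required',
]);

// Classify an error thrown by acquireTokenSilent(). MSAL errors carry an
// `errorCode` string; anything else is treated as a hard failure.
function needsInteraction(err) {
  return Boolean(err) &&
    typeof err.errorCode === 'string' &&
    INTERACTION_REQUIRED_CODES.has(err.errorCode);
}

// Try the silent flow first. Redirect only when the user must interact;
// rethrow other errors (network, misconfiguration) so they surface instead
// of bouncing a user who is just running a public query.
async function acquireTokenWithFallback(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { source: 'silent', accessToken: result.accessToken };
  } catch (err) {
    if (needsInteraction(err)) {
      await client.acquireTokenRedirect(request); // navigates away in a real browser
      return { source: 'redirect', accessToken: null };
    }
    throw err;
  }
}

// Constructed stand-in for an MSAL client so the example runs offline.
// `silentBehaviour` is either a token string to return or an Error to throw.
function makeFakeClient(silentBehaviour) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent() {
      calls.push('silent');
      if (silentBehaviour instanceof Error) throw silentBehaviour;
      return { accessToken: silentBehaviour };
    },
    async acquireTokenRedirect() {
      calls.push('redirect');
    },
  };
}

// Build an error shaped like MSAL's InteractionRequiredAuthError (constructed).
function msalError(errorCode) {
  const err = new Error(errorCode);
  err.errorCode = errorCode;
  return err;
}

// Walk the three outcomes: cached token, interaction needed, unrelated error.
async function demo() {
  const request = { scopes: ['openid'] };
  const ok = await acquireTokenWithFallback(makeFakeClient('cached-token'), request);
  const redirected = await acquireTokenWithFallback(
    makeFakeClient(msalError('interaction_required')), request);
  let hardFailure = null;
  try {
    // 'constructed_other_error' is a made-up code, not an MSAL one.
    await acquireTokenWithFallback(makeFakeClient(msalError('constructed_other_error')), request);
  } catch (e) {
    hardFailure = e.errorCode;
  }
  return { ok, redirected, hardFailure };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The classifier is kept separate from the async wrapper so it can be unit-tested without a browser; in a real Redwood auth client the catch block would additionally check `err instanceof InteractionRequiredAuthError` from `@azure/msal-browser`, which is the class the comment mentions having trouble capturing.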

Docs

@m3t Thank you for the reproduction repo. I totally misunderstood what the error was until I ran your code and saw the issue with my own eyes.

So, what’s happening is that as soon as you load HomePage the useEffect will tell the Apollo client to make a gql query to the api side. Because the client can’t know if the query requires auth or not it will always pass along an auth token. When the query reaches the api side the @skipAuth and @requireAuth directives determine if the token will be verified or not.

Because of this, no matter what kind of query/mutation you do, Redwood will always ask the auth provider client sdk for a token. And apparently, when it does, the Azure sdk will trigger the login screen.

@jeliasson You’ve been invited to a private repo with the data you’ve asked for.

@jeliasson Unfortunately I can reproduce the same unwanted behaviour in the following repo:
https://github.com/m3t/redwood-demo/tree/azure-auth-public-query

I’ve installed it with the following versions and commands:

# Node: 16.14.2
# Yarn: 3.2.3
# @redwoodjs/core: 3.6.1

yarn create redwood-app --ts ./redwood-demo

yarn rw setup auth azureActiveDirectory