microsoft-authentication-library-for-java

[Bug] http://127.0.0.1 does not work as redirect URI for AcquireTokenInteractive

Open misirio opened this issue 1 year ago • 4 comments

Library version used

1.15.0

Java version

8

Scenario

PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

Using http://127.0.0.1 as the redirect URI does not work because it is overridden with http://localhost. This override causes the login to fail as http://localhost is not defined in the App Registration. According to Microsoft documentation, 127.0.0.1 should be preferred over localhost.

Workaround: Using an address with a fixed port like http://127.0.0.1:3490 works because the redirect URI is not overridden. However, this workaround is not ideal as it introduces the risk of port conflicts.

Relevant Documentation: According to Microsoft Documentation, 127.0.0.1 should be preferred over localhost.

Relevant code snippets

// Does not work, because redirect url is updated to http://localhost
InteractiveRequestParameters parameters = InteractiveRequestParameters
        .builder(new URI("http://127.0.0.1"))
        .scopes(scope)
        .build();

// Works - redirect url remains http://127.0.0.1:3490
InteractiveRequestParameters parameters = InteractiveRequestParameters
        .builder(new URI("http://127.0.0.1:3490"))
        .scopes(scope)
        .build();

Expected behavior

The redirect URI should remain as http://127.0.0.1.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

The relevant place in code is:

https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByInteractiveFlowSupplier.java#L103

The URI is hard coded and should be loaded from the interactiveRequestParameters() instead.

private void updateRedirectUrl() {
    try {
        URI updatedRedirectUrl = new URI("http://localhost:" + httpListener.port());
        interactiveRequest.interactiveRequestParameters().redirectUri(updatedRedirectUrl);
        LOG.debug("Redirect URI updated to" + updatedRedirectUrl);
    } catch (URISyntaxException ex) {
        throw new MsalClientException("Error updating redirect URI. Not a valid URI format",
                AuthenticationErrorCode.INVALID_REDIRECT_URI);
    }
}

misirio Jun 04 '24 11:06
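One way to do what the issue asks, as an added example that is not part of the issue and not MSAL4J code: derive the updated redirect URI from the host the caller configured and fill in the listener port only when none was given. The class `LoopbackRedirect`, its methods, the literal loopback allowlist and the sample port are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; class and method names are hypothetical, not MSAL4J API.
public class LoopbackRedirect {

    // Accept only loopback hosts, compared as literals so no DNS lookup happens.
    static boolean isLoopbackHost(String host) {
        return host != null
                && (host.equals("127.0.0.1")
                    || host.equals("[::1]") // URI.getHost() keeps the IPv6 brackets
                    || host.equalsIgnoreCase("localhost"));
    }

    // Keep the caller's host and path; use the listener's port only when the
    // configured URI did not specify one, so the result still matches what
    // was registered in the App Registration.
    static URI withListenerPort(URI configured, int listenerPort) throws URISyntaxException {
        if (!"http".equalsIgnoreCase(configured.getScheme())
                || !isLoopbackHost(configured.getHost())) {
            throw new IllegalArgumentException(
                    "Redirect URI must be an http loopback address: " + configured);
        }
        int port = configured.getPort() != -1 ? configured.getPort() : listenerPort;
        return new URI("http", null, configured.getHost(), port,
                configured.getPath(), null, null);
    }

    public static void main(String[] args) throws URISyntaxException {
        int listenerPort = 49152; // constructed sample value for an OS-assigned port

        // The two redirect URIs from the issue: without and with a fixed port.
        System.out.println(withListenerPort(new URI("http://127.0.0.1"), listenerPort));
        System.out.println(withListenerPort(new URI("http://127.0.0.1:3490"), listenerPort));
        // localhost stays localhost when that is what the caller configured.
        System.out.println(withListenerPort(new URI("http://localhost"), listenerPort));

        // A non-loopback host is refused instead of being silently rewritten.
        try {
            withListenerPort(new URI("http://example.com"), listenerPort);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```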