microsoft-authentication-library-for-java

[Bug] Interactive flow with a JavaFX WebView based OpenBrowserAction incorrectly reports password as incorrect exactly once

Open NepNep21 opened this issue 10 months ago • 2 comments

Library version used

1.15.0

Java version

21.0.2

Scenario

PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

If the interactive authentication window is displayed in a JavaFX WebView, it always reports the first authentication attempt as incorrect, but then works if you simply paste the same password again. This is reproducible across multiple accounts and attempts on the same account. The issue does not occur using the system browser.

Relevant code snippets

```java
public static CompletableFuture<IAuthenticationResult> interactiveFlow(MSALogInForm form) {
    try {
        InteractiveRequestParameters params = InteractiveRequestParameters.builder(new URI("http://localhost/"))
            .scopes(scopes) // ["XboxLive.signin"]
            .tenant(tenant) // "consumers"
            .systemBrowserOptions(SystemBrowserOptions.builder().openBrowserAction(form).build())
            .build();
        return app.acquireToken(params);
    } catch (URISyntaxException e) {
        throw new IllegalStateException(e);
    }
}
...
@Override
public void openBrowser(final URL url) {
    Platform.runLater(() -> MSALogInForm.this.browser.load(url.toString()));
}
```

Results in the issue; commenting out .systemBrowserOptions(SystemBrowserOptions.builder().openBrowserAction(form).build()) prevents it.

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Using the system browser instead of a WebView

NepNep21, Apr 04 '24 00:04

Hello @NepNep21: Could you post the error message you're getting? What exactly is saying the password is incorrect? And do you get tokens the first time despite the error message, or only after the second time?

Also, you mention that you haven't upgraded MSAL but version 1.15.0 only came out last week. Does that mean it was working fine for a bit after you updated, and only started failing sometime after that?

In version 1.15.0 we changed how we bind localhost addresses in the interactive flow (https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/797). We only test that scenario in a browser and not JavaFX so maybe there is something different with how loopback addresses and redirects work in JavaFX, but I'm not sure why it would suddenly stop working.

Avery-Dunn, Apr 04 '24 15:04
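Added example, not code from this thread or from MSAL4J: one way to gather the evidence requested above (which page reports the failure, and whether the loopback redirect ever loads) without pasting authorization codes or account identifiers into a public issue. The class name `WebViewAuthTrace`, the `KEEP` allowlist, and the assumption that the reporter's `browser` field is a JavaFX `WebEngine` are all hypothetical.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import java.util.StringJoiner;
import javafx.concurrent.Worker;
import javafx.scene.web.WebEngine;

/** Hypothetical diagnostic helper; not part of MSAL4J or the reporter's application. */
public final class WebViewAuthTrace {
    // Only the standard OAuth 2.0 error parameters keep their values; everything else
    // (code, state, login hints, ...) is masked so the trace is safe to paste publicly.
    private static final Set<String> KEEP = Set.of("error", "error_description");

    private WebViewAuthTrace() {}

    /** Returns scheme://host[:port]/path with query values masked and the fragment dropped. */
    public static String redact(String location) {
        if (location == null || location.isEmpty()) return "<empty>";
        try {
            URI u = URI.create(location);
            // about:blank, data: URIs and relative references carry no host to report.
            if (u.getScheme() == null || u.getHost() == null) return "<masked non-http location>";
            StringBuilder out = new StringBuilder(u.getScheme()).append("://").append(u.getHost());
            if (u.getPort() != -1) out.append(':').append(u.getPort());
            out.append(u.getRawPath());
            if (u.getRawQuery() != null) {
                StringJoiner q = new StringJoiner("&", "?", "");
                for (String pair : u.getRawQuery().split("&")) {
                    String name = pair.split("=", 2)[0];
                    q.add(KEEP.contains(name.toLowerCase(Locale.ROOT)) ? pair : name + "=<masked>");
                }
                out.append(q);
            }
            return out.toString();
        } catch (IllegalArgumentException e) {
            return "<unparseable location>";
        }
    }

    /** Call on the JavaFX Application Thread before the WebView loads the authorization URL. */
    public static void attach(WebEngine engine) {
        engine.locationProperty().addListener((obs, oldLoc, newLoc) ->
            System.err.println("[auth-trace] navigate " + redact(newLoc)));
        engine.getLoadWorker().stateProperty().addListener((obs, oldState, newState) -> {
            Throwable failure = engine.getLoadWorker().getException();
            System.err.println("[auth-trace] load " + newState
                + (newState == Worker.State.FAILED && failure != null ? ": " + failure : ""));
        });
    }
}
```

Comparing the trace of the first (rejected) attempt with the second (accepted) one shows whether the two attempts follow the same sequence of pages and whether a load of the `http://localhost/` redirect fails in the WebView.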