microsoft-authentication-library-for-js
Avoid applying .toLowerCase() to the authority URL
Core Library
MSAL.js (@azure/msal-browser)
Wrapper Library
Not Applicable
Public or Confidential Client?
Public
Description
My issue happens trying to use a non-Microsoft identity provider.
When using Microsoft as the identity provider, the authority URL is always using the https://login.microsoftonline.com structure, and for that, everything works fine.
However, when trying to use any non-Microsoft authority, such as, in this case, https://my-own-domain.com/realms/EXAMPLE I am unable to even start my application due to several requests that MSAL performs under the hood that are using https://my-own-domain.com/realms/example as the URL.
Notice how /EXAMPLE is /example after MSAL manipulates it. This results in any request performed using this URL throwing a 404 error, since URLs are case sensitive, and hence, the URL that MSAL is using is not the one I've specified and thus, fails.
This issue seems to happen because the canonicalizeUri(url: string): string called in the UrlString class constructor always applies a .toLowerCase() transformation to the URL, and since the class is invoked from the Authority class, any authority that has some uppercase segment will always fail.
I see that this was partially addressed in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4366, but it looks like it was abandoned. I see it has caused some problems in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3621 too.
I understand that the priorities from the MSAL team maybe don't include improving support for other identity providers, but to me this is an issue that, were it to be solved, would really expand MSAL's support for more people since this matter is not a case of MSAL not wanting to support other identity providers but rather MSAL doing something that, unfortunately, unintentionally limits support for other identity providers. I hope I have explained myself there correctly.
Source
External (Customer)
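Added example, not part of the original issue and not MSAL.js code: it contrasts lowercasing the whole authority string, as the report describes, with a component-aware canonicalization that lowercases only the scheme and host and keeps the path as written. The function names are hypothetical, and dropping any query string or fragment from the authority is an assumption of this sketch.

```javascript
// Added example. Function names are hypothetical and are not part of MSAL.js.

// The behaviour the issue describes: the whole string is lowercased,
// so a case-sensitive path segment such as /realms/EXAMPLE is altered.
function lowercaseWholeUrl(url) {
  return url.trim().toLowerCase();
}

// Component-aware canonicalization. Scheme and host are case-insensitive
// (RFC 3986, section 6.2.2.1), so normalizing them is safe; the path is
// case-sensitive and is kept exactly as the caller supplied it.
function canonicalizePreservingPath(url) {
  const parsed = new URL(url.trim());
  // The WHATWG URL parser has already lowercased the scheme and host and
  // dropped a default port. pathname keeps its original casing.
  // Assumption: an authority carries no query string or fragment.
  return parsed.origin + parsed.pathname;
}

// Two authority strings name the same endpoint only if they match after
// canonicalization: host compared case-insensitively, path case-sensitively.
function sameAuthority(a, b) {
  return canonicalizePreservingPath(a) === canonicalizePreservingPath(b);
}

// Constructed sample input, using the placeholder domain from the issue.
const configured = "https://my-own-domain.com/realms/EXAMPLE";

console.log(lowercaseWholeUrl(configured));
console.log(canonicalizePreservingPath("HTTPS://My-Own-Domain.com:443/realms/EXAMPLE"));
console.log(sameAuthority(configured, "https://MY-OWN-DOMAIN.com/realms/EXAMPLE"));
console.log(sameAuthority(configured, "https://my-own-domain.com/realms/example"));
```

Comparing authorities through the same canonical form keeps host matching case-insensitive without rewriting the path that is later used to build endpoint requests.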
@alexqbm Thanks for raising this. Tracking this internally.
Hi! Any news on this topic, @sameerag ?
Hello again. I don't want to bother you all, guys, but I'd like to check on you regarding this issue. Mentioning @sameerag again. Thank you in advance.
We unfortunately do not have bandwidth to prioritize issues for external IDPs right now. If you are unable to update your IDP to use case-insensitive URLs you may propose the changes you need through a PR and we would be more than happy to consider them.
@alexqbm This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.