
Help needed: Bypass authority metadata resolution

Open vella-nicholas opened this issue 7 months ago • 4 comments

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.1.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.1.0

Public or Confidential Client?

Public

Description

I would like some help in bypassing authority metadata resolution. The problem is we have two endpoints for resolution, one for b2c_1a_signup_signin and the other for b2c_1a_signup; if we pass only one, one of the policies will not work.

The endpoints are: https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration and https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup/v2.0/.well-known/openid-configuration

Error Message

The aim is to avoid this error, possibly due to network latency. Error message:

ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.aposta1.com/aposta1prod.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • [ ] Sent
  • [ ] Pending

MSAL Configuration

import {
    BrowserCacheLocation,
    Configuration,
    IPublicClientApplication,
    LogLevel,
    PublicClientApplication
} from '@azure/msal-browser';
// Angular environment file holding the B2C settings; the path is assumed.
import { environment } from '../environments/environment';

export function MSALInstanceFactory(): IPublicClientApplication {
    // Legacy IE/Trident needs auth state in cookies instead of web storage.
    const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;
    const msalConfig: Configuration = {
        auth: {
            clientId: environment.activeDirectory.clientId,
            // Default authority: the combined sign-up/sign-in policy.
            authority: `https://${environment.activeDirectory.loginDomain}/${environment.activeDirectory.domain}/B2C_1A_SIGNUP_SIGNIN`,
            // B2C custom domains must be listed here or MSAL rejects the authority.
            knownAuthorities: [
                environment.activeDirectory.loginDomain,
                environment.activeDirectory.editDomain
            ],
            redirectUri: '/',
            navigateToLoginRequestUrl: false
        },
        cache: {
            cacheLocation: BrowserCacheLocation.LocalStorage,
            storeAuthStateInCookie: isIE
        },
        system: {
            loggerOptions: {
                loggerCallback(logLevel: LogLevel, message: string) { },
                logLevel: LogLevel.Error,
                piiLoggingEnabled: false,
            },
            allowNativeBroker: false
        }
    };
    
    return new PublicClientApplication(msalConfig);
}

Relevant Code Snippets

We would like something like this but with two authorities:

import { PublicClientApplication } from '@azure/msal-browser';
// Angular environment file holding the B2C settings; the path is assumed.
import { environment } from '../environments/environment';

const msalInstance = new PublicClientApplication({
    auth: {
        clientId: environment.activeDirectory.clientId,
        // Static OpenID configuration document; MSAL uses it instead of fetching .well-known/openid-configuration.
        authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}'
    }
});

Reproduction Steps

Two policies are used, one for registration and one for login. I need help in bypassing authority depending on which policy is used.

Expected Behavior

The ability to add more than one authorityMetadata depending on which policy is used.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari

Regression

No response

Source

External (Customer)

vella-nicholas, Jul 25 '24 14:07
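Pinning `authorityMetadata` skips the network lookup, which means the app is now responsible for keeping each pinned document consistent with the authority it is paired with: endpoints copied from the wrong policy, or from a host outside `knownAuthorities`, would silently send the authorization request or the token exchange somewhere the app never validated. The example below is added here and is not code from the MSAL project or from the issue author; it validates a metadata document for one B2C policy before it is used and builds the per-policy `auth` settings the issue asks for. The two metadata documents are constructed stand-ins for the real `.well-known/openid-configuration` responses, the tenant id is a placeholder, and the helper names are assumptions.

```typescript
// Added example, not MSAL's own code. Validates a pinned OpenID configuration
// document for one B2C policy and derives the matching msal-browser `auth` block.

interface OidcMetadata {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  jwks_uri: string;
  end_session_endpoint: string;
}

const REQUIRED_ENDPOINTS = [
  "authorization_endpoint",
  "token_endpoint",
  "jwks_uri",
  "end_session_endpoint",
] as const;

// Hosts the app trusts for authority endpoints (mirrors `knownAuthorities`).
const KNOWN_AUTHORITIES = ["login.aposta1.com"];
const TENANT = "aposta1prod.onmicrosoft.com";

// Constructed stand-in for a policy's metadata document. In a real deployment
// this JSON is captured from the policy's .well-known endpoint at build time
// and stored as a string constant; the tenant id below is a placeholder.
function sampleMetadata(policy: string, host = "login.aposta1.com"): string {
  const base = `https://${host}/${TENANT}/${policy}`;
  return JSON.stringify({
    issuer: `https://${host}/00000000-0000-0000-0000-000000000000/v2.0/`,
    authorization_endpoint: `${base}/oauth2/v2.0/authorize`,
    token_endpoint: `${base}/oauth2/v2.0/token`,
    jwks_uri: `${base}/discovery/v2.0/keys`,
    end_session_endpoint: `${base}/oauth2/v2.0/logout`,
    response_modes_supported: ["query", "fragment", "form_post"],
  });
}

function hostIsKnown(url: URL, known: Set<string>): boolean {
  return url.protocol === "https:" && known.has(url.hostname.toLowerCase());
}

// Throws unless the document is safe to pin for `policy`: every required
// endpoint must exist, use https, live on a known authority host and sit under
// the policy's own path segment, so a b2c_1a_signup document cannot be wired
// to the b2c_1a_signup_signin authority by mistake (the issuer is checked for
// host only, because B2C issuers carry the tenant id rather than the policy).
function validateAuthorityMetadata(
  policy: string,
  raw: string,
  knownAuthorities: string[] = KNOWN_AUTHORITIES
): OidcMetadata {
  const doc = JSON.parse(raw) as Partial<OidcMetadata>;
  const known = new Set(knownAuthorities.map((h) => h.toLowerCase()));
  const wantSegment = policy.toLowerCase();

  if (typeof doc.issuer !== "string" || !hostIsKnown(new URL(doc.issuer), known)) {
    throw new Error(`issuer missing or not on a known authority: ${doc.issuer}`);
  }
  for (const key of REQUIRED_ENDPOINTS) {
    const value = doc[key];
    if (typeof value !== "string") throw new Error(`${key} missing from metadata`);
    const url = new URL(value);
    if (!hostIsKnown(url, known)) throw new Error(`${key} points at untrusted host ${url.host}`);
    const segments = url.pathname.toLowerCase().split("/");
    if (!segments.includes(wantSegment)) {
      throw new Error(`${key} does not belong to policy ${policy}: ${url.pathname}`);
    }
  }
  return doc as OidcMetadata;
}

// Per-policy `auth` settings for msal-browser. The authority and its pinned
// metadata are always produced together, which is the invariant that matters.
function authOptionsFor(policy: string, rawMetadata: string) {
  validateAuthorityMetadata(policy, rawMetadata);
  return {
    authority: `https://${KNOWN_AUTHORITIES[0]}/${TENANT}/${policy}`,
    authorityMetadata: rawMetadata,
    knownAuthorities: KNOWN_AUTHORITIES,
  };
}
```

The returned object can be spread into `Configuration.auth` when constructing a `PublicClientApplication` for the policy in use, so each instance carries exactly one authority and the metadata that was validated for it.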