Handle AADSTS50105 and other login failures on client #5320

Closed
agrahamwize opened this issue Oct 20, 2022 · 8 comments

Comments

@agrahamwize

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.28.3

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.4.7

Public or Confidential Client?

Public

Description

Hi there,

At times, we have users receive the AADSTS50105 error message for their login request because the client they are logging into does not contain any role assignments and we are blocking logins with no role assignments. However, this message by default provides sensitive information to the end user and our government client would prefer the message/functionality be far more general so as not to expose client ids, etc.

It does not appear that there is a corresponding callback event to intercept this message via addEventCallback or handleRedirectPromise. I need to identify a way to intercept this error and avoid presenting the default message.

Any guidance would be appreciated.

Thanks!
Adam.g

MSAL Configuration

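```javascript
// MSAL configuration as posted; "tenantId" and "clientId" are placeholders.
const msalConfig = {
    auth: {
        authority: "tenantId",
        clientId: "clientId",
        redirectUri: document.getElementById('root').baseURI
    },
    cache: {
        cacheLocation: "localStorage"
    }
};
```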

Relevant Code Snippets

No response

Identity Provider

Azure AD / MSA

Source

External (Customer)

@sameerag
Member

@agrahamwize Can you please share a screenshot of the error you are seeing? You can grey out the confidential parts if needed or email me here.

@agrahamwize
Author

Hey, absolutely. Included is the more full text and display for the error when it is encountered.

Screenshot (1)

@ghost

ghost commented Oct 26, 2022

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @sameerag please follow up.

@sameerag
Member

@agrahamwize AAD adds this error and they do not relay that to msal to handle the message. This has to be handled by the service teams. Can you please file an issue with developer support [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/developer-support-help-options)?

I will ping the internal service teams to track this too, however we cannot fix this from MSAL.

If the support channel does not help, please reach out to me (my email is in my profile) and I can redirect to them as needed.

Closing this.

@agrahamwize
Author

Thanks @sameerag. I have a support ticket logged with them, 2211170040004474. I will let you know if there are issues working with them, per your guidance.

Thanks again!
Adam.g

@jlcCognizant

Hi @agrahamwize. I would like to know if there ever has been a solution Microsoft gave you that works (aside from configuring it in Azure itself which is not really my use case as I need to redirect a user to another page if this error appears).

@agrahamwize
Author

> Hi @agrahamwize. I would like to know if there ever has been a solution Microsoft gave you that works (aside from configuring it in Azure itself which is not really my use case as I need to redirect a user to another page if this error appears).

Unfortunately not. Sounds like this happens internally in their system and is both, a) not a callback sort of notification condition and, b) not something that is returned to the client in the overall oauth response.

I reckon its primary function is to make it easy to fully block apps that Azure is doing SSO for versus handling role-based authorization for custom apps. I guess the expectation is for the developer to handle that on their end instead.

In your case, that would look like, 1) turning off the role assignment requirement, 2) Checking the roles returned in a successful authentication, and 3) if no roles (or maybe default access role?), redirect on the client side.
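
The client-side check outlined in the comment above (inspect the roles of a successful sign-in and redirect when there are none), as an added example that is not code from the thread or from MSAL.js. The route paths, the option names and the `decideLanding` helper are assumptions; the sample results are constructed.

```javascript
// Added example: route a signed-in user by the `roles` claim of the ID token.
// Route paths and option names are assumptions made for this sketch.

/**
 * Decide where to send the user after MSAL returns.
 * @param {object|null} authResult value resolved by handleRedirectPromise()
 *                                 (null when the page load was not a redirect)
 * @param {object} [opts]
 */
function decideLanding(authResult, opts = {}) {
  const {
    homePath = "/",                   // assumed route
    noAccessPath = "/access-pending", // assumed route showing a generic message
    nonGrantingRoles = [],            // roles to treat as "no access" (assumption)
  } = opts;

  // No result: this page load was not a redirect response.
  if (!authResult) return { action: "none" };

  const claims = authResult.idTokenClaims || {};
  // Treat a missing or malformed claim as "no roles".
  const raw = Array.isArray(claims.roles) ? claims.roles : [];
  const ignored = new Set(nonGrantingRoles.map((r) => r.toLowerCase()));
  const roles = raw
    .filter((r) => typeof r === "string" && r.trim() !== "")
    .filter((r) => !ignored.has(r.toLowerCase()));

  if (roles.length === 0) {
    // Generic destination: no client id, tenant id or role names in the URL.
    return { action: "redirect", path: noAccessPath, roles: [] };
  }
  return { action: "continue", path: homePath, roles };
}

// Constructed sample results (not real tokens).
const withRole = { idTokenClaims: { sub: "u1", roles: ["Reader"] } };
const withoutRole = { idTokenClaims: { sub: "u2" } };

console.log(decideLanding(withRole));    // continue to homePath
console.log(decideLanding(withoutRole)); // redirect to noAccessPath
```

Call it with the value resolved by `handleRedirectPromise()`. This only decides navigation in the browser; any API behind the app still has to check the `roles` claim of the access token itself.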

@agrahamwize
Author

MS confirmed, no current capability and no plan for implementing.
