MSAL Doesn't Redirect on Safari #5696

Closed
hansakaRightS opened this issue Feb 17, 2023 · 17 comments
Labels
answered Question has received "first qualified response" bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.


hansakaRightS commented Feb 17, 2023

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.32.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.1.2

Public or Confidential Client?

Public

Description

User is trying to redirect to the login page from the application on Safari mobile and MSAL does not respond to the request. It works with Chrome iOS and Android.

We only see this issue sometimes but we have users complaining they are not able to log into the application.

We were not able to see any errors in our logs to detect anything related to this issue. We would like to get more information about the situation and monitoring to tackle this issue. Any help would be appreciated.

Error Message

No response

Msal Logs

No response

MSAL Configuration

    auth: {
        clientId: clientId,
        authority: "B2C_1A_SIGNUP_SIGNIN",
        redirectUri: '/',
        navigateToLoginRequestUrl: false
    },
    cache: {
        cacheLocation: "LocalStoarage",
        storeAuthStateInCookie: false
    }

Relevant Code Snippets

    // add the device id to the extra query parameters
    extraParameters = {
      ...extraParameters,
      device_id: deviceId
    };

    // set the redirection flag
    this.storage.setDeviceHasRedirectedToLogin(deviceId);

    const redirect = this.msalService.loginRedirect({
      scopes: [`https://${environment.activeDirectory.domain}/${environment.activeDirectory.tenantId}/access_as_user`],
      extraQueryParameters: extraParameters
    });

    return redirect;

Reproduction Steps

  1. Access the Application
  2. Press the login button
  3. Nothing happens

Expected Behavior

Needs to redirect to the login page.

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Safari

Regression

No response

Source

External (Customer)

@hansakaRightS hansakaRightS added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Feb 17, 2023
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Feb 17, 2023
@github-actions github-actions bot added msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Feb 17, 2023
@ghost ghost assigned hectormmg Feb 17, 2023
@hectormmg
Member

@HansakaSS could you please elaborate on the issue? It's hard to determine what's going on without logs or a reproducible scenario. Is the failure happening after the user logs in and the login page redirects back to the application? Or is the issue happening when MSAL first redirects to the login page?

My initial assumption, if the problem is happening on the redirect back from the login screen, is that there could be a race condition where the hash is being cleared by the app's routing logic before MSAL has a chance to parse the auth code.

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Feb 17, 2023
@hansakaRightS
Author

@hectormmg we were able to see the following error on audits for users when they were having the issue.

The provided grant has expired. Please re-authenticate and try again. Current time: 1676633207, Grant issued time: 1676514293, Grant expiration time: 1676575579

Users were not able to redirect to the login page.

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Feb 18, 2023
@mlhamatms

mlhamatms commented Feb 20, 2023

@HansakaSS, it looks like, from what you posted, the request is taking 118 seconds from the time you got the grant to the time you used it in the above log; you're 57 seconds over the allowed exp of the token.

It looks like your grants are only valid for 60 seconds.

@hansakaRightS
Author

@mlhamatms thanks for the response.
I understand the token expiration issue.
I would like to know how to increase this expiration time.

Some users seem to have this problem continuously on the same device, even after clearing cache, but they were able to log in on other devices without a problem. Some users were able to log in on Chrome but not in Safari.

Also, in case of this problem, is there a way to let the users know something went wrong, or redirect to another page to give the user more information about the problem?

@hectormmg
Member

@HansakaSS that error should cause MSAL to return an InteractionRequired error. The correct usage pattern is to call acquireTokenRedirect or acquireTokenPopup for the user to reauthenticate. As far as changing the access token lifetime, that is not something you can do from MSAL, I would suggest looking at the AAD docs and your portal configuration.

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Feb 21, 2023
@hectormmg hectormmg assigned jo-arroyo and unassigned hectormmg Feb 21, 2023
@ghost

ghost commented Feb 27, 2023

@HansakaSS This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

@ghost ghost added the no-issue-activity Issue author has not responded in 5 days label Feb 27, 2023
@jo-arroyo jo-arroyo assigned tnorling and unassigned jo-arroyo Feb 27, 2023
@hansakaRightS
Author

hansakaRightS commented Mar 6, 2023

We have applied the acquireTokenRedirect solution to our application but we still see some users having the login problems. The user was able to see the login page, and after the redirect to the application the user is not authenticated. Also, the user cannot access the redirect again with the login button.

We were able to see the Acquire Token Error. Unexpected Error. Error message: BrowserAuthError: no_account_error: No account object provided to acquireTokenSilent and no active account has been set. Please call setActiveAccount or provide an account on the request in our logs

@hansakaRightS hansakaRightS reopened this Mar 6, 2023
@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed no-issue-activity Issue author has not responded in 5 days labels Mar 6, 2023
@tnorling
Collaborator

tnorling commented Mar 6, 2023

@HansakaSS The error message tells you exactly what is wrong and how to fix it. Did you have specific questions about this?

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Mar 6, 2023
@hansakaRightS
Author

@tnorling I understand that, but this is happening right after the user logs in to the system. I wanted to prevent this from happening. Is there a reason for this kind of behaviour?

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Mar 8, 2023
@tnorling
Collaborator

tnorling commented Mar 8, 2023

You either didn't pass an account to acquireTokenSilent or you didn't set the active account after login. You need to do one of those things to resolve this error.

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Mar 8, 2023
@JohnButare

@HansakaSS I think we are seeing similar issues in Safari using MSAL. It may be related to Safari's lack of regex lookbehind; ours is erroring out in the MSAL function CredentialEntity.getCredentialType calling 'if (key.toLowerCase().search("(?<=" + separator + domainRe + ")" + separator + credVal + separator) !== -1) {'. Can you confirm if yours is failing there? If so, I believe MSFT will need to change the search function to support Safari's lack of regex lookbehind.
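The lookbehind problem described in the comment above, as an added example that is not part of the thread and not MSAL's code: it detects whether the engine can compile a lookbehind and shows a lookbehind-free search that gives the same yes/no answer. The `separator` value, the simplified `domainRe` pattern and the cache keys are constructed for illustration.

```javascript
// Added example; separator, host pattern and cache keys are constructed.
const separator = "-";
const domainRe = "(?:[a-z0-9-]{1,63}\\.)+[a-z]{2,}"; // simplified host pattern

// True when the engine can compile a lookbehind. Engines without support
// throw SyntaxError when the pattern is compiled, which for a string passed
// to String.prototype.search() happens at call time, in the middle of login.
function supportsLookbehind(RegExpCtor = RegExp) {
  try {
    new RegExpCtor("(?<=a)b");
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Shape quoted in the comment: the host is asserted with a lookbehind.
function hasTypeLookbehind(key, credVal) {
  const re = "(?<=" + separator + domainRe + ")" + separator + credVal + separator;
  return key.toLowerCase().search(re) !== -1;
}

// Portable form: the host is consumed by the match instead of asserted.
// Only existence is tested (!== -1), so the answer is the same.
function hasTypePortable(key, credVal) {
  const re = separator + domainRe + separator + credVal + separator;
  return key.toLowerCase().search(re) !== -1;
}

// Constructed cache keys: one with a host before the type, one without.
const SAMPLE_KEYS = [
  "uid.utid-login.example.com-accesstoken-client-tenant-scope",
  "uid.utid-accesstoken-client",
];
```

Calling `supportsLookbehind()` once at start-up and reporting a `false` result to client telemetry makes this failure visible even when the login button appears to do nothing.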

@hansakaRightS
Author

hansakaRightS commented Mar 9, 2023

@tnorling thanks, I have updated the code with the setActivateAccount. I will keep you posted.

@JohnButare Yes, we had the same issue. I believe it has been fixed now. You can find the discussion here: #5548

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Mar 9, 2023
@lalimasharda lalimasharda added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Mar 9, 2023
@ghost

ghost commented Mar 15, 2023

@HansakaSS This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

@ghost ghost added the no-issue-activity Issue author has not responded in 5 days label Mar 15, 2023
@ghost ghost closed this as completed Mar 22, 2023
@hansakaRightS
Author

hansakaRightS commented Mar 28, 2023

@tnorling we have set the active account after login. Now we have fewer no_account_error errors. I have one question: do we have to check if we have an activeAccount before calling acquireTokenSilent? Currently we call acquireTokenSilent, and if there is no active account and we get the error, we redirect to the login page.

@ghost ghost reopened this Mar 28, 2023
@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed no-issue-activity Issue author has not responded in 5 days Needs: Author Feedback Awaiting response from issue author labels Mar 28, 2023
@ghost

ghost commented Apr 4, 2023

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @tnorling please follow up.

@tnorling
Collaborator

tnorling commented Apr 4, 2023

What you've described is fine, although our recommended best-practice approach is to check if a user is signed in prior to calling acquireTokenSilent and invoking interaction if not.
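The flow the maintainers recommend across this thread (set the active account after login, check for a signed-in account before acquireTokenSilent, fall back to acquireTokenRedirect when interaction is required), as an added example that is not code from the thread or from MSAL. `pca` stands for a PublicClientApplication instance (`MsalService.instance` in MSAL Angular); the function names, return shape and the `err.name` check are assumptions of this example.

```javascript
// Added example. `pca` is a PublicClientApplication-like object; `scopes`
// is supplied by the caller. Function names and return shape are hypothetical.

// Run once on page load, before the router can rewrite the URL hash.
async function completeRedirect(pca) {
  const result = await pca.handleRedirectPromise(); // null when not returning from login
  if (result && result.account) {
    pca.setActiveAccount(result.account); // otherwise silent calls raise no_account_error
  }
  return pca.getActiveAccount();
}

// Pick the signed-in account, falling back to the cache after a page reload.
function resolveAccount(pca) {
  let account = pca.getActiveAccount();
  if (!account) {
    const cached = pca.getAllAccounts();
    if (cached.length > 0) {
      account = cached[0]; // simplification: first cached account
      pca.setActiveAccount(account);
    }
  }
  return account;
}

async function getToken(pca, scopes) {
  const account = resolveAccount(pca);
  if (!account) {
    await pca.loginRedirect({ scopes }); // not signed in: start interaction
    return { status: "redirecting", reason: "not_signed_in" };
  }
  try {
    const res = await pca.acquireTokenSilent({ scopes, account });
    return { status: "ok", accessToken: res.accessToken };
  } catch (err) {
    // Assumption: matching on err.name; an app would normally use
    // `err instanceof InteractionRequiredAuthError` from @azure/msal-browser.
    if (err && err.name === "InteractionRequiredAuthError") {
      await pca.acquireTokenRedirect({ scopes, account });
      return { status: "redirecting", reason: "interaction_required" };
    }
    // Anything else is returned so the UI can show a message instead of doing nothing.
    return { status: "error", reason: (err && err.errorCode) || String(err) };
  }
}
```

The `status: "error"` branch is where an application would show the user a message or route to an error page, which the silent failure reported in this issue never did.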

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Apr 4, 2023
@hansakaRightS
Copy link
Author

hansakaRightS commented Apr 5, 2023

@tnorling I understand now, Thanks everyone for the support.

@ghost ghost removed the Needs: Author Feedback Awaiting response from issue author label Apr 5, 2023