Microsoft-authentication-library-for-js: Unable to use acquireTokenSilent() method for Live Accounts via Azure B2C

Created on 9 Mar 2018 · 15 comments · Source: AzureAD/microsoft-authentication-library-for-js

It seems that the out-of-the-box experience for using MS Live as an Identity Provider isn't working properly. I'm able to log in correctly. However, the acquireTokenSilent() method forces a redirect in my Angular application. The problem is, MSAL 0.1.5 doesn't set a 'msal.state.acquireToken' entry in the Session or Local storage cache, thus causing the URL hash and subsequently the newly acquired access token to be systematically disregarded. I have included a really nasty hack that seems to address this issue from the client's perspective, but I'd imagine there must be a much better solution that can be implemented from within the MSAL code base:

```typescript
// Workaround posted by the reporter: scrape the state value that MSAL 0.1.5 logs
// during silent renewal and persist it under the "msal.state.acquireToken" key
// (Constants.stateAcquireToken) so the returned hash is not discarded.
const hackToSupportLive = 'Renew token Expected state:';
const storage = new Storage('localStorage');
const logger = new Msal.Logger(
    (level: Msal.LogLevel, message: string, containsPii: boolean) => {
        const index = message.indexOf(hackToSupportLive);
        if (index > -1) {
            // everything after the marker text is the GUID state value
            const neededState = message.substring(index + hackToSupportLive.length);
            storage.setItem(Constants.stateAcquireToken, neededState.trim());
        }
    },
    { level: Msal.LogLevel.Verbose, piiLoggingEnabled: true });

this.authClient$ = new Msal.UserAgentApplication(
    this.appConfig$.clientID,
    this.appConfig$.authority,
    (errorDesc, token, error, tokenType) => {
        if (!error && token) {
            console.log(`Token: ${token} - ${tokenType}`);
        } else {
            console.log(`Error: ${error} - ${errorDesc}`);
        }
    },
    { cacheLocation: 'localStorage', loadFrameTimeout: 20000, navigateToLoginRequestUrl: false, logger: logger });
```

My questions are

  1. What's causing MSAL to force a redirect whenever an attempt is made to acquire an access token for a Live account?
  2. Why doesn't this occur when other 3rd-party identity providers are used (e.g. Facebook)?
  3. Though acquireTokenSilent apparently sets a new randomized state ID, why is it not being stored in the Local or Session storage area so that it can be properly processed during the next callback?
Labels: b2c, more-information-needed


All 15 comments

@tvperez76 For acquireTokenSilent, MSAL JS saves the state in the parent window, and when you receive the response in the iframe, we match the state from the parent window using window.parent, as the parent window state stays unaffected. We save the state in the browser storage only in the case of loginRedirect/acquireTokenRedirect. You might be facing a different issue. Can you please provide logs or a code repro for this issue?

Certainly. Here's a log trace from MSAL, Chrome and Angular:

Contains: PII: true; Message: Fri, 09 Mar 2018 20:37:05 GMT:0.1.5-Info Navigate to:https://login.microsoftonline.com/te/mlpexpress.onmicrosoft.com/b2c_1_mlpexpressloginpolicies/oauth2/v2.0/authorize?response_type=id_token&scope=https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fcommon%20https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fuser_impersonation%20openid%20profile&client_id=a663f6ae-7de9-4bd9-be48-9709add850ac&redirect_uri=http%3A%2F%2Flocalhost%3A32897%2F&state=497836d4-33aa-49c1-bbe6-1e6d16680105&nonce=f4d410d2-0c78-418c-94a9-56d781793b26&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.5&client-request-id=3059f809-c187-4556-86ed-9964c053bf43&prompt=select_account&response_mode=fragment

Navigated to https://login.microsoftonline.com/te/mlpexpress.onmicrosoft.com/b2c_1_mlpexpressloginpolicies/oauth2/v2.0/authorize?response_type=id_token&scope=https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fcommon%20https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fuser_impersonation%20openid%20profile&client_id=a663f6ae-7de9-4bd9-be48-9709add850ac&redirect_uri=http%3A%2F%2Flocalhost%3A32897%2F&state=497836d4-33aa-49c1-bbe6-1e6d16680105&nonce=f4d410d2-0c78-418c-94a9-56d781793b26&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.5&client-request-id=3059f809-c187-4556-86ed-9964c053bf43&prompt=select_account&response_mode=fragment
authorize?response_type=id_token&scope=https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fcommon https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fuser_impersonation openid profile&client_id=a663f6ae-7de9-4bd9-be48-9709add850ac&redirect_uri=http%3A%2F%2Flocalhost%3A32897%2F&state=497836d4-33aa-49c1-bbe6-1e6d16680105&nonce=f4d410d2-0c78-418c-94a9-56d781793b26&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.5&client-request-id=3059f809-c187-4556-86ed-9964c053bf43&prompt=select_account&response_mode=fragment:1 [DOM] Password field is not contained in a form: (More info: https://goo.gl/9p2vKq) <input type=​"password" id=​"password" name=​"Password" placeholder=​"Password" tabindex=​"1">​
oauth20_authorize.srf?client_id=ffb2788c-8dd8-45e6-9213-b9ba9e692f8f&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fmlpexpress.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=e82cTg7AZEHPAvRGYnwIdg%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZDg4ODlmNzAtNDgyMi00MmY5LTllMmItNTIxYzZhNDE0NmY4IiwiVElEIjoiYjhkYzc5MTEtMzA0Yy00OWFiLWFhZmEtZDRmZjY0ZDc5MmM1In0:1 [Violation] Avoid using document.write().
(anonymous) @ oauth20_authorize.srf?client_id=ffb2788c-8dd8-45e6-9213-b9ba9e692f8f&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fmlpexpress.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=e82cTg7AZEHPAvRGYnwIdg%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZDg4ODlmNzAtNDgyMi00MmY5LTllMmItNTIxYzZhNDE0NmY4IiwiVElEIjoiYjhkYzc5MTEtMzA0Yy00OWFiLWFhZmEtZDRmZjY0ZDc5MmM1In0:1

Navigated to https://login.live.com/oauth20_authorize.srf?client_id=ffb2788c-8dd8-45e6-9213-b9ba9e692f8f&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fmlpexpress.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=e82cTg7AZEHPAvRGYnwIdg%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZDg4ODlmNzAtNDgyMi00MmY5LTllMmItNTIxYzZhNDE0NmY4IiwiVElEIjoiYjhkYzc5MTEtMzA0Yy00OWFiLWFhZmEtZDRmZjY0ZDc5MmM1In0

Navigated to https://login.live.com/ppsecure/post.srf?client_id=ffb2788c-8dd8-45e6-9213-b9ba9e692f8f&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fmlpexpress.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=openid+profile+email&response_mode=form_post&nonce=e82cTg7AZEHPAvRGYnwIdg%3d%3d&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6ZDg4ODlmNzAtNDgyMi00MmY5LTllMmItNTIxYzZhNDE0NmY4IiwiVElEIjoiYjhkYzc5MTEtMzA0Yy00OWFiLWFhZmEtZDRmZjY0ZDc5MmM1In0&contextid=0702AF4C511DF596&bk=1520627827&uaid=5094cf185aaa4e05ba3e68ac9e0a4f9c&pid=15216

Navigated to http://localhost:32897/
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:14 GMT:0.1.5-Info Returned from redirect url
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:14 GMT:0.1.5-Info State status:true; Request type:LOGIN
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:14 GMT:0.1.5-Info State is right
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:14 GMT:0.1.5-Info Fragment has id token
VM590 main.bundle.js:740 Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsifQ.….Vfzo5NhAD-sTSe5_0EsjpkXx4zhpJY75UhLjUTM9QzI1M-6V_5UulOEFVZxDwydGqsn-_C8AmnlAtgu2wM5CNUB7sFg5MG559SwxZbHy3075L06FBCreO4TkXIURq7ACGvKmLqrtq6hdQYzzCub4pp4BKkBEchIy3IQ0WPjOy4N1R_jBodb-FJ90KDRt9DDzahEYVkRqRCAQcoZCnLEW67XkhcK0p0J5sv9iPKoT5aLjbWoA1lSnXFE0gTaXRuQ7y-QGsF1XV6zNSs2GVTiUylXH0UlRnUH7xoWbLUhv403WcQLO2wUkkhDBzarQhJNp7u6Uj95pkruk9_2Xr5p5YQ - id_token
VM589 vendor.bundle.js:21192 Angular is running in the development mode. Call enableProdMode() to enable the production mode.
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Verbose renewing accesstoken
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Verbose renewToken is called for scope:https://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Info Add msal frame to document:msalRenewFramehttps://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Verbose Renew token Expected state: 0d4071b9-866a-4c17-b60f-9a59ae94f6c7
VM590 main.bundle.js:729 Contains: PII: true; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Info Navigate to:https://login.microsoftonline.com/te/mlpexpress.onmicrosoft.com/b2c_1_mlpexpressloginpolicies/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fcommon%20https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fuser_impersonation%20openid%20profile&client_id=a663f6ae-7de9-4bd9-be48-9709add850ac&redirect_uri=http%3A%2F%2Flocalhost%3A32897%2F&state=0d4071b9-866a-4c17-b60f-9a59ae94f6c7&nonce=aaf6c5f1-4988-4bce-b206-32a550b88f4e&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.5&client-request-id=3bf9f817-4ddf-4885-bc1b-3d0a0fba7f83&prompt=none&domain_req=f5608c9d-e238-47f9-8e91-0dce4a7003cc&login_req=19b30408-5853-40e2-bd3c-6ad2f7a5c12b-b2c_1_mlpexpressloginpolicies&domain_hint=organizations
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Verbose Set loading state to pending for: https://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Info LoadFrame: msalRenewFramehttps://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation
VM590 main.bundle.js:729 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Info Add msal frame to document:msalRenewFramehttps://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation
VM590 main.bundle.js:729 Contains: PII: true; Message: Fri, 09 Mar 2018 20:37:20 GMT:0.1.5-Info Frame Name : msalRenewFramehttps://mlpexpress.onmicrosoft.com/webapi/common https://mlpexpress.onmicrosoft.com/webapi/user_impersonation Navigated to: https://login.microsoftonline.com/te/mlpexpress.onmicrosoft.com/b2c_1_mlpexpressloginpolicies/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fcommon%20https%3A%2F%2Fmlpexpress.onmicrosoft.com%2Fwebapi%2Fuser_impersonation%20openid%20profile&client_id=a663f6ae-7de9-4bd9-be48-9709add850ac&redirect_uri=http%3A%2F%2Flocalhost%3A32897%2F&state=0d4071b9-866a-4c17-b60f-9a59ae94f6c7&nonce=aaf6c5f1-4988-4bce-b206-32a550b88f4e&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.5&client-request-id=3bf9f817-4ddf-4885-bc1b-3d0a0fba7f83&prompt=none&domain_req=f5608c9d-e238-47f9-8e91-0dce4a7003cc&login_req=19b30408-5853-40e2-bd3c-6ad2f7a5c12b-b2c_1_mlpexpressloginpolicies&domain_hint=organizations

Navigated to http://localhost:32897/
authentication.service.ts:30 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:22 GMT:0.1.5-Info Returned from redirect url
authentication.service.ts:30 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:22 GMT:0.1.5-Info State status:false; Request type:undefined
authentication.service.ts:30 Contains: PII: false; Message: Fri, 09 Mar 2018 20:37:22 GMT:0.1.5-Error State Mismatch.Expected State: 497836d4-33aa-49c1-bbe6-1e6d16680105,Actual State: 0d4071b9-866a-4c17-b60f-9a59ae94f6c7
authentication.service.ts:48 Error: undefined - undefined

Though the new state value was identified, 0d4071b9-866a-4c17-b60f-9a59ae94f6c7, it was never stored, which ultimately causes MSAL JS to ignore the newly acquired access token. This is why, in the code I've provided, I had to extract the state ID of the token acquisition process and manually store it to Storage (LocalStorage in this case) with the key "msal.state.acquireToken".

Is this resolved? The version 0.1.1 works for me, but not 0.1.5. The response comes back, but does not store the state.

```typescript
export class MsalService extends BaseAuthService implements IAuthService {
    public access_token: string;
    public user: string;
    private authority: string = AppSettings.authority;
    private tenantConfig: any = {
        tenant: AppSettings.tenant,
        clientID: AppSettings.clientId,
        signUpSignInPolicy: AppSettings.signUpSignInPolicy,
        b2cScopes: AppSettings.b2cScopes
    };
    private clientApplication: any;

    constructor() {
        super();
        this.initAuthApp();
    }

    public authCallback(errorDesc, token, error, tokenType) {
        if (token) {
            alert(token);
        } else {
            alert(errorDesc);
        }
    }

    protected initAuthApp() {
        this.clientApplication = new Msal.UserAgentApplication(
            this.tenantConfig.clientID, this.authority, this.authCallback
        );
        this.clientApplication.redirectUri = AppSettings.B2C_AD_RedirectUri;
    }

    public login(): void {
        this.clientApplication.loginRedirect(AppSettings.b2cScopes);
    }

    public acquireTokenSilent(): Promise<any> {
        return this.clientApplication.acquireTokenSilent(AppSettings.b2cScopes)
            .then(token => token)
            .catch(error => {
                console.error('error getting access token: ' + error);
                return Promise.resolve('');
            });
    }

    public createUser(rawIdToken) {
    }

    logout(): void {
        this.clientApplication.logout();
    }

    isOnline(): boolean {
        return this.clientApplication.getUser() != null;
    }

    getUser(): AuthUser {
        const decodedIdToken = this.clientApplication.getUser().idToken;
        // v0.1.1: Msal.Storage._instance.getItem(Msal.Constants.idTokenKey)
        let email: string = '', lastName: string = '', firstName: string = '', objectId: string = '', phoneNumber: number, idp: string = '';
        email = decodedIdToken.emails[0];
        lastName = decodedIdToken.family_name;
        firstName = decodedIdToken.given_name;
        objectId = decodedIdToken.oid;
        idp = decodedIdToken.idp;
        // fall back when the idp claim is absent or empty
        if (idp == 'undefined' || idp == null || idp == '' || idp == '0') {
            idp = 'EmailAndPassword';
        }
        return AuthUser.createUser(objectId, firstName, lastName, email, phoneNumber, idp);
    }

    getToken(): string {
        return this.clientApplication.getUser().rawIdToken;
    }
}
```

So, is there any word on getting this resolved?

Hi folks.
The problem is not MSAL.js but https://login.live.com/oauth20_authorize.srf. Here is what I found out when I was debugging the entire acquireTokenSilent process:

When the iframe (msalRenewFrame…) tries to authenticate at https://login.live.com/oauth20_authorize.srf, https://login.live.com/oauth20_authorize.srf attempts to ‘framebust’ (navigate the parent of the iframe which is the main site). Chrome shows this warning:

Frame with URL 'https://login.live.com/oauth20_authorize.srf?client_id=… attempted to navigate its top-level window with URL 'http://localhost:4200/#/dashboard'. Navigating the top-level window from a cross-origin iframe will soon require that the iframe has received a user gesture. See https://www.chromestatus.com/features/5851021045661696. DoSubmit @ oauth20_authorize… onload @ oauth20_authorize…

This causes the main site to redirect, which turns acquireTokenSilent into acquireTokenBoisterous. Just kidding.

I tried to sandbox the msalRenewFrame… with ifr.setAttribute("sandbox", "allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts") according to https://www.w3schools.com/tags/att_iframe_sandbox.asp. Now the main site does not redirect away, but now Chrome shows an error:

Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:4200/#/dashboard' from frame with URL 'https://login.live.com/oauth20_authorize.srf?client_id=… The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 'allow-top-navigation-by-user-activation' is not set.

I assume this framebusting happens for compatibility reasons (we all know how redirect-heavy logging in to Microsoft services is). I am afraid this is no easy fix. But Chrome will break it soon anyway, so maybe the team behind https://login.live.com/oauth20_authorize.srf is already on it. Until then, Azure AD B2C in combination with Live Accounts and MSAL.js is broken and cannot be used.

I also posted this on StackOverflow: https://stackoverflow.com/questions/49831045/msal-js-acquiretokensilent-on-azure-ad-b2c-with-microsoft-account-login-live-co
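The two mechanics discussed in this thread, as an added example that is not MSAL.js code and not from any of the commenters: the maintainer's note that a silent-renew response is matched against the state held by the parent window while a redirect response is matched against the state persisted in storage, and the observation above that login.live.com framebusts the renew frame so the response arrives at top level instead. The two state GUIDs are the ones from the log posted earlier; the token value, the `parseFragment`/`matchState`/`allowsTopNavigation` names and the `RENEW_FRAME_SANDBOX` token list are assumptions for illustration.

```javascript
// Added example, not MSAL.js source. Models the two places an authorization
// response can be delivered and which expected "state" applies to each:
//   - inside the hidden renew iframe: compared with the state the parent window
//     generated for acquireTokenSilent (MSAL reads it via window.parent)
//   - at top level after a redirect: compared with the state persisted in
//     storage for loginRedirect / acquireTokenRedirect
// When login.live.com framebusts, the renew response arrives at top level and is
// checked against the wrong (login) state, reproducing the "State Mismatch" log.

function parseFragment(hash) {
  // "#access_token=...&state=..." -> { access_token: ..., state: ... }
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const out = {};
  for (const [key, value] of params) out[key] = value;
  return out;
}

function matchState(hash, context) {
  const response = parseFragment(hash);
  const expected = context.inIframe
    ? context.parentRenewState
    : context.storedRedirectState;
  const ok = typeof response.state === 'string' && response.state === expected;
  return {
    ok,
    expected,
    actual: response.state,
    // only hand the token out when the state binding holds
    token: ok ? (response.access_token || response.id_token || null) : null,
  };
}

// Assumed sandbox token list for the renew frame: the cross-origin page inside
// may submit forms and run script, but cannot navigate the top-level window
// because no allow-top-navigation* token is present.
const RENEW_FRAME_SANDBOX = 'allow-forms allow-popups allow-same-origin allow-scripts';

function allowsTopNavigation(sandbox) {
  return sandbox.split(/\s+/).some((t) =>
    t === 'allow-top-navigation' || t === 'allow-top-navigation-by-user-activation');
}

// State values taken from the log in this thread; the token value is constructed.
const LOGIN_STATE = '497836d4-33aa-49c1-bbe6-1e6d16680105';
const RENEW_STATE = '0d4071b9-866a-4c17-b60f-9a59ae94f6c7';
const RENEW_RESPONSE = `#access_token=constructed.token.value&state=${RENEW_STATE}`;

function demo() {
  // delivered where MSAL expects it: in the iframe, parent holds the renew state
  const inFrame = matchState(RENEW_RESPONSE, {
    inIframe: true, parentRenewState: RENEW_STATE, storedRedirectState: LOGIN_STATE,
  });
  // framebusted: same fragment arrives at top level, only the login state is stored
  const framebusted = matchState(RENEW_RESPONSE, {
    inIframe: false, parentRenewState: undefined, storedRedirectState: LOGIN_STATE,
  });
  return {
    inFrame,
    framebusted,
    sandboxBlocksTopNav: !allowsTopNavigation(RENEW_FRAME_SANDBOX),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `framebusted` result reproduces the log line "State Mismatch. Expected State: 497836d4-…, Actual State: 0d4071b9-…": the response itself is valid, but it was delivered to a context whose only known state is the one from the earlier login. The sandbox list shows why the second experiment above stopped the redirect, and why Chrome then complained about the missing allow-top-navigation flag.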

Is this issue resolved? I am trying to renew the id_token before it expires by calling acquireTokenSilent. I get a new token, but it disregards it and still uses the old id_token, and as soon as the id_token expires it redirects me back to my login page. Is there any resolution to it? I am using the latest MSAL library. I don't want the users to log in again every hour. How do I renew the session?

I'm seeing exactly the same issue, so it's good to see that the bug tag has been applied. In my scenario, login to my website works for MS Accounts and Google accounts; however, if you then hit a page which makes a call to an API secured using B2C, the above issue occurs.

My error on Google accounts is slightly different, but I'll include it below in case the two are somehow linked.

Refused to display 'https://accounts.google.com/o/oauth2/auth.....' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

My understanding is that all of the tokens are issued from B2C and not from the ID providers, so I'm unsure why any redirect is happening off to login.live.com or accounts.google.com when the token is no more than a few seconds old.

I'm using the latest version of msal-angular, which at the time of writing is 0.1.2.
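The X-Frame-Options refusal quoted in the comment above, as an added example that is not browser or MSAL.js code and not from the commenter: the function below applies the header's framing rules (DENY, SAMEORIGIN, and the legacy ALLOW-FROM form) to a frame origin and a top-level origin, which is the check a browser runs before rendering the renew frame's response. The `frameAllowed` and `renewFrameCase` names and the `https://app.example` application origin are assumptions; CSP `frame-ancestors` is outside this example.

```javascript
// Added example, not browser or MSAL.js source. Decides whether a response with
// the given X-Frame-Options header may be rendered inside a frame whose
// top-level document has the given origin:
//   DENY        refuses all framing
//   SAMEORIGIN  requires the framed origin to equal the top-level origin
//   ALLOW-FROM  (legacy) names the one top-level origin that may frame it
// An absent or unrecognised header places no restriction here.
function frameAllowed(xfoHeader, frameOrigin, topOrigin) {
  if (!xfoHeader) return true;
  const [directive, ...rest] = xfoHeader.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return frameOrigin === topOrigin;
    case 'ALLOW-FROM': {
      try {
        return new URL(rest.join(' ')).origin === topOrigin;
      } catch (e) {
        return false; // malformed ALLOW-FROM value: refuse to frame
      }
    }
    default:
      return true;
  }
}

// The silent-renew case from the comment above: an app (constructed origin
// https://app.example) frames accounts.google.com, which answers with
// "X-Frame-Options: sameorigin", so the browser refuses to display it.
function renewFrameCase() {
  return frameAllowed('sameorigin', 'https://accounts.google.com', 'https://app.example');
}

console.log('renew frame for accounts.google.com allowed:', renewFrameCase());
```

A hidden renew frame can only ever succeed against an endpoint that either omits the header or allows the application's origin; a `sameorigin` response from a third-party identity provider will always be refused regardless of what the application does.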

@navyasric, what can we do to workaround this issue ? It is a blocking issue since we cannot get access tokens for all MS accounts from MSAL.js. (We also have a different issue for Twitter accounts #349)
The README reads

This library is suitable for use in a production environment.

This (blocking) issue is 7 months old ! The #349 is 3-4 months old. Please do something...

any updates? still encountering this issue

In my Angular/MSAL testing, I have found that this error occurs frequently when users with multiple accounts attempt to login to the application.

@andyamacdonald @drocm @aloene @mdressman Sorry for the delay. To confirm, are you experiencing the iframe-related errors in Angular apps using @azure/msal-angular? Can you let us know if your app is creating nested iframes due to the way msal is loading? Please check this FAQ topic to see how to load the msal module and let us know if it helps with the x-frame issue.

For NPM users attempting to implement @navyasric above suggestion. Note that "msal-angular" is NOT the correct package (this caused me some headaches).

The correct NPM package is "@azure/msal-angular".

Hello,

I am not sure if this is related but I'm also having the same issue getting the user information via the MSAL Library after the user has authenticated fine. It seems to detect the #id_token just fine but nothing else.

Every time it does the process, I noticed that on the Microsoft site (in Google Developer Tools) it says the cookie couldn't be stored because it was too large and it was ignored.

Could it simply be that, because the cookie isn't getting stored on aadcdn.msftauth.net, when the MSAL Library checks its environment on a recall, it has no cookie to refer to?

Only a thought, I'm reporting it as anything saying it ignored cookies can't be good.

GOOGLE DEVELOPER TOOLS - COPY/PASTE
"Cookie length should be less than or equal to 4096 characters."

Set-Cookie header is ignored in response from url: https://login.microsoftonline.com/common/reprocess?ctx=XXX&sessionid=XXXX. Cookie length should be less than or equal to 4096 characters.

z.view_onRedirect @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:22
(anonymous) @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:20
notifySubscribers @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
t.W @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
t @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
e @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:21
f.tile_onClick @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:34
(anonymous) @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:20
notifySubscribers @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
t.W @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
t @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:19
e @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:21
S.tile_onClick @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:34
(anonymous) @ aadcdn.msftauth.net/ests/2.1.8696.9/content/cdnbundles/oldconvergedlogin_pcore.min_uk4aej10w7m4lzu2edwvig2.js:20

@tvperez76 Is this still an issue? Please let us know if so.

You may find the B2C demo helpful: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp

Please raise a new issue if it is not resolved with the above information. Closing this ticket as there is no response from the user.
