Microsoft-authentication-library-for-js: Using MSAL to get tokens without using MSAL to sign in

Created on 22 Apr 2018 · 7 Comments · Source: AzureAD/microsoft-authentication-library-for-js

Portal capabilities for Dynamics 365 provides the ability to sign in using Azure AD B2C. This is a feature of the product over which I have limited control; as far as I know, this feature is implemented without MSAL.

Within the context of the portal I am attempting to use MSAL to acquire a token, acquireTokenSilent.

With a user signed into the portal (using the native features of the portal and not MSAL, e.g. loginPopup), calling acquireTokenSilent results in user_login_error: User login is required.

Is this a scenario that MSAL actually supports? The ability to recognise the user is signed into Azure AD B2C but not via MSAL. Is there a way this could be supported?

All 7 comments

@sirjameswood This is a feature which is not yet supported. We have plans to add this feature but in order for msal to acquire tokens for the user not signed in through msal, we would require login_hint and domain_hint of the user.

Do you have this information available for the user? login_hint would be the preferred_username field in the id_token and domain_hint would be either consumers/organizations.

Yes I think so, we configure AD, so we should have that information available.

@sirjameswood were you able to resolve this? You need to parse the id_token that you got during login and check if it has a preferred_username or upn field. You can use these fields as login_hint. For domain_hint, if it's an AAD account, you need to pass organizations, and if it's an MSA account (a consumer account like live.com, hotmail.com, etc.) you will pass consumers. Hope this was helpful. I will also document this on our wiki.
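The procedure described in the two comments above (decode the id_token the non-MSAL sign-in produced, take preferred_username or upn as login_hint, and choose domain_hint by account type), as an added example that is not code from the MSAL.js project or from any commenter in this thread. It assumes the consumer (MSA) account case can be recognised by the well-known MSA tenant id in the tid claim, and it names the resulting request properties loginHint and domainHint the way the ssoSilent request object of @azure/msal-browser does; the parameter shape differs between MSAL.js versions (the 0.x releases current when this issue was filed passed these as extra query parameters), so adapt the final object to the version you use. The sample id_token is constructed inline with a placeholder signature and is not a real token.

```javascript
// Added example: derive SSO hints for a silent MSAL token request from an
// id_token issued by a sign-in flow that MSAL did not perform.
// Not part of the MSAL.js project. Runs in Node 16+ or a browser.

// Well-known tenant id that Azure AD uses for consumer (MSA) accounts.
const MSA_TENANT_ID = '9188040d-6c67-4c5b-b112-36a304b66dad';

// Base64url encode UTF-8 text (used only to build the constructed sample token).
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Base64url decode a JWT segment back to UTF-8 text.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Extract the claims object from a compact JWT. The signature is NOT verified
// here: the token was already validated by the flow that issued it, and the
// hints we derive only steer the authorization server, which still checks
// its own session before issuing anything.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('id_token is not a three-part JWT');
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    throw new Error('id_token payload is not valid JSON');
  }
  if (claims === null || typeof claims !== 'object') {
    throw new Error('id_token payload is not a JSON object');
  }
  return claims;
}

// login_hint comes from preferred_username, falling back to upn, as the
// thread suggests. domain_hint is "consumers" for MSA accounts (assumption:
// recognised via the MSA tenant id) and "organizations" otherwise.
function deriveSsoHints(idToken) {
  const claims = decodeJwtPayload(idToken);
  const loginHint = claims.preferred_username || claims.upn;
  if (typeof loginHint !== 'string' || loginHint.length === 0) {
    throw new Error('id_token carries neither preferred_username nor upn');
  }
  const domainHint = claims.tid === MSA_TENANT_ID ? 'consumers' : 'organizations';
  return { loginHint, domainHint };
}

// Build the request object to hand to the silent call. Property names follow
// the @azure/msal-browser ssoSilent request (assumption; older msal.js took
// login_hint/domain_hint as extra query parameters instead).
function buildSsoSilentRequest(idToken, scopes) {
  const { loginHint, domainHint } = deriveSsoHints(idToken);
  return { scopes, loginHint, domainHint };
}

// Constructed sample token: real header/payload encoding, placeholder signature.
function makeConstructedIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.not-a-real-signature`;
}

// Demo on a constructed AAD (organizations) token.
const sampleIdToken = makeConstructedIdToken({
  iss: 'https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0',
  tid: '11111111-2222-3333-4444-555555555555',
  preferred_username: 'alice@contoso.example',
  name: 'Alice Example',
});
console.log(buildSsoSilentRequest(sampleIdToken, ['User.Read']));
```

The object returned by buildSsoSilentRequest is what you would pass to the silent call; if the hidden-frame request still fails with a login-required error, the authorization server does not have a usable session cookie for that user and an interactive sign-in is unavoidable. Because the hints are taken from a token you do not re-verify, treat them as routing information only and never as proof of who the current user is.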

@nehaagrawal Sort of, I built a separate connection without using MSAL.

@nehaagrawal Did you add this information to the wiki yet? When I try to navigate to https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Single-sign-on I just get an error "you are not authorized to edit this page."

We are also currently very interested in using MSAL.js for SSO, in the scenario where the user is logged into Azure AD B2C through a non-MSAL application

> @sirjameswood were you able to resolve this? You need to parse the id_token that you got during login and check if it has a preferred_username or upn field. You can use these fields as login_hint. For domain_hint, if it's an AAD account, you need to pass organizations, and if it's an MSA account (a consumer account like live.com, hotmail.com, etc.) you will pass consumers. Hope this was helpful. I will also document this on our wiki.

Is this supported now? If it is, do you know where I can find the documentation?

@ashleywb @jhossy The information for this scenario is documented towards end of this Wiki page:
https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Sso
