Microsoft-authentication-library-for-js: Redirect callback is not called when loginRedirect() is run from a popup window

Created on 11 Jan 2020 · 11 Comments · Source: AzureAD/microsoft-authentication-library-for-js

Currently MSAL.js uses the WindowUtils.isInPopup() method to determine if the redirect or popup flow should be applied. However, in my use case, I want to be able to use the login redirect flow from a popup window. Perhaps it would be possible to create a configuration option where the developer can declare explicitly that MSAL.js should use the redirect or popup flow, instead of trying to deduce it from properties of the Window object.

Library

Framework

No framework required.

Description

When MSAL.js is run from a popup window that was created by its calling application, the redirect callback is not called when the loginRedirect() method is used. This is caused by the WindowUtils.isInPopup() method returning true, despite MSAL not using the loginPopup() flow.

Security

No security issue.

Regression

No regression.

Configuration

Please provide your MSAL configuration options.

auth: {
    clientId: clientId,
    authority: process.env.AUTH_AUTHORITY,
    redirectUri: process.env.AUTH_URL,
    postLogoutRedirectUri: process.env.AUTH_URL,
    navigateToLoginRequestUrl: false
},
cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
}

Reproduction steps

  1. Implement a simple page to login a user via MSAL.js with the redirect flow UserAgentApplication.loginRedirect().
  2. Create a new page that opens the page with the implementation of step 1 in a popup window with window.open().
  3. Complete the login flow, and verify that the redirect callback that was declared in UserAgentApplication.handleRedirectCallback() is not called when the user returns from the authentication provider.

Expected behavior

The callback method that was declared with UserAgentApplication.handleRedirectCallback() is called when the user returns from the authentication provider.

Browsers

Tested in Edge and Chrome, latest versions.

bug documentation known-issue

All 11 comments

@ehmPlankje We are aware of this limitation and this issue is tracked with #1095 (Teams attempts to do exactly the same - calls loginRedirect from pop up);

The solution needs:

  • #1169 to be supported first (the behavior is introduced as a part of this PR which is pending)
  • #1095 then fixed with appropriate checks

We plan to address this by the end of the month. Hope this clarifies.

@sameerag Thank you for the clarification. I already solved the issue for my stack by applying a patch on the WindowUtils.isInPopup() method, so that it always returns false, because we don't need the popup flow in our project.

Perhaps you could include this limitation in the documentation, because it took me considerable time before I found out why my implementation did not work as intended.

diff --git a/node_modules/msal/lib-es6/utils/WindowUtils.js b/node_modules/msal/lib-es6/utils/WindowUtils.js
index 3d9ddec..7aaed8f 100644
--- a/node_modules/msal/lib-es6/utils/WindowUtils.js
+++ b/node_modules/msal/lib-es6/utils/WindowUtils.js
@@ -18,7 +18,7 @@ var WindowUtils = /** @class */ (function () {
      * @ignore
      */
     WindowUtils.isInPopup = function () {
-        return !!(window.opener && window.opener !== window);
+        return false;
     };
     /**
      * @hidden
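Review bot: `return false;` in `isInPopup()` is unconditional, so code paths in this build that rely on the check to recognise a popup window will no longer do so. If the goal is only to let loginRedirect() work in a window opened with window.open(), make the override depend on an application-level setting and keep the original `window.opener` check as the default. The edit also lives under node_modules, so it has to be reapplied after every install.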
diff --git a/node_modules/msal/src/utils/WindowUtils.ts b/node_modules/msal/src/utils/WindowUtils.ts
index 4dd2c3b..0a800c6 100644
--- a/node_modules/msal/src/utils/WindowUtils.ts
+++ b/node_modules/msal/src/utils/WindowUtils.ts
@@ -27,7 +27,7 @@ export class WindowUtils {
      * @ignore
      */
     static isInPopup(): boolean {
-        return !!(window.opener && window.opener !== window);
+        return false;
     }

     /**
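Review bot: In src/utils/WindowUtils.ts the doc comment above `isInPopup()` still ends at `@ignore` and the method name still promises detection, while the body is now a constant. Add a one-line comment saying this is a local workaround for calling loginRedirect() from a popup, and keep this hunk identical to the lib-es6 one so the two copies do not diverge.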

@ehmPlankje Thanks for the feedback. Sure, we will add this to our documentation, until we have a solution in place. cc @hamiltonha

Is there any progress on this issue?

Same here, is there any progress on this issue? If not, what is the best way to get the access token if we are using the redirect approach?

Sorry for the delay, yes, we are planning to have a fix for this very soon (this week, hopefully).

@nikhil-nomula One potential workaround is to set window.opener = null.
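The opener check behind this issue and the two ways around it mentioned in the thread (nulling window.opener, and the explicit flow option the issue asks for), as an added example that is not MSAL.js code and not part of any comment. The `flow` option, `resolveFlow`, `handleReturn` and the window objects are hypothetical; only the `isInPopup` expression is taken from the patch above.

```javascript
// Added example: constructed window-like objects, not real browser windows.

// Same expression as the line removed by the patch in this thread.
function isInPopup(win) {
  return !!(win.opener && win.opener !== win);
}

// Hypothetical "flow" option, as requested in the issue; not an MSAL.js setting.
function resolveFlow(win, config = {}) {
  if (config.flow === "redirect" || config.flow === "popup") return config.flow;
  return isInPopup(win) ? "popup" : "redirect"; // fall back to detection
}

// Simplified model of the behaviour the issue describes: on return from the
// authentication provider, the redirect callback runs only if the page is
// not considered a popup.
function handleReturn(win, config, redirectCallback) {
  if (!win.location.hash) return "no-response";
  if (resolveFlow(win, config) === "popup") return "left-for-opener";
  redirectCallback(win.location.hash);
  return "callback-called";
}

// Constructed scenarios; the hash is a placeholder, not a real token response.
function runScenarios() {
  const hash = "#id_token=PLACEHOLDER&state=PLACEHOLDER";
  const app = { opener: null, location: { hash: "" } };   // page that calls window.open()
  const tab = { opener: null, location: { hash } };       // ordinary top-level tab
  const popup = { opener: app, location: { hash } };      // opened by the app
  const nulled = { opener: app, location: { hash } };
  nulled.opener = null;                                    // workaround from the thread
  const calls = [];
  const cb = (h) => calls.push(h);
  const results = {
    tab: handleReturn(tab, {}, cb),
    popup: handleReturn(popup, {}, cb),
    popupOpenerNulled: handleReturn(nulled, {}, cb),
    popupExplicitRedirect: handleReturn(popup, { flow: "redirect" }, cb),
    appNoHash: handleReturn(app, {}, cb),
  };
  return { results, callbackCount: calls.length };
}

console.log(runScenarios());
```

Nulling window.opener also removes the popup's handle to the window that opened it, so the login page can no longer signal completion to the calling application through window.opener.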

Looks like you've made progress on this issue. When do you plan to deliver the fix?

@kvergins We are planning to have a new version available soon (likely this week or early next week) with the fix for this issue.

[email protected] is available with a fix for this issue, please let us know if it is still a problem. Thanks!

Can I use this fix in a production app?

@sivahanuman [email protected] is now available on npm.
