Microsoft-authentication-library-for-js: AADSTS50058 in IOS Safari

Created on 14 Jan 2020 · 8 comments · Source: AzureAD/microsoft-authentication-library-for-js


Library


Framework

React

Description

We have a React application that works fine when running in Chrome on Windows, but when running in Safari on iOS we get an "AADSTS50058: A silent sign-in request was sent but no user is signed in..." error when trying to request an access token.

So far, we have observed this happening on iOS 13.3 devices, and it appears that we can work around it by disabling "Prevent Cross-Site Tracking" in Safari, but we cannot expect our users to disable that setting.

Security

Is this issue security related? No

Regression

Did this behavior work before? Unknown

Configuration

Please provide your MSAL configuration options.

    // getMSAL(config) is assumed to return the app's MSAL UserAgentApplication
    // instance (msal v1); scopes is the list of scopes wanted on the access token.
    async function requestAccessToken(config, scopes) {
      try {
        const myMSALObj = getMSAL(config);
        console.log('requesting token', myMSALObj.getAccount()); // we get a valid user here
        const response = await myMSALObj.acquireTokenSilent({
          scopes: scopes
        });
        return response.accessToken;
      } catch (error) {
        console.log('error acquiring token with acquireTokenSilent', error); // we get our AADSTS50058 error here
        return 'error';
      }
    }

Reproduction steps

Expected behavior

Should be able to get an access token on iOS 13.3.

Browsers

iOS 13.3 Safari

bug compatibility known-issue

All 8 comments

@beolson Unfortunately, this is a known issue with Safari. The next version of our library (currently in development) will use the Auth Code Flow w/ PKCE, which we expect to mitigate the problems caused by Safari ITP in most scenarios.

We will make an announcement when there is a version of MSAL with Auth Code Flow that you can try out.

Correct me if I am wrong, but I didn't think Auth Code Flow is a valid approach for SPA-style applications.

I did some more testing and discovered that if I do an acquireTokenRedirect whenever the acquireTokenSilent fails, it seems to fix whatever was broken, and I can get an access token. The biggest problem is, I suspect this approach will cause another acquireTokenRedirect after a period of time and the user application will lose state.

@beolson The Auth Code Flow w/ PKCE is now the recommended best-practice for browser-based applications such as SPAs. We'll have more information soon about how this will work for AAD.

And yeah, it makes sense with ITP enabled that silently acquiring an access token would fail when a network request is involved, and that an interactive request would succeed. You can also consider using acquireTokenPopup if acquireTokenRedirect is undesirable.

Thanks for the clarification here, @jasonnutter. Would you say the best workaround here would be to detect the user agent string for Safari browsers and fall back to an acquireTokenPopup call when receiving an AADSTS50058 error code? I'm seeing some users reporting the same on Safari.

@AndrewCraswell I suppose that might work, although we generally advise against coding for specific error codes, as they can change without warning. But it seems like a reasonable workaround for now, until Auth Code is ready.
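The silent-first, interactive-fallback pattern discussed in the comments above, as an added example that is not code from this thread or from the MSAL library. It assumes `client` is an MSAL instance exposing `acquireTokenSilent`/`acquireTokenPopup` and that MSAL's typed error is named `InteractionRequiredAuthError`; the fake client and the error it throws are constructed here to stand in for Safari with ITP enabled.

```javascript
// Silent-first token acquisition with one interactive fallback (added example).
// `client` is assumed to expose msal-style acquireTokenSilent/acquireTokenPopup
// methods returning { accessToken }; the fake client below is constructed.
const INTERACTION_REQUIRED_CODES = ['AADSTS50058', 'interaction_required', 'login_required'];

function isInteractionRequired(error) {
  // Prefer the typed error MSAL throws (name assumed); only then inspect the
  // error text, since server error codes may change, as noted in the thread.
  if (error && error.name === 'InteractionRequiredAuthError') return true;
  const text = `${error && error.errorCode} ${error && error.message}`;
  return INTERACTION_REQUIRED_CODES.some((code) => text.includes(code));
}

async function acquireAccessToken(client, request) {
  try {
    const response = await client.acquireTokenSilent(request);
    return response.accessToken;
  } catch (error) {
    // Anything other than "interaction required" (e.g. a network failure)
    // should surface to the caller, not trigger a sign-in prompt.
    if (!isInteractionRequired(error)) throw error;
    const response = await client.acquireTokenPopup(request);
    return response.accessToken;
  }
}

// Constructed fake client modelling the Safari ITP behaviour from the thread:
// the hidden-iframe silent call fails, the popup (top-level window) succeeds.
function makeFakeClient(silentError) {
  const calls = { silent: 0, popup: 0 };
  return {
    calls,
    async acquireTokenSilent() {
      calls.silent += 1;
      if (silentError) throw silentError;
      return { accessToken: 'silent-token' };
    },
    async acquireTokenPopup() {
      calls.popup += 1;
      return { accessToken: 'popup-token' };
    },
  };
}

// Constructed error mimicking what the thread reports under ITP.
const itpError = Object.assign(
  new Error('AADSTS50058: A silent sign-in request was sent but no user is signed in.'),
  { errorCode: 'login_required' }
);
```

Calling `acquireAccessToken(makeFakeClient(itpError), { scopes: ['user.read'] })` resolves to the popup token after exactly one silent attempt, while a plain network error is rethrown without opening a popup.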

Closing. Early versions of MSAL.js w/ Auth Code Flow are available on npm: https://www.npmjs.com/package/@azure/msal-browser

@jasonnutter sorry for commenting on a closed issue. I ran into this issue for our app that is using the @azure/msal package. If I want to support Safari, is there any plan to fix it in @azure/msal, or do we have to use the @azure/msal-browser package?

@thoo1 You should switch to @azure/msal-browser.
