Microsoft-authentication-library-for-js: Safari on iOS: acquireTokenSilent never completes

Created on 6 Mar 2020  ·  4 Comments  ·  Source: AzureAD/microsoft-authentication-library-for-js

Library

Framework

React 16.12.0

Description

In iOS Safari, acquireTokenSilent does not complete. No result is ever processed, no error is caught.

Security

No

Regression

No

Configuration

import { UserAgentApplication } from "msal";

// B2C authority: instance + tenant + sign-in policy
var instance = 'https://login.microsoftonline.com/tfp/';
var tenant = 'nssapp.onmicrosoft.com';
var signInPolicy = 'B2C_1_signup_signin_v2';
var authority = `${instance}${tenant}/${signInPolicy}`;

export const msalApp = new UserAgentApplication({
    auth: {
        clientId: "abcdabcd-643f-4914-9a04-dff4097879fb",
        authority: authority,
        validateAuthority: true,
        postLogoutRedirectUri: window.location.origin,
        navigateToLoginRequestUrl: false
    },
    cache: {
        cacheLocation: "sessionStorage",
        storeAuthStateInCookie: isIE()
    },
    system: {
        navigateFrameWait: 0,
        logger: {
            error: console.error,
            errorPii: console.error,
            info: console.log,
            infoPii: console.log,
            verbose: console.log,
            verbosePii: console.log,
            warning: console.warn,
            warningPii: console.warn
        }
    }
});

Reproduction steps

Uses Azure B2C. Flow is the provided b2c_1_signup_signin_v2.

  1. Check for presence of account with msalApp.getAccount();
  2. If account is present, call acquireTokenSilent with user_impersonation scope
  3. Wait for the promise returned to complete, or catch(...) to receive an error. Neither occurs.**

** This is not entirely true. An error is never received. Occasionally, the promise does complete, and the object passed in has a valid accessToken. After this point, the app continues to run fine. The frequency of this is very low.

Expected behavior

On other browsers, acquireTokenSilent always seems to complete fine, and the result includes a valid accessToken that is accepted by the target API.

Browsers

Fault occurs on:

  • Safari on iOS, iPad OS
  • iOS: 13.3.1
  • iPadOS: 13.3

Fault does not occur on:

  • Safari on MacOS Mojave
  • Chrome, Edge, Firefox on Windows

Notes

Behavior is the same whether cross-site tracking prevention is turned on or off.
Delaying the calls mentioned in the reproduction steps seems to have no noticeable effect on the behavior.

My experience in js/react/... is very limited, so I could be doing something pretty silly. However, this does work fine in other browsers I've tried. A user reported a similar-looking issue in Chrome on Windows once, but I haven't been able to reproduce that. Could be related.

I looked over similar issues and tried a few things suggested, but the behavior didn't change, and it didn't seem like any were identical to my issue.

Could https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/1354 be a fix?

Logs

[Log] renewing accesstoken (2.1114f352.chunk.js, line 2)
[Log] renewToken is called for scope:https://nssapp.onmicrosoft.com/nssreactapi/user_impersonation (2.1114f352.chunk.js, line 2)
[Log] Add msal frame to document:msalRenewFramehttps://nssapp.onmicrosoft.com/nssreactapi/user_impersonation (2.1114f352.chunk.js, line 2)
[Log] Renew token Expected state: aa28b938-c0e8-427b-9e53-0de3a4ac791c (2.1114f352.chunk.js, line 2)
[Log] Navigate to:https://login.microsoftonline.com/te/nssapp.onmicrosoft.com/b2c_1_signup_signin_v2/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2Fnssapp.onmicrosoft.com%2Fnssreactapi%2Fuser_impersonation%20openid%20profile&client_id=abcdabcd-643f-4914-9a04-dff4097879fb&redirect_uri=https%3A%2F%2Fapp.nss.network%2F&state=aa28b938-c0e8-427b-9e53-0de3a4ac791c&nonce=c52296a9-0915-4e79-b7b4-536444310d2b&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.1&login_req=0380f6d1-69a8-4970-afd4-eda0e28952dd-b2c_1_signup_signin_v2&domain_req=34f8bf94-6258-4891-b74e-4578c7d7ad23&domain_hint=organizations&client-request-id=ee20e51e-ea95-4c77-b54c-8da9b51e46a3&prompt=none&response_mode=fragment (2.1114f352.chunk.js, line 2)
[Log] Set loading state to pending for: https://nssapp.onmicrosoft.com/nssreactapi/user_impersonation:aa28b938-c0e8-427b-9e53-0de3a4ac791c (2.1114f352.chunk.js, line 2)
[Log] LoadFrame: msalRenewFramehttps://nssapp.onmicrosoft.com/nssreactapi/user_impersonation (2.1114f352.chunk.js, line 2)
[Log] Add msal frame to document:msalRenewFramehttps://nssapp.onmicrosoft.com/nssreactapi/user_impersonation (2.1114f352.chunk.js, line 2)
[Log] Frame Name : msalRenewFramehttps://nssapp.onmicrosoft.com/nssreactapi/user_impersonation Navigated to: https://login.microsoftonline.com/te/nssapp.onmicrosoft.com/b2c_1_signup_signin_v2/oauth2/v2.0/authorize?response_type=token&scope=https%3A%2F%2Fnssapp.onmicrosoft.com%2Fnssreactapi%2Fuser_impersonation%20openid%20profile&client_id=abcdabcd-643f-4914-9a04-dff4097879fb&redirect_uri=https%3A%2F%2Fapp.nss.network%2F&state=aa28b938-c0e8-427b-9e53-0de3a4ac791c&nonce=c52296a9-0915-4e79-b7b4-536444310d2b&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.1&login_req=0380f6d1-69a8-4970-afd4-eda0e28952dd-b2c_1_signup_signin_v2&domain_req=34f8bf94-6258-4891-b74e-4578c7d7ad23&domain_hint=organizations&client-request-id=ee20e51e-ea95-4c77-b54c-8da9b51e46a3&prompt=none&response_mode=fragment (2.1114f352.chunk.js, line 2)

bug
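
The reproduction steps in the report above, wrapped in a watchdog so that a silent renewal that never settles becomes an explicit outcome. This is an added example, not code from the issue or from MSAL.js; the helper names, the outcome strings, the 10-second default and the stub clients are assumptions, while `getAccount` and `acquireTokenSilent` are the calls named in the report.

```javascript
// Added example: watchdog around MSAL.js 1.x acquireTokenSilent.
// `client` is any object exposing getAccount() and acquireTokenSilent(request),
// as UserAgentApplication does. Timeout value and outcome names are assumptions.
const SILENT_TIMEOUT = Symbol("silent-timeout");

function withTimeout(promise, ms) {
    let timer;
    const timeout = new Promise((resolve) => {
        timer = setTimeout(() => resolve(SILENT_TIMEOUT), ms);
    });
    // Whichever settles first wins; always clear the timer so it cannot leak.
    return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

async function acquireTokenWithWatchdog(client, request, timeoutMs = 10000) {
    if (!client.getAccount()) {
        return { outcome: "no-account" };            // step 1: nothing to renew
    }
    let result;
    try {
        result = await withTimeout(client.acquireTokenSilent(request), timeoutMs);
    } catch (error) {
        return { outcome: "error", error };          // ordinary failure path
    }
    if (result === SILENT_TIMEOUT) {
        // The case in this report: the promise neither resolved nor rejected.
        return { outcome: "timeout" };
    }
    return { outcome: "token", accessToken: result.accessToken };
}

// Constructed stand-ins for UserAgentApplication, used only to exercise the paths.
const hangingClient = {
    getAccount: () => ({ name: "constructed-user" }),
    acquireTokenSilent: () => new Promise(() => {}), // never settles
};
const workingClient = {
    getAccount: () => ({ name: "constructed-user" }),
    acquireTokenSilent: async () => ({ accessToken: "constructed-token" }),
};
const request = {
    scopes: ["https://nssapp.onmicrosoft.com/nssreactapi/user_impersonation"],
};

acquireTokenWithWatchdog(hangingClient, request, 50)
    .then((r) => console.log("hanging client:", r.outcome));
acquireTokenWithWatchdog(workingClient, request, 50)
    .then((r) => console.log("working client:", r.outcome));
```

On a `timeout` outcome the caller can log the event and fall back to an interactive sign-in instead of leaving the UI waiting indefinitely.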

All 4 comments

@tragdorvigani1 Yes, I believe #1354 should fix this. Working to have that released soon.

@jasonnutter Thanks! [Is there some way I can register for a notification for that release? If it'll take a while I could try patching the changes myself, to find out whether it solves the issue.] - never mind, it's pretty obvious I can watch that topic if I actually have a look on the page...

The fix for this is available in [email protected], please try that version and confirm that it has been fixed, thanks!

Hi @jasonnutter - just a note to say that this is fixed, also confirmed in 1.3.0. Thanks!
