Mac Outlook; msal acquireTokenInteractive() called via acquireTokenPopup() prompts but then fails with no useful error #7498

Open
2 tasks
thoffmann-fms opened this issue Jan 9, 2025 · 5 comments
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@thoffmann-fms

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.28.0

Wrapper Library

Not Applicable

Wrapper Library Version

none

Public or Confidential Client?

Public

Description

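      import {
        createNestablePublicClientApplication,
        IPublicClientApplication,
        PopupRequest,
        SilentRequest,
      } from "@azure/msal-browser";

      // clientIdResponse is obtained elsewhere in the add-in (not shown in the issue).
      const pca: IPublicClientApplication = await createNestablePublicClientApplication({
        auth: {
          clientId: clientIdResponse.data,
          authority: "https://login.microsoftonline.com/common",
        },
      });

      // Declared in the report but not used by the popup call below.
      const tokenRequest: SilentRequest = {
        scopes: ["openid"],
      };
      // Interactive request: on Mac Outlook this prompts, then rejects.
      const pur: PopupRequest = { scopes: ["openid"] };
      const xx = await pca.acquireTokenPopup(pur);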

User is prompted for credentials but then acquireTokenInteractive() aborts at const response = await this.bridgeProxy.getTokenInteractive(naaRequest); with error {status: "PERSISTENT_ERROR"} and no other information.

class AuthError extends Error {
    constructor(errorCode, errorMessage, suberror) {
        const errorString = errorMessage
            ? `${errorCode}: ${errorMessage}`
            : errorCode;
        super(errorString);
        Object.setPrototypeOf(this, AuthError.prototype);
        this.errorCode = errorCode || Constants.EMPTY_STRING;
        this.errorMessage = errorMessage || Constants.EMPTY_STRING;
        this.subError = suberror || Constants.EMPTY_STRING;
        this.name = "AuthError";

Has no information, all fields are undefined/blank.

This same code works fine on Windows Outlook and Windows OWA (Edge, Chrome) and Mac OWA (Safari).

Error Message

{status: "PERSISTENT_ERROR"}

MSAL Logs

[Info] [Thu, 09 Jan 2025 14:43:58 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true (taskpane.js, line 99967)
[Log] [Thu, 09 Jan 2025 14:43:58 GMT] : [] : @azure/[email protected] : Trace - getAccount called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:44:07 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called (taskpane.js, line 99976)
[Debug] [Thu, 09 Jan 2025 14:44:07 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found (taskpane.js, line 99970)
[Debug] [Thu, 09 Jan 2025 14:44:07 GMT] : [] : @azure/[email protected] : Verbose - getAccount: No matching account found, returning null (taskpane.js, line 99970)
[Debug] [Thu, 09 Jan 2025 14:44:07 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: No account passed, active account not set (taskpane.js, line 99970)
[Info] ~9:44:07 AM; GetMSALIdTokenAsync (taskpane.js, line 99612)
  request popup

[Error] ServerError
AuthError — msal-browser.cjs:364
ServerError — msal-browser.cjs:6186
fromBridgeError — msal-browser.cjs:17512
(anonymous function) — msal-browser.cjs:17682

	(anonymous function) (taskpane.js:100003)
	step (taskpane.js:99691)
	rejected (taskpane.js:99664)
	invokeCallback (taskpane.js:49648)
	publish (taskpane.js:49631)
	publishRejection (taskpane.js:49572)
	flush (taskpane.js:49368)

Log from OWA/Safari:

[Info] [Thu, 09 Jan 2025 14:48:51 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true (taskpane.js, line 99967)
[Info] ~9:48:51 AM; GetMSALIdTokenAsync (taskpane.js, line 99612)
  request popup

[Info] Successfully preconnected to https://login.microsoftonline.com/ (x3)
[Debug] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Verbose - hydrateCache called (taskpane.js, line 99970)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setAccount called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.addAccountKeyToMap called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called (taskpane.js, line 99976)
[Debug] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found (taskpane.js, line 99970)
[Debug] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.addAccountKeyToMap account key added (taskpane.js, line 99970)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setIdTokenCredential called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called (taskpane.js, line 99976)
[Debug] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getTokenKeys - No token keys found (taskpane.js, line 99970)
[Info] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - idToken added to map (taskpane.js, line 99967)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setAccessTokenCredential called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called (taskpane.js, line 99976)
[Log] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called (taskpane.js, line 99976)
[Info] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - accessToken added to map (taskpane.js, line 99967)
[Debug] [Thu, 09 Jan 2025 14:48:52 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: Active account set (taskpane.js, line 99970)
[Info] ~9:48:52 AM; GetMSALIdTokenAsync (taskpane.js, line 99612)
  got popup 

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

const pca: IPublicClientApplication = await createNestablePublicClientApplication({
        auth: {
          clientId: clientIdResponse.data,
          authority: "https://login.microsoftonline.com/common",
        },
      });

Relevant Code Snippets

async acquireTokenInteractive(request) {
        const validRequest = this.ensureValidRequest(request);
        this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, exports.InteractionType.Popup, validRequest);
        const atPopupMeasurement = this.performanceClient.startMeasurement(PerformanceEvents.AcquireTokenPopup, validRequest.correlationId);
        atPopupMeasurement?.add({ nestedAppAuthRequest: true });
        try {
            const naaRequest = this.nestedAppAuthAdapter.toNaaTokenRequest(validRequest);
            const reqTimestamp = nowSeconds();
            const response = await this.bridgeProxy.getTokenInteractive(naaRequest);
            const result = {
                ...this.nestedAppAuthAdapter.fromNaaTokenResponse(naaRequest, response, reqTimestamp),
            };
            // cache the tokens in the response
            await this.hydrateCache(result, request);
            this.browserStorage.setActiveAccount(result.account);
            this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_SUCCESS, exports.InteractionType.Popup, result);
            atPopupMeasurement.add({
                accessTokenSize: result.accessToken.length,
                idTokenSize: result.idToken.length,
            });
            atPopupMeasurement.end({
                success: true,
                requestId: result.requestId,
            });
            return result;
        }
        catch (e) {
            const error = this.nestedAppAuthAdapter.fromBridgeError(e);
            this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_FAILURE, exports.InteractionType.Popup, null, e);
            atPopupMeasurement.end({

Reproduction Steps

Execute the above in Mac Outlook.

Expected Behavior

Mac Outlook should provide a Token.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Other

Regression

n/a

@thoffmann-fms
Author

MSAL log from Windows Outlook:

[Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - getAccount called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called
DebugLog.ts:19 ~10:07:06 AM; GetMSALIdTokenAsync
  request popup
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setAccount called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.addAccountKeyToMap called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setIdTokenCredential called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
OfficeInterface.ts:272 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - idToken added to map
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setAccessTokenCredential called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called
OfficeInterface.ts:281 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
OfficeInterface.ts:272 [Thu, 09 Jan 2025 15:07:06 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - accessToken added to map
DebugLog.ts:19 ~10:07:06 AM; GetMSALIdTokenAsync
  got popup 

@thoffmann-fms
Author

Also I see that getAccountByUsername() returns null with a similar set of errors about missing Account Keys.

[Info] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true (taskpane.js, line 99953)
[Log] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Trace - getAccount called (taskpane.js, line 99962)
[Log] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called (taskpane.js, line 99962)
[Debug] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found (taskpane.js, line 99956)
[Debug] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Verbose - getAccount: No matching account found, returning null (taskpane.js, line 99956)
[Debug] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: No account passed, active account not set (taskpane.js, line 99956)
[Log] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Trace - getAccountByUsername called (taskpane.js, line 99962)
[Log] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called (taskpane.js, line 99962)
[Debug] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found (taskpane.js, line 99956)
[Debug] [Thu, 09 Jan 2025 21:16:04 GMT] : [] : @azure/[email protected] : Verbose - getAccountByUsername: No matching account found, returning null (taskpane.js, line 99956)

@sameerag
Member

@thoffmann-fms Are you a host app? Why are you using to and fro conversion APIs for NAA? It is expected for you to use only the acquireToken APIs and the naa application to take care of everything else. Did you reference your code from any public docs?

@thoffmann-fms
Author

thoffmann-fms commented Jan 13, 2025

This is an Outlook add-in and I'm migrating away from EWSToken to an ID token. It was suggested that I change the scopes to be User.Read rather than just openid, but that doesn't change the Mac Outlook behavior.

I'm just requesting an ID Token via createNestablePublicClientApplication. My code then calls pca.ssoSilent to silently get a token and if that fails it calls Popup. Both methods are failing in BrowserCacheManager (somewhere in the MSAL runtime) related to the GetAccountKeys process.
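
Added example, not part of the thread and not MSAL's own code: the ssoSilent-then-popup flow described in the comment above, with a helper that records whatever a rejected call carries, including an AuthError whose fields are blank or a bare `{status: "PERSISTENT_ERROR"}` object. `acquireIdToken` and `describeAuthError` are hypothetical names, and `pca` is assumed to be any object exposing `ssoSilent()` and `acquireTokenPopup()`.

```javascript
// Added example (hypothetical helper names). `pca` is assumed to expose
// ssoSilent() and acquireTokenPopup(), as a nestable public client does.

// Fields an MSAL AuthError can carry, plus the bare `status` from the bridge error.
const ERROR_FIELDS = ["name", "errorCode", "errorMessage", "subError",
                      "correlationId", "status", "message"];

// Flatten a rejection into a loggable record. Blank strings become "<empty>"
// so a hollow AuthError is distinguishable from a field that is absent.
function describeAuthError(err, stage) {
  const record = { stage };
  for (const field of ERROR_FIELDS) {
    const value = err == null ? undefined : err[field];
    if (value === undefined) continue;
    record[field] = value === "" ? "<empty>" : String(value);
  }
  // "hollow" = no usable errorCode, the situation reported on Mac Outlook.
  record.hollow = !record.errorCode || record.errorCode === "<empty>";
  return record;
}

// Try ssoSilent first, then fall back to the popup; keep one record per failure.
async function acquireIdToken(pca, request, log = console.warn) {
  const failures = [];
  const stages = [
    ["ssoSilent", () => pca.ssoSilent(request)],
    ["acquireTokenPopup", () => pca.acquireTokenPopup(request)],
  ];
  for (const [stage, call] of stages) {
    try {
      const result = await call();
      // Hand back only what the caller needs; token values are never logged.
      return { stage, idToken: result.idToken, account: result.account, failures };
    } catch (err) {
      const record = describeAuthError(err, stage);
      failures.push(record);
      log(JSON.stringify(record));
    }
  }
  const error = new Error(
    "Token acquisition failed at: " + failures.map((f) => f.stage).join(", "));
  error.failures = failures; // full diagnostics for the caller or a bug report
  throw error;
}
```

The `failures` array gives a per-stage record that can be attached to a report alongside the MSAL logs, without including any token material.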

@thoffmann-fms
Author

Hello, can I get an update, please?
