Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Login via a bookmark leads to the unexpected behavior #7338

Closed
2 tasks
gauert-dasgip opened this issue Sep 25, 2024 · 1 comment
Closed
2 tasks

Login via a bookmark leads to the unexpected behavior #7338

gauert-dasgip opened this issue Sep 25, 2024 · 1 comment
Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@gauert-dasgip
Copy link

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.1.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

2.0.3

Public or Confidential Client?

Public

Description

If a user sets a bookmark on AAD B2C login page, it leads to problems with the login.
The following scenario:

User A logs in: clicks the login button, is redirected to the login screen, enters his data and is successfully logged in und is redirected back to the application then closes the browser without logging out.

User B opens the browser and navigates directly via bookmark to the login screen, enters his data and is successfully logged in, is redirected back to the application and ends up in the session of user A.

It is not about protecting the session of user A, as you can also use the session of user A without logging in by simply opening the application, as user A has not logged out, but to prevent the error situation that user B accidentally and unknowingly uses the session of user A.

It would be helpful to be able to intercept and handle the unexpected redirect somehow.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferrably Fiddler)

  • Sent
  • Pending

MSAL Configuration

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-react-samples/b2c-sample/src/authConfig.js without any change

Relevant Code Snippets

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples/b2c-sample/src without any change

Reproduction Steps

  1. Start b2c-sample from msal-react-samples as described in readme.
  2. Click Sign in using redirect
  3. Set a bookmark
  4. Log in with user A
  5. Expected: Redirect to the application and claims from user A are displayed
  6. Close the browser without logging out
  7. Open the browser
  8. Use bookmark from step 3 to get to the login screen
  9. Log in with user B
  10. Expected: Redirect to the application and claims from user B are displayed or there is an error
  11. Actual: Redirect to the application and claims from user A are displayed

Expected Behavior

I would have expected there to be an event for the unexpected redirect (state and nonce unknown), like the login failed event.

Identity Provider

Azure B2C Basic Policy

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

External (Customer)
@gauert-dasgip gauert-dasgip added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Sep 25, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Sep 25, 2024
@github-actions github-actions bot added b2c Related to Azure B2C library-specific issues msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications labels Sep 25, 2024
@tnorling
Copy link
Collaborator

tnorling commented Oct 1, 2024

This is expected behavior, the login must begin from the app attempting to login as there are ephemeral request artifacts that need to be generated for each distinct login request. Bookmarking and returning to a previous login url is not supported.

@tnorling tnorling closed this as completed Oct 1, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tnorling @gauert-dasgip