
I want to send a domain_hint from Blazor Web Assembly (using Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440  #45468

Closed

Description

@szalapski

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Issue reference: https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl

domain_hint is an AuthenticationParameter of MSAL, which does not appear to be supported/exposed by the Microsoft.Authentication.WebAssembly.Msal package.

Here are related issues for other Authentication parameters:
extraQueryParameter: #25391 (#25391)
loginHint: #19877 (#19925)

I believe this issue was unfairly closed with the suggestion that we could customize our own msal.js library. This is not the case; msal.js supports domain hints, it is the .NET MSAL library that doesn't pass it through.

Describe the solution you'd like

I would hope that simply adding support for additional parameters, which will be passed through to MSAL.JS, would be easy to implement, test, and support. So in my client Program.cs, I could do:

WebAssemblyHostBuilder builder = WebAssemblyHostBuilder.CreateDefault(args);
...
builder.Services.AddMsalAuthentication(options =>
{
    ...
    options.ProviderOptions.AddAdditionalProviderParameter("domain_hint", "mydomain.com");
});

Alternatively, it would be acceptable to add explicit parameters for DomainHint and LoginHint.

    ...
    options.ProviderOptions.DomainHint = "mydomain.com";

Or is there some other way to do this that I am missing?

Activity

changed the title from "Unable to send a domain_hint from Blazor Web Assembly (using MSAL JS via Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440" to "I want to send a domain_hint from Blazor Web Assembly (using MSAL JS via Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440" on Dec 5, 2022
changed the title from "I want to send a domain_hint from Blazor Web Assembly (using MSAL JS via Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440" to "I want to send a domain_hint from Blazor Web Assembly (using Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440" on Dec 5, 2022
TanayParikh

TanayParikh commented on Dec 5, 2022

@TanayParikh
Contributor

Hey @szalapski, thanks for reaching out. This may be related to #44973 / #44854.

Can you please try out #44854 (comment)?

added the label "Needs: Author Feedback" (The author of this issue needs to respond in order for us to continue investigating this issue.) on Dec 5, 2022
ghost

ghost commented on Dec 5, 2022

@ghost

Hi @szalapski. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

szalapski

szalapski commented on Dec 6, 2022

@szalapski
Author

@TanayParikh, thanks for the response. As instructed, I have added the TrimmerRootDescriptor.xml to the root of my Client project, and added the TrimmerRootDescriptor inside a new ItemGroup in my client's .csproj file. I then call this to start sign-in:

private void NavigateToLogin()
{
    var requestOptions = new InteractiveRequestOptions()
    {
        Interaction = InteractionType.SignIn,
        ReturnUrl = Navigation.Uri
    };

    requestOptions.TryAddAdditionalParameter("domain_hint", "mydomain.com");
    Navigation.NavigateToLogin(Options.Get(DefaultOptionName).AuthenticationPaths.LogInPath, requestOptions);
}

No change: still asked to "Pick an account" when signing in via OIDC to Active Directory, even though the only account it knows about is the one that matches mydomain.com.

I am on .NET SDK 7.0.100 and package Microsoft.AspNetCore.Components.WebAssembly.Authentication v 7.0.0.

Any further ideas?

ghost added the label "Needs: Attention 👋" (This issue needs the attention of a contributor, typically because the OP has provided an update.) on Dec 6, 2022
ghost removed the label "Needs: Author Feedback" (The author of this issue needs to respond in order for us to continue investigating this issue.) on Dec 6, 2022
removed the label "Needs: Attention 👋" (This issue needs the attention of a contributor, typically because the OP has provided an update.) on Dec 6, 2022
javiercn

javiercn commented on Dec 12, 2022

@javiercn
Member

@szalapski can you turn on the logs to trace level on your webassembly app? You should be able to see the exact request object being passed down to msal-browser.

szalapski

szalapski commented on Dec 12, 2022

@szalapski
Author

Thanks for the reply, @javiercn -- I got the following. Is there anything wrong with it? If not, any idea why Azure AD's login doesn't take the hint?

trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn: {"url":null,"state":{"returnUrl":"/"},"interactiveRequest":{"returnUrl":"/","scopes":null,"interaction":"SignIn","additionalRequestParameters":{"domain_hint":"mydomain.com"}}} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn-Request: {"redirectUri":"https://localhost:5008/authentication/login-callback","state":"d7221a02-3cbc-4f38-a7d1-guidredacted","domain_hint":"mydomain.com","scopes":["9e32b5ae-f519-4632-850e-guidredacted/user_impersonation"]} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
dbug: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      Starting sign-in pop-up

Below is the URI that it opens in a popup to start login--shouldn't I expect to see the domain hint in here?

https://login.microsoftonline.com/0c33cce8-883c-4ba5-b615-guidredacted/oauth2/v2.0/authorize?client_id=9e32b5ae-f519-4632-850e-guidredacted&scope=9e32b5ae-f519-4632-850e-guidredacted/user_impersonation openid profile offline_access&redirect_uri=https://localhost:5008/authentication/login-callback&client-request-id=62e3f911-01c6-48be-b4d9-guidredacted&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.28.3&client_info=1&code_challenge=rExM--OqtAlMstringRedactedfcOQ&code_challenge_method=S256&nonce=ab1b920b-4a3a-477b-8214-guidredacted&state=eyJpZstringRedactedstringRedactedstringRedactedstringRedactedstringRedactedstringRedacted34e7

javiercn

javiercn commented on Dec 12, 2022

@javiercn
Member

@szalapski I am not sure about the specific way to achieve this in MSAL, my guess is that you are likely not passing the correct parameter downstream. If you want to know for sure, you can put a breakpoint on the JS right before the call to sign-in in MSAL and inspect that the values are what you expect.

What you see in the trace is literally what gets passed to msal-browser here

szalapski

szalapski commented on Dec 12, 2022

@szalapski
Author

By this doc as well as this one and this one and this answer, the additional parameter needed is indeed domain_hint. But as noted above, this does not seem to result in domain_hint being added to the querystring sent to authorize.

I don't see where to put a breakpoint, as the code you showed me is regular TypeScript, but the code my browser sees is minified JavaScript. In any case, it doesn't seem necessary, as it seems that the signIn-Request object is correct but what MSAL does resulting in a call to authorize has the wrong query string.

Any other ideas?

javiercn

javiercn commented on Dec 12, 2022

@javiercn
Member

@szalapski I would suggest trying to achieve this in a simpler repro that you can tweak with msal.js without going through Blazor. I do not know the specifics of how this is achieved in msal-browser; all I can tell is that the parameters you are passing in from .NET seem to be passed down to the msal call. If that does not result in the behavior you expect, I can't tell if it is because the parameter you are using is not correct or because there is a bug in msal-browser.

javiercn

javiercn commented on Dec 12, 2022

@javiercn
Member

@szalapski I took another look, I think you should use "domainHint" and not "domain_hint" as per https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_browser.html#redirectrequest

If you still have issues after that, please let us know. I've created an issue to bring more clarity in the docs about this scenario.

szalapski

szalapski commented on Dec 12, 2022

@szalapski
Author

That's the ticket. Wow, what a surprise. Every other document refers to "domain_hint". Thank you very much, would never have figured it out otherwise.
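The working form of the sign-in method, as an added example that is not code from the issue thread or the aspnetcore project. It assumes the same setup the thread describes (the TrimmerRootDescriptor change from #44854 so additional parameters survive trimming, and "mydomain.com" as a placeholder tenant domain), and uses the camelCase key msal-browser actually reads, "domainHint", instead of the OIDC wire name "domain_hint" that the trace showed being passed through and then ignored.

```csharp
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Authentication.WebAssembly.Msal.Models;
using Microsoft.Extensions.Options;

// Added example (not from the issue thread): code-behind for a Blazor WebAssembly component.
public partial class LoginRedirect : ComponentBase
{
    [Inject] private NavigationManager Navigation { get; set; } = default!;
    [Inject] private IOptionsSnapshot<RemoteAuthenticationOptions<MsalProviderOptions>> Options { get; set; } = default!;

    // msal-browser reads request properties by their TypeScript names (RedirectRequest.domainHint),
    // so the key must be "domainHint". "domain_hint" is the query-parameter name the *server*
    // expects; passed here it reaches msal-browser unchanged and is silently dropped, which is
    // why the thread's authorize URL never contained it.
    private const string DomainHintKey = "domainHint";

    // Placeholder for the tenant's verified domain; use the real domain in your app.
    private const string TenantDomain = "mydomain.com";

    private void NavigateToLogin()
    {
        var requestOptions = new InteractiveRequestOptions
        {
            Interaction = InteractionType.SignIn,
            ReturnUrl = Navigation.Uri,
        };

        // TryAddAdditionalParameter returns false only if the key is already present; fail loudly
        // rather than sign in with a hint other than the one this code meant to send.
        if (!requestOptions.TryAddAdditionalParameter(DomainHintKey, TenantDomain))
        {
            throw new InvalidOperationException($"'{DomainHintKey}' was already set on the request.");
        }

        Navigation.NavigateToLogin(Options.Value.AuthenticationPaths.LogInPath, requestOptions);
    }
}
```

With trace logging on, the signIn-Request line should now carry "domainHint":"mydomain.com", and the authorize URL opened in the pop-up should contain domain_hint=mydomain.com.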

ghost locked as resolved and limited conversation to collaborators on Jan 11, 2023