
[BUG] TeamsMsal2Provider - unable to determine if sso token exchange failed

Open ebclark2 opened this issue 4 years ago • 9 comments

Describe the bug

TeamsMsal2Provider uncaught (promise) from constructor when ssourl configured when ssourl call fails. When constructing TeamsMsal2Provider it calls async internalLogin() if ssoUrl is configured. Exceptions from internalLogin are not handled. Is there a way to determine authentication failed? I am resorting to window.addEventListener('unhandledrejection', ...).

To Reproduce

Steps to reproduce the behavior:

    let config: TeamsMsal2Config = {
      // <Some valid configuration>
      ssoUrl: "https://some.url.that.will.fail/",
    };
    const teamsMsal2Provider = new TeamsMsal2Provider(config);

Expected behavior

I'd like to be notified authentication failed.


Environment (please complete the following information):

  • OS: Windows 10
  • Browser chrome
  • Framework react
  • Context Microsoft Teams
  • Version 2.3.1
  • Provider TeamsMsal2Provider

ebclark2 avatar Jan 13 '22 03:01 ebclark2
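
The failure mode reported above, as an added example that is not part of the original issue and is not the toolkit's own code: a constructor that drops the promise from an async login next to one that turns a rejection into explicit state and a callback, so the app can fail closed. `exchangeToken`, both class names, the `onLoginFailed` callback, the `ready` property and the plain-string states are assumptions made for this sketch.

```javascript
// Hypothetical stand-in for the backend token exchange (not a toolkit API).
// Constructed behaviour: any URL containing "will.fail" rejects.
async function exchangeToken(ssoUrl) {
  if (ssoUrl.includes("will.fail")) {
    throw new Error("SSO token exchange failed");
  }
  return "constructed-token";
}

// Pattern described in the report: the promise from internalLogin() is dropped,
// so a failure surfaces only as a global unhandled rejection.
class FireAndForgetProvider {
  constructor(config) {
    this.state = "Loading";
    if (config.ssoUrl) this.internalLogin(config.ssoUrl); // rejection is lost
  }
  async internalLogin(ssoUrl) {
    this.token = await exchangeToken(ssoUrl);
    this.state = "SignedIn";
  }
}

// Alternative: keep the promise, convert a rejection into explicit state, and
// notify the caller so the UI does not stay in "Loading" after a failed login.
class ObservableProvider {
  constructor(config, onLoginFailed) {
    this.state = "Loading";
    this.error = null;
    this.ready = config.ssoUrl
      ? this.internalLogin(config.ssoUrl).catch((err) => {
          this.state = "SignedOut";
          this.error = err;
          if (onLoginFailed) onLoginFailed(err);
        })
      : Promise.resolve();
  }
  async internalLogin(ssoUrl) {
    this.token = await exchangeToken(ssoUrl);
    this.state = "SignedIn";
  }
}
```

Awaiting `ready` never rejects in the second class; callers inspect `state` and `error` or use the callback.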

Hello ebclark2, thank you for opening an issue with us!

I have automatically added a "needs triage" label to help get things started. Our team will analyze and investigate the issue, and escalate it to the relevant team if possible. Other community members may also look into the issue and provide feedback 🙌

ghost avatar Jan 13 '22 03:01 ghost

Can you clarify what is a SSO call failure? Is it that the service doesn't respond? We'd love to know more about the scenario! Thanks!

sebastienlevert avatar Jan 27 '22 17:01 sebastienlevert

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

ghost avatar Jan 31 '22 19:01 ghost

Apologies, I evidently wasn't set up to get a notification for responses. Can this be reopened?

In the TeamsMSAL2Provider library I provide an ssoUrl in the configuration, which is used for token exchange/validation. This call can fail because the backend service is down, or maybe validation fails because the app registration is configured for single tenant auth and the user is from another tenant.

ebclark2 avatar Feb 08 '22 16:02 ebclark2

Absolutely @ebclark2! Are you passing the token from the backend service to the client or are you handling the Graph calls from the backend? When reading a little bit more into the Microsoft Identity platform, it becomes clear that issuing tokens on the backend should prevent sending them to another party (your client). Reference Maybe the ProxyProvider would be better suited for your use case?

sebastienlevert avatar Feb 08 '22 22:02 sebastienlevert

Here is the example I have used. https://docs.microsoft.com/en-us/graph/toolkit/get-started/build-a-microsoft-teams-sso-tab?tabs=unpkg%2CHTML

Is this okay to use? If so, my concern is with the user experience when the backend component in the example is down.

It is true I am only authenticating to make graph calls. Is it better to use the ProxyProvider in this case?

Thanks! Ed

ebclark2 avatar Feb 08 '22 22:02 ebclark2

This is definitely a valid scenario! When the backend service is working, is it working like it should? We'll be looking at catching this error but I want to make sure you have a happy path when your backend service responds OK! Thanks!

sebastienlevert avatar Feb 10 '22 15:02 sebastienlevert

That sounds great, thanks. It works great when all goes well, and the user is allowed.

ebclark2 avatar Feb 10 '22 16:02 ebclark2

Hey @sebastienlevert any updates on this? We also would like to gracefully handle the exception in SSO using TeamsMSALProvider

sadviramana avatar May 04 '22 11:05 sadviramana

Closing as this provider is deprecated and should no longer be used

gavinbarron avatar Jul 17 '23 18:07 gavinbarron