Description
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
3.26.1
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
3.0.25
Public or Confidential Client?
Public
Description
When defining multiple API endpoints in the protectedResourceMap, the library incorrectly matches endpoints based on substring logic instead of an exact match. This causes conflicts when one endpoint is a substring of another.
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/Membership`, protectAll);
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/MembershipType`, null);
Expected Behavior:
/MembershipType should not inherit the configuration of /Membership.
Requests to /MembershipType should follow the configuration explicitly set for /MembershipType.
Actual Behavior:
Requests to /MembershipType are incorrectly matched to the configuration for /Membership due to prefix/substring matching.
This causes the MsalInterceptor to apply token acquisition rules incorrectly.
Temporary Solution I'm Using
Switching the order works:
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/MembershipType`, null);
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/Membership`, protectAll);
Error Message
No response
MSAL Logs
[Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getTokenKeys - No token keys found
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Event callback registered with id: 019320db-f872-7504-ac9e-55db95caf775
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - MSAL Interceptor activated
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Interceptor - getting scopes for endpoint
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Interceptor - no scopes for endpoint
core.mjs:30060 Angular is running in development mode.
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - MSAL Interceptor activated
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Interceptor - getting scopes for endpoint
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Warning - Interceptor - More than 1 matching scopes for endpoint found.
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - Interceptor - no active account, fallback to first account
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - getAllAccounts called
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Info - Interceptor - 2 scopes found for endpoint
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Info - Interceptor - [https://domain.onmicrosoft.com/dev/api/User.Read,https://domain.onmicrosoft.com/dev/api/User.Write] scopes found for https://localhost:7092/api/MembershipType
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [019320db-f999-7b7c-8a89-a9d1efc0b99c] : @azure/[email protected] : Verbose - acquireTokenSilent called
app.config.ts:32 [Tue, 12 Nov 2024 14:51:47 GMT] : [] : @azure/[email protected] : Error - Interceptor - acquireTokenSilent rejected with error. Invoking interaction to resolve.
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
{
  auth: {
    clientId: environment.adb2cConfig.clientId,
    authority: b2cPolicies.authorities.signIn.authority,
    knownAuthorities: [b2cPolicies.authorityDomain],
    redirectUri: '/',
    postLogoutRedirectUri: '/',
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage,
  },
  system: {
    allowNativeBroker: false,
    loggerOptions: {
      loggerCallback,
      logLevel: LogLevel.Verbose,
      piiLoggingEnabled: true,
    },
  },
}
Relevant Code Snippets
// Same scopes for every HTTP method; declared before it is used below.
const protectAll = [
  {
    httpMethod: 'GET',
    scopes: [...environment.adb2cConfig.scopeUrls],
  },
  {
    httpMethod: 'POST',
    scopes: [...environment.adb2cConfig.scopeUrls],
  },
  {
    httpMethod: 'PUT',
    scopes: [...environment.adb2cConfig.scopeUrls],
  },
  {
    httpMethod: 'DELETE',
    scopes: [...environment.adb2cConfig.scopeUrls],
  },
  {
    httpMethod: 'PATCH',
    scopes: [...environment.adb2cConfig.scopeUrls],
  },
];
// /Membership is registered first, so it also matches /MembershipType requests.
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/Membership`, protectAll);
protectedResourceMap.set(`${environment.adb2cConfig.apiEndpointUrl}/MembershipType`, null);
Reproduction Steps
- Define overlapping endpoints (/MembershipType and /Membership) in the protectedResourceMap with different configurations.
- Make a GET request to /MembershipType from the Angular app.
- Observe that the MsalInterceptor incorrectly matches the /MembershipType request to the /Membership configuration.
Expected Behavior
/MembershipType should not inherit the configuration of /Membership.
Requests to /MembershipType should follow the configuration explicitly set for /MembershipType.
Identity Provider
Azure B2C Basic Policy
Browsers Affected (Select all that apply)
Chrome, Firefox, Edge, Safari
Regression
No response
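
The order dependence described in this report, as an added example that is not part of the original issue and is not MSAL's own code. It assumes a simplified model (a key matches when it occurs anywhere in the request URL, and the first matching key wins) and compares it with a boundary-aware matcher; the function names and the abbreviated `protectAll` are hypothetical.

```javascript
// Added example: a model of the matching the issue reports, not MSAL source code.
const API = "https://localhost:7092/api"; // endpoint base taken from the issue's log
const protectAll = [{                     // abbreviated to one method for the example
  httpMethod: "GET",
  scopes: ["https://domain.onmicrosoft.com/dev/api/User.Read"],
}];

// Reported behaviour (assumed model): a key matches if it occurs anywhere in the URL.
function substringMatches(map, url) {
  return [...map.keys()].filter((key) => url.includes(key));
}

// Stricter alternative: the key must be followed by end-of-string, "/", "?" or "#".
function boundaryMatches(map, url) {
  return [...map.keys()].filter((key) => {
    if (!url.startsWith(key)) return false;
    const next = url.charAt(key.length);
    return next === "" || "/?#".includes(next);
  });
}

// First matching key in insertion order decides; undefined means no key matched.
function resolveFirst(map, url, matcher) {
  const matches = matcher(map, url);
  return matches.length === 0 ? undefined : map.get(matches[0]);
}

// Audit helper: list [shorter, longer] key pairs where one key contains the other.
function findOverlappingKeys(map) {
  const keys = [...map.keys()];
  return keys.flatMap((shorter) =>
    keys.filter((longer) => longer !== shorter && longer.includes(shorter))
        .map((longer) => [shorter, longer]));
}

// The two registration orders from the issue.
const asReported = new Map([
  [`${API}/Membership`, protectAll],
  [`${API}/MembershipType`, null],
]);
const workaround = new Map([...asReported].reverse());

const url = `${API}/MembershipType`;
console.log(substringMatches(asReported, url).length);        // both keys match
console.log(resolveFirst(asReported, url, substringMatches)); // protectAll is applied
console.log(resolveFirst(workaround, url, substringMatches)); // explicit null entry
console.log(resolveFirst(asReported, url, boundaryMatches));  // null in either order
console.log(findOverlappingKeys(asReported));
```

Running `findOverlappingKeys` over a real map at startup or in a unit test flags key pairs whose outcome depends on registration order.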