Description
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
3.26.1
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Public
Description
I am using the MSAL Browser npm library to implement authentication, leveraging the new NAA (Network Authentication Agent) feature. While it works as expected on Windows (Chrome and Outlook) and Mac (Chrome), I encountered an issue on the Mac Outlook desktop app. The issue persisted for 2 days but eventually resolved itself without any changes to the code or configuration.
Problem
When attempting to acquire a token silently using `acquireTokenSilent`, it failed. As a fallback, I executed `acquireTokenPopup`, which also failed.
This issue occurred specifically on the Mac Outlook desktop app, which has multiple accounts configured. The same setup works fine on Windows Outlook desktop app, Mac (Chrome), and Windows (Chrome).
Observations
- The issue does not occur on:
  - Chrome (Windows and Mac)
  - Windows Outlook desktop app
- Only affects the Mac Outlook desktop app.
- This setup includes multiple accounts in Outlook, which may be relevant to the issue.
Error Message
Additional Information
Error details (from the screenshot):
- Request ID: 5a97e1fc-77fa-41c1-b945-b1181dc9500
- Correlation ID: 01932303-6213-733f-a60d-76e57847a0b8
- Timestamp: 2024-11-12T11:47:39Z
- Message: AADSTS900054: Specified Broker Client ID does not match ID in provided grant.
MSAL Logs
No response
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
```typescript
const msalConfig: Configuration = {
  auth: {
    clientId: AppConfig.config.currentApp.msAppId,
    authority: "https://login.microsoftonline.com/common",
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage,
    cacheMigrationEnabled: true,
    storeAuthStateInCookie: true,
    secureCookies: true,
  },
};
```
Relevant Code Snippets
```typescript
import {
  AuthenticationResult,
  BrowserCacheLocation,
  CacheLookupPolicy,
  Configuration,
  IPublicClientApplication,
  createNestablePublicClientApplication,
  createStandardPublicClientApplication,
} from "@azure/msal-browser";

// Set elsewhere in the add-in: true when running inside a host that supports NAA.
declare const nestedApp: boolean;
// App settings (client ID, default scopes); defined elsewhere in the project.
declare const AppConfig: {
  config: { currentApp: { msAppId: string } };
  accessTokenScopes: string[];
};

class MsalService {
  private static _msalInstance: IPublicClientApplication | undefined;

  public static async initialize(): Promise<IPublicClientApplication> {
    if (!MsalService._msalInstance) {
      const msalConfig: Configuration = {
        auth: {
          clientId: AppConfig.config.currentApp.msAppId,
          authority: "https://login.microsoftonline.com/common",
        },
        cache: {
          cacheLocation: BrowserCacheLocation.LocalStorage,
          cacheMigrationEnabled: true,
          storeAuthStateInCookie: true,
          secureCookies: true,
        },
      };
      // In an NAA host the nestable client brokers tokens through the host
      // (Outlook here); otherwise fall back to the standard browser client.
      MsalService._msalInstance = nestedApp
        ? await createNestablePublicClientApplication(msalConfig)
        : await createStandardPublicClientApplication(msalConfig);
    }
    return MsalService._msalInstance;
  }

  // Defined elsewhere in the service (not included in the issue): the login
  // hint of the user the host is signed in as, and the dialog-based login
  // used outside NAA hosts.
  private static async getLoginHint(): Promise<string> {
    throw new Error("getLoginHint: not shown in the issue");
  }
  private static async openAddinLoginPopup(scopes: string[]): Promise<AuthenticationResult> {
    throw new Error(`openAddinLoginPopup(${scopes.join(" ")}): not shown in the issue`);
  }

  private static async getToken(_scopes?: Array<string>): Promise<AuthenticationResult> {
    const msalInstance = await MsalService.initialize();
    const loginHint = await MsalService.getLoginHint();
    const scopes = _scopes || AppConfig.accessTokenScopes;
    try {
      // No account is passed, so the silent call relies on the active account.
      const result = await msalInstance.acquireTokenSilent({
        scopes,
        cacheLookupPolicy: CacheLookupPolicy.Default,
      });
      if (result.account.username !== loginHint) {
        throw new Error("Force_Login");
      }
      return result;
    } catch (err) {
      // Any silent failure (including the AADSTS error reported above) falls
      // through to an interactive attempt; `err` itself is never logged.
      const authenticatePromise = !nestedApp
        ? MsalService.openAddinLoginPopup(scopes)
        : msalInstance.acquireTokenPopup({
            scopes,
            loginHint,
          });
      return authenticatePromise.then((result) => {
        msalInstance.setActiveAccount(result.account);
        return result;
      });
    }
  }
}
```
Reproduction Steps
Steps to Reproduce
- Set up MSAL Browser with NAA.
- Configure Outlook desktop app on Mac with multiple accounts.
- Attempt authentication:
  - Observe failure during `acquireTokenSilent`.
  - Observe failure during the fallback with `acquireTokenPopup`, leading to the error.
- Note: The issue resolved itself after 2 days without any code or configuration changes.
Expected Behavior
- Token acquisition should work seamlessly across all supported platforms, including the Mac Outlook desktop app.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
Other
Regression
No response
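The silent-then-interactive fallback from the snippet above, written out as an added example that is not part of this issue or of MSAL.js. It uses local stand-in types instead of importing `@azure/msal-browser`, a constructed fake client, and constructed sample accounts and errors (the AADSTS900054 message and correlation ID are the ones reported above). It shows two things the posted `getToken` does not: only interaction-required failures trigger the popup, while a server rejection of the grant is surfaced with its AADSTS code and correlation ID instead of being hidden behind a second attempt; and the returned account is checked against the expected one by `homeAccountId` when known, otherwise by a case-insensitive login-hint comparison. The error field names (`name`, `errorCode`, `errorMessage`, `correlationId`) and the `no_account_error` code follow MSAL.js; `fakeClient`, `demo`, `TokenAcquisitionError` and the sample data are this example's own.

```typescript
// Added example, not code from the issue or from MSAL.js. Models the
// "silent first, interactive fallback" flow against a minimal client
// interface so the decision logic runs without a broker or a host.

// Local stand-ins for the MSAL.js shapes used below (not imported).
interface Account { homeAccountId: string; username: string; }
interface AuthResult { account: Account; accessToken: string; }
interface TokenRequest { scopes: string[]; account?: Account; loginHint?: string; }
interface TokenClient {
  acquireTokenSilent(req: TokenRequest): Promise<AuthResult>;
  acquireTokenPopup(req: TokenRequest): Promise<AuthResult>;
}
// MSAL errors: errorCode is the OAuth `error` value, errorMessage the
// `error_description` (where AADSTS codes appear), name the error class.
interface AuthErrorLike { name: string; errorCode: string; errorMessage: string; correlationId?: string; }

class TokenAcquisitionError extends Error {
  constructor(
    readonly stage: "silent" | "interactive",
    readonly code: string | null,
    readonly correlationId: string | undefined,
    message: string,
  ) { super(message); this.name = "TokenAcquisitionError"; }
}

// Pull the AADSTS code out of error_description so it can be logged and asserted on.
function aadstsCode(err: AuthErrorLike): string | null {
  const m = /AADSTS(\d+)/.exec(err.errorMessage ?? "");
  return m ? `AADSTS${m[1]}` : null;
}

// Only failures a user can resolve should open the popup. A server-side
// rejection of the grant (such as AADSTS900054 above) is surfaced with its
// code and correlation ID rather than retried interactively.
function shouldFallBackToInteractive(err: AuthErrorLike): boolean {
  return err.name === "InteractionRequiredAuthError" || err.errorCode === "no_account_error";
}

// homeAccountId is the stable identifier; the UPN comparison is
// case-insensitive because login hints are frequently lower-cased.
function accountMatches(got: Account, loginHint: string, expected?: Account): boolean {
  if (expected) return got.homeAccountId === expected.homeAccountId;
  return got.username.toLowerCase() === loginHint.toLowerCase();
}

function wrap(stage: "silent" | "interactive", e: unknown): TokenAcquisitionError {
  const err = e as AuthErrorLike;
  return new TokenAcquisitionError(stage, aadstsCode(err), err.correlationId, err.errorMessage ?? String(e));
}

async function acquireToken(client: TokenClient, scopes: string[], loginHint: string, expected?: Account): Promise<AuthResult> {
  try {
    const silent = await client.acquireTokenSilent({ scopes, account: expected, loginHint });
    if (accountMatches(silent.account, loginHint, expected)) return silent;
    // The cache served a different account than the host expects: fall through to a fresh sign-in.
  } catch (e) {
    if (!shouldFallBackToInteractive(e as AuthErrorLike)) throw wrap("silent", e);
  }
  const result = await client.acquireTokenPopup({ scopes, loginHint }).catch((e: unknown) => { throw wrap("interactive", e); });
  if (!accountMatches(result.account, loginHint, expected)) {
    throw new TokenAcquisitionError("interactive", null, undefined, `signed in as ${result.account.username}, expected ${loginHint}`);
  }
  return result;
}

// Constructed fake standing in for PublicClientApplication; `silent` and `popup` script each call.
function fakeClient(silent: () => Promise<AuthResult>, popup: () => Promise<AuthResult>): TokenClient {
  return { acquireTokenSilent: silent, acquireTokenPopup: popup };
}

// Constructed sample data: one account and the two error shapes discussed above.
const alice: Account = { homeAccountId: "uid.tid", username: "Alice@contoso.example" };
const okResult: AuthResult = { account: alice, accessToken: "constructed-token" };
const interactionRequired: AuthErrorLike = { name: "InteractionRequiredAuthError", errorCode: "interaction_required", errorMessage: "interaction required" };
const brokerMismatch: AuthErrorLike = {
  name: "ServerError", errorCode: "invalid_grant",
  errorMessage: "AADSTS900054: Specified Broker Client ID does not match ID in provided grant.",
  correlationId: "01932303-6213-733f-a60d-76e57847a0b8", // the correlation ID reported in the issue
};

// Walk both paths and return a summary of what happened.
async function demo(): Promise<string[]> {
  const out: string[] = [];
  const recovered = await acquireToken(fakeClient(() => Promise.reject(interactionRequired), () => Promise.resolve(okResult)), ["User.Read"], "alice@contoso.example");
  out.push(`recovered via popup: ${recovered.account.username}`);
  try {
    await acquireToken(fakeClient(() => Promise.reject(brokerMismatch), () => Promise.resolve(okResult)), ["User.Read"], "alice@contoso.example");
  } catch (e) {
    const err = e as TokenAcquisitionError;
    out.push(`${err.stage} failed with ${err.code} (correlation ${err.correlationId})`);
  }
  return out;
}

demo().then((lines) => lines.forEach((l) => console.log(l)));
```

In the real add-in, `client` would be the object returned by `createNestablePublicClientApplication`, and the `TokenAcquisitionError` carrying the AADSTS code and correlation ID is what you would log and attach to a report like this one, rather than the generic failure the posted `catch (err)` discards.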