0
votes

Background: I have a single page app (built using Angular) which uses adal and adal-angular to authenticate against Azure Active Directory. Have been using version 1.0.7 of adal and adal-angular (tried using 1.0.14 as well but still no luck) and ui-router for routing.

Issue: A few of our users get a continuous authentication loop while trying to access the web application, specifically on the Edge browser. Note that it works fine with IE, Chrome and Firefox. Surprisingly, it also works fine when Edge is opened in an InPrivate window. This issue is device specific, user specific and only occurs in Edge.

Workaround: When my site is added to the trusted sites (via Control Panel -> Internet Options), the authentication loop issue is resolved and everything works seamlessly.

Any idea why this is happening? What I’m assuming as of now is that it’s a cookie issue: adal writes the auth cookie to the site and Edge can’t seem to read it?

Also, any suggestions for a better fix/workaround for this? I can’t tell all my users to go and add my website to their trusted sites collection.

Code snippet of app.js:

function authenticationInit(adalAuthenticationServiceProvider, $httpProvider, $locationProvider) {
    $locationProvider.html5Mode(false);
    var endpoints = {
        // Map the location of a request to an API to the identifier of the associated resource
        "EndPointKey": window.config.aadEndPointUrl,
        "EndPointValue": window.config.aadResouceIdUrl
    };
    adalAuthenticationServiceProvider.init(
        {
            instance: window.config.AADAuthenticationInstance,
            tenant: window.config.tenant,
            clientId: window.config.clientId,
            extraQueryParameter: 'nux=1',
            endpoints: endpoints
        }, $httpProvider);
}


function registerRoutes($stateProvider) {

    $stateProvider
        .state('home', {
            templateUrl: getViewUrl('widgets'),
            controller: 'WidgetsController',
            controllerAs: 'widget',
            url: '/dashboard'
        })
        .state('terms', {
            templateUrl: getViewUrl('terms'),
            controller: 'TermsController',
            controllerAs: 'terms',
            url: '/terms'
        });
}


$rootScope.$on('$locationChangeStart', function (e) {
    if (adalAuthenticationService.userInfo.isAuthenticated == false) { // Will be executed during first time login and token expiration
        adalAuthenticationService.login();
    }
});


$rootScope.$on("adal:loginSuccess", function (e) { // Will be executed after AAD authentication is successful
    NavigationFactory.navigateTo('home');
});

Have raised the same query here: https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/537

To narrow down this issue, I suggest debugging the code to see which line of code is causing it. BTW, are you able to check whether the token was written successfully to the session storage? (Fei Xue - MSFT)

Upon further analysis, I figured out that there is an issue with cacheLocation as sessionStorage in the Edge browser for certain users. I could see adal.error as ‘Invalid_state’ in sessionStorage for certain users. After setting cacheLocation as localStorage in my adalAuthenticationServiceProvider.init config, the issue was resolved. I wouldn’t prefer using localStorage for its own disadvantages and security concerns. As of now I have written conditional code to set cacheLocation as localStorage for only Edge browsers and sessionStorage for others. Any thoughts or a better way to solve this? (Manish Ramchand)

Which line of code causes the Invalid_state issue? Since the issue can only be reproduced for a specific user, it seems to be related to the environment or settings of Edge. (Fei Xue - MSFT)
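The conditional cacheLocation workaround from the comments, as an added example that is not code from the question or from ADAL: instead of sniffing for Edge, it probes whether sessionStorage is actually writable and falls back to localStorage only when it is not, so the app fails loudly rather than looping when no storage works. `windowLike`, `makeMemoryStorage` and the config object are stand-ins constructed here so it runs outside a browser.

```javascript
function storageIsUsable(storage) {
  // Feature-test the storage area: a browser may expose the object but
  // throw on write or silently drop it (the symptom behind adal's Invalid_state).
  if (!storage) return false;
  var probeKey = '__adal_storage_probe__';
  var probeValue = String(Date.now());
  try {
    storage.setItem(probeKey, probeValue);
    var readBack = storage.getItem(probeKey);
    storage.removeItem(probeKey);
    return readBack === probeValue;
  } catch (e) {
    return false;
  }
}

function chooseCacheLocation(windowLike) {
  // Prefer sessionStorage (cleared when the tab closes); use localStorage only
  // when sessionStorage is unusable; null means neither works.
  if (storageIsUsable(windowLike.sessionStorage)) return 'sessionStorage';
  if (storageIsUsable(windowLike.localStorage)) return 'localStorage';
  return null;
}

function buildAdalConfig(config, windowLike) {
  // Same shape as the init call in the question, plus an explicit cacheLocation.
  var cacheLocation = chooseCacheLocation(windowLike);
  if (cacheLocation === null) {
    throw new Error('No usable Web Storage; cannot cache AAD tokens');
  }
  return {
    instance: config.AADAuthenticationInstance,
    tenant: config.tenant,
    clientId: config.clientId,
    extraQueryParameter: 'nux=1',
    endpoints: config.endpoints,
    cacheLocation: cacheLocation
  };
}

// Constructed in-memory Storage stand-in; broken=true imitates a storage area that rejects writes.
function makeMemoryStorage(broken) {
  var data = {};
  return {
    setItem: function (k, v) { if (broken) throw new Error('QuotaExceededError'); data[k] = String(v); },
    getItem: function (k) { return Object.prototype.hasOwnProperty.call(data, k) ? data[k] : null; },
    removeItem: function (k) { delete data[k]; }
  };
}
```

In the real app, pass `window` as `windowLike` and hand the returned object to `adalAuthenticationServiceProvider.init` together with `$httpProvider`.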

1 Answer

0
votes

adal uses localStorage to save the tokens and reads data from it later on (you also have the option to change it to session storage). The point is that if adal is not able to write into local storage, you will not get the tokens. There is a setting in Microsoft Edge that lets websites store data. To enable it, go to Settings > Advanced Settings and enable 'Let sites save protected media license on my device'. I hope this fixes your issue.