Call to authorize: all the documents indicate that I can supply "domain_hint" but actually it must be "domainHint" #5479

Closed
szalapski opened this issue Dec 12, 2022 · 3 comments
Labels: answered, bug-unconfirmed, documentation, msal-browser, public-client, question

szalapski commented Dec 12, 2022

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.28.3

Wrapper Library

.NET Microsoft.Authentication.WebAssembly.Msal

Wrapper Library Version

7.0.0

Public or Confidential Client?

Public

Description

I tried to supply a domain_hint when calling from the MSAL .NET library. It seems the .NET code is fine and passing the correct value to MSAL.js, so I think the issue is either in my understanding of MSAL.js or in the precise way I am passing the info in.

I got the following trace output on the call to login ("NavigateToLogin" in C# code), and it seems to call MSAL.js correctly. It looks like signIn-Request is correct, with the right domain_hint, but then the call to authorize results in a request without domain_hint in the query string.

Would you expect a domain_hint in additionalRequestParameters to result in a domain_hint in the query string? If not, how do I make MSAL.js take the hint?

```
trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn: {"url":null,"state":{"returnUrl":"/"},"interactiveRequest":{"returnUrl":"/","scopes":null,"interaction":"SignIn","additionalRequestParameters":{"domain_hint":"mydomain.com"}}} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn-Request: {"redirectUri":"https://localhost:5008/authentication/login-callback","state":"d7221a02-3cbc-4f38-a7d1-guidredacted","domain_hint":"mydomain.com","scopes":["9e32b5ae-f519-4632-850e-guidredacted/user_impersonation"]} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
dbug: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      Starting sign-in pop-up
```

Below is the URI that it opens in a popup to start login--shouldn't I expect to see the domain hint in here?

https://login.microsoftonline.com/0c33cce8-883c-4ba5-b615-guidredacted/oauth2/v2.0/authorize?client_id=9e32b5ae-f519-4632-850e-guidredacted&scope=9e32b5ae-f519-4632-850e-guidredacted/user_impersonation openid profile offline_access&redirect_uri=https://localhost:5008/authentication/login-callback&client-request-id=62e3f911-01c6-48be-b4d9-guidredacted&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.28.3&client_info=1&code_challenge=rExM--OqtAlMstringRedactedfcOQ&code_challenge_method=S256&nonce=ab1b920b-4a3a-477b-8214-guidredacted&state=eyJpZstringRedactedstringRedactedstringRedactedstringRedactedstringRedactedstringRedacted34e7

When I change the above to domainHint instead of domain_hint, it works. Can the documents be updated to suggest that? By this doc and this one and this answer, the additional parameter needed is said to be domain_hint. It seems like sometimes it needs to be one or the other and the distinction is not clear.

Error Message

Shown above

Msal Logs

Shown above

MSAL Configuration

(configured via .NET Microsoft.Authentication.WebAssembly.Msal)

Relevant Code Snippets

Shown above

Reproduction Steps

If necessary, I could create a demo app, but that is very time-consuming, and I think the issue is apparent from my description.

Expected Behavior

I'd expect MSAL.js to call authorize with a domain hint so that my call to Azure AD will result in the sign-in popup but automatically choose the user that matches the hint.

Instead, it seems like the domain_hint is ineffective and users are always prompted to "pick an account".

When I supply domainHint instead, it works--the user is not prompted to pick an account.

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox

Regression

No response

Source

External (Customer)

@szalapski changed the title on Dec 12, 2022:
Old: Call to authorize: my signIn-Request object has a domain_hint but authorize request does not...how to make MSAL take the hint?
New: Call to authorize: all the documents indicate that I can supply "domain_hint" but actually it must be "domainHint"
derisen commented Dec 12, 2022

@szalapski apologies for the confusion. You haven't actually shared your MSAL.js usage (the request object that you pass to msal's acquireToken* APIs), but I assume you are confused between these two:

domain_hint is the name of the parameter at the protocol level. The extraQueryParameters property in the msal request object allows you to attach any custom query parameter to the authorization request, so it's up to you to ensure it is the correct parameter name:

```javascript
myMsalObj.acquireTokenPopup({
    scopes: ["User.Read"],
    extraQueryParameters: { domain_hint: "myDomain.com" }
});
```

domainHint is the name of the property at the application level (see CommonAuthorizationUrlRequest type). It will map to 'domain_hint' when msal constructs the authorization code request URL:

```javascript
myMsalObj.acquireTokenPopup({
   scopes: ["User.Read"],
   domainHint: "myDomain.com"
});
```

Now the snippet below will not work, since the request object type has no property named domain_hint:

```javascript
myMsalObj.acquireTokenPopup({
   scopes: ["User.Read"],
   domain_hint: "myDomain.com"
});
```

On the other hand, this would work since MSAL will attach properties passed to the extraQueryParameters to the set of parameters:

```javascript
myMsalObj.acquireTokenPopup({
   scopes: ["User.Read"],
   extraQueryParameters: { domainHint: "myDomain.com" }
});
```

Let me see if I can clarify our docs further.
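
The mapping described in the comment above, combined with the wrapper step visible in the trace (signIn to signIn-Request), as an added example that is not part of the original thread and is not MSAL.js or wrapper source. It is a simplified model: `TYPED_PROPS`, `toMsalRequest`, `buildAuthorizeUrl`, `domainHintOnWire`, `lintRequest` and the authority URL are hypothetical names and constructed values.

```javascript
// Added illustration; not MSAL.js or wrapper source. All names are hypothetical.
const TYPED_PROPS = { domainHint: "domain_hint", loginHint: "login_hint" };
const PROTOCOL_NAMES = new Set(Object.values(TYPED_PROPS));
const AUTHORITY = "https://login.example.test/constructed-tenant"; // constructed

// Wrapper step as seen in the trace: additionalRequestParameters become
// top-level properties of the request (signIn -> signIn-Request).
function toMsalRequest(interactiveRequest, scopes) {
  return { scopes, ...(interactiveRequest.additionalRequestParameters || {}) };
}

// Typed properties are mapped to protocol names, extraQueryParameters are
// appended as given, and every other top-level key is ignored.
function buildAuthorizeUrl(request) {
  const url = new URL(AUTHORITY + "/oauth2/v2.0/authorize");
  url.searchParams.set("scope", (request.scopes || []).join(" "));
  for (const [prop, wireName] of Object.entries(TYPED_PROPS)) {
    if (request[prop] !== undefined) url.searchParams.set(wireName, request[prop]);
  }
  for (const [k, v] of Object.entries(request.extraQueryParameters || {})) {
    url.searchParams.set(k, v);
  }
  return url;
}

// What the authorization endpoint would actually receive as domain_hint.
function domainHintOnWire(request) {
  return buildAuthorizeUrl(request).searchParams.get("domain_hint");
}

// Pre-flight check: a protocol-level name at the top level never reaches the URL.
function lintRequest(request) {
  return Object.keys(request)
    .filter((key) => PROTOCOL_NAMES.has(key))
    .map((key) => `top-level "${key}" is ignored; use the typed property or extraQueryParameters`);
}

const scopes = ["User.Read"];
const samples = { // constructed request objects mirroring the thread
  snakeViaWrapper: toMsalRequest({ additionalRequestParameters: { domain_hint: "mydomain.com" } }, scopes),
  camelViaWrapper: toMsalRequest({ additionalRequestParameters: { domainHint: "mydomain.com" } }, scopes),
  extraQuery: { scopes, extraQueryParameters: { domain_hint: "myDomain.com" } },
};
for (const [name, request] of Object.entries(samples)) {
  console.log(name, "->", domainHintOnWire(request), lintRequest(request));
}
```

Running `lintRequest` on the request object before it is handed to the library surfaces the silently dropped hint that the original trace only revealed by inspecting the popup URL.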

derisen commented Dec 14, 2022

@szalapski I've updated the docs to just use domainHint for clarity. I'll go ahead and close this, but please let us know if you need more help.

@derisen derisen closed this as completed Dec 14, 2022
@szalapski
Author

OK, thanks.

3 participants