I want to send a domain_hint from Blazor Web Assembly (using Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440

[szalapski]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Issue reference: https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl

domain_hint is a AuthenticationParameter of MSAL, which does not appear to be supported/exposed by the Microsoft.Authentication.WebAssembly.Msal package

Here are related issues for other Authentication parameters:
extraQueryParameter: #25391 (#25391)
loginHint: #19877 (#19925)

I believe this issue was unfairly closed with the suggestion that we could customize our own msal.js library. This is not the case; msal.js supports domain hints, it is the .NET MSAL library that doesn't pass it through.

Describe the solution you'd like

I would hope that simply adding support for additional parameters, which will be passed through to MSAL.JS, would be easy to implement, test, and support. So in my client Program.cs, I could do:

WebAssemblyHostBuilder builder = WebAssemblyHostBuilder.CreateDefault(args);
...
builder.Services.AddMsalAuthentication(options =>{
    ...
    options.ProviderOptions.AddAdditionalProviderParameter("domain_hint","mydomain.com");
});

Alternatively, it would be acceptable to add explicit parameters for DomainHint and LoginHint.

    ...
    options.ProviderOptions.DomainHint = "mydomain.com";

Or is there some other way to do this that I am missing?

[TanayParikh]

Hey @szalapski, thanks for reaching out. This may be related to #44973 / #44854.

Can you please try out #44854 (comment)?

Hi @szalapski. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[szalapski]

@TanayParikh, thanks for the response. As instructed, I have added the TrimmerRootDescriptor.xml to the root of my Client project, and added the TrimmerRootDescriptor inside a new ItemGroup in my client's .csproj file. I then call this to start sign-in:

  private void NavigateToLogin()
  {

      var requestOptions = new InteractiveRequestOptions()
      {
          Interaction = InteractionType.SignIn,
          ReturnUrl =  Navigation.Uri
      };

      requestOptions.TryAddAdditionalParameter("domain_hint", "mydomain.com");
      Navigation.NavigateToLogin(Options.Get(DefaultOptionName).AuthenticationPaths.LogInPath, requestOptions);
  }

No change: still asked to "Pick an account" when signing in via OIDC to Active Directory, even though the only account it knows about is the one that matches mydomain.com.

I am on .NET SDK 7.0.100 and package Microsoft.AspNetCore.Components.WebAssembly.Authentication v 7.0.0.

Any further ideas?

[javiercn]

@szalapski can you turn on the logs to trace level on your webassembly app? You should be able to see the exact request object being passed down to msal-browser.