I want to send a domain_hint from Blazor Web Assembly (using Microsoft.Extensions.DependencyInjection.MsalWebAssemblyServiceCollectionExtensions.AddMsalAuthentication ) #29440

[szalapski]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Issue reference: https://stackoverflow.com/questions/63605653/is-there-a-way-to-supply-a-domain-hint-for-single-sign-on-using-msal-net-on-a-bl

domain_hint is a AuthenticationParameter of MSAL, which does not appear to be supported/exposed by the Microsoft.Authentication.WebAssembly.Msal package

Here are related issues for other Authentication parameters:
extraQueryParameter: #25391 (#25391)
loginHint: #19877 (#19925)

I believe this issue was unfairly closed with the suggestion that we could customize our own msal.js library. This is not the case; msal.js supports domain hints, it is the .NET MSAL library that doesn't pass it through.

Describe the solution you'd like

I would hope that simply adding support for additional parameters, which will be passed through to MSAL.JS, would be easy to implement, test, and support. So in my client Program.cs, I could do:

WebAssemblyHostBuilder builder = WebAssemblyHostBuilder.CreateDefault(args);
...
builder.Services.AddMsalAuthentication(options =>{
    ...
    options.ProviderOptions.AddAdditionalProviderParameter("domain_hint","mydomain.com");
});

Alternatively, it would be acceptable to add explicit parameters for DomainHint and LoginHint.

    ...
    options.ProviderOptions.DomainHint = "mydomain.com";

Or is there some other way to do this that I am missing?

[TanayParikh]

Hey @szalapski, thanks for reaching out. This may be related to #44973 / #44854.

Can you please try out #44854 (comment)?

[ghost]

Hi @szalapski. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[szalapski]

@TanayParikh, thanks for the response. As instructed, I have added the TrimmerRootDescriptor.xml to the root of my Client project, and added the TrimmerRootDescriptor inside a new ItemGroup in my client's .csproj file. I then call this to start sign-in:

  private void NavigateToLogin()
  {

      var requestOptions = new InteractiveRequestOptions()
      {
          Interaction = InteractionType.SignIn,
          ReturnUrl =  Navigation.Uri
      };

      requestOptions.TryAddAdditionalParameter("domain_hint", "mydomain.com");
      Navigation.NavigateToLogin(Options.Get(DefaultOptionName).AuthenticationPaths.LogInPath, requestOptions);
  }

No change: still asked to "Pick an account" when signing in via OIDC to Active Directory, even though the only account it knows about is the one that matches mydomain.com.

I am on .NET SDK 7.0.100 and package Microsoft.AspNetCore.Components.WebAssembly.Authentication v 7.0.0.

Any further ideas?

[javiercn]

@szalapski can you turn on the logs to trace level on your webassembly app? You should be able to see the exact request object being passed down to msal-browser.

[szalapski]

Thanks for the reply, @javiercn -- I got the following. Is there anything wrong with it? If not, any idea why Azure AD's login doesn't take the hint?

trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn: {"url":null,"state":{"returnUrl":"/"},"interactiveRequest":{"returnUrl":"/","scopes":null,"interaction":"SignIn","additionalRequestParameters":{"domain_hint":"mydomain.com"}}} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
trce: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      signIn-Request: {"redirectUri":"https://localhost:5008/authentication/login-callback","state":"d7221a02-3cbc-4f38-a7d1-guidredacted","domain_hint":"mydomain.com","scopes":["9e32b5ae-f519-4632-850e-guidredacted/user_impersonation"]} [AuthenticationService.js:2:310560](https://localhost:5008/_content/Microsoft.Authentication.WebAssembly.Msal/AuthenticationService.js)
dbug: Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationService[0]
      Starting sign-in pop-up

Below is the URI that it opens in a popup to start login--shouldn't I expect to see the domain hint in here?

https://login.microsoftonline.com/0c33cce8-883c-4ba5-b615-guidredacted/oauth2/v2.0/authorize?client_id=9e32b5ae-f519-4632-850e-guidredacted&scope=9e32b5ae-f519-4632-850e-guidredacted/user_impersonation openid profile offline_access&redirect_uri=https://localhost:5008/authentication/login-callback&client-request-id=62e3f911-01c6-48be-b4d9-guidredacted&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.28.3&client_info=1&code_challenge=rExM--OqtAlMstringRedactedfcOQ&code_challenge_method=S256&nonce=ab1b920b-4a3a-477b-8214-guidredacted&state=eyJpZstringRedactedstringRedactedstringRedactedstringRedactedstringRedactedstringRedacted34e7

[javiercn]

@szalapski I am not sure about the specific way to achieve this in MSAL, my guess is that you are likely not passing the correct parameter downstream. If you want to know for sure, you can put a breakpoint on the JS right before the call to sign-in in MSAL and inspect that the values are what you expect.

What you see in the trace is literally what gets passed to msal-browser here

[szalapski]

By this doc as well as this one and this one and this answer, the additional parameter needed is indeed domain_hint. But as noted above, this does not seem to result in domain_hint being added to the querystring sent to authorize.

I don't see where to put a breakpoint, as the code you showed me is regular Typescript, but the code my browser sees is minified Javascript. In any case, it doesn't seem necessary as it seems that the signIn-Request object is correct but what MSAL does resulting in a call to authorize has the wrong query string.

Any other ideas?

[javiercn]

@szalapski I would suggest trying to achieve this in a simpler repro that you can tweak with msal.js without going through Blazor. I do not know the specifics of how this is achieved in msal-browser, all I can tell is that the parameters you are passing in from .NET seem to be passed down to the msal call, if that does not result on the behavior you expect, I can't tell if it is because the parameter you are using is not correct or because there is a bug in msal-browser.

[javiercn]

@szalapski I took another look, I think you should use "domainHint" and not "domain_hint" as per https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_browser.html#redirectrequest

If you still have issues after that, please let us know. I've created an issue to bring more clarity in the docs about this scenario.

[szalapski]

That's the ticket. Wow, what a surprise. Every other document refers to "domain_hint". Thank you very much, would never have figured it out otherwise.