Avoid applying .toLowerCase() to the authority URL #7067
Comments
@alexqbm Thanks for raising this. Tracking this internally.
Hi! Any news on this topic, @sameerag ?
Hello again. I don't want to bother you all, guys, but I'd like to check on you regarding this issue. Mentioning @sameerag again. Thank you in advance.
We unfortunately do not have bandwidth to prioritize issues for external IDPs right now. If you are unable to update your IDP to use case insensitive urls you may propose the changes you need through PR and we would be more than happy to consider them.
@alexqbm This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
Core Library
MSAL.js (@azure/msal-browser)
Wrapper Library
Not Applicable
Public or Confidential Client?
Public
Description
My issue happens trying to use a non-Microsoft identity provider.
When using Microsoft as the identity provider, the authority URL is always using the https://login.microsoftonline.com structure, and for that, everything works fine.
However, when trying to use any non-Microsoft authority, such as, in this case, https://my-own-domain.com/realms/EXAMPLE I am unable to even start my application due to several requests that MSAL performs under the hood that are using https://my-own-domain.com/realms/example as the URL.
Notice how /EXAMPLE is /example after MSAL manipulates it. This results in any request performed using this URL to throw a 404 error, since URLs are case sensitive, and hence, the URL that MSAL is using is not the one I've specified and thus, fails.
This issue seems to happen because the canonicalizeUri(url: string): string called in the UrlString class constructor always applies a .toLowerCase() transformation to the URL, and since the class is invoked from the Authority class, any authority that has some uppercase segment will always fail.
I see that this was partially addressed in #4366, but it looks like it was abandoned. I see it has caused some problems in #3621 too.
I understand that the priorities from the MSAL team maybe don't include improving support for other identity providers, but to me this is an issue that, were it to be solved, would really expand MSAL's support for more people since this matter is not a MSAL not wanting to support other identity providers but rather MSAL doing something that, unfortunately, unintentionally limits support for other identity providers. I hope I have explained myself there correctly.
Source
External (Customer)
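The behaviour reported above, as an added example that is not part of the original issue and is not MSAL's code: it contrasts lowercasing the whole authority with lowercasing only the scheme and host, which are the case-insensitive parts of a URL. All function names are hypothetical, the discovery path is an assumption about which request is made, and the case-sensitive server is a constructed stand-in.

```javascript
// Added example: hypothetical helper names, not MSAL's own code.

function ensureTrailingSlash(s) {
  return s.endsWith("/") ? s : s + "/";
}

// Models the behaviour reported in the issue: the entire URL is lowercased.
function canonicalizeLowercaseAll(url) {
  return ensureTrailingSlash(url.trim().toLowerCase());
}

// Lowercases only scheme and host, which are case-insensitive (RFC 3986);
// the path is kept exactly as configured.
function canonicalizePreservePath(url) {
  const u = new URL(url.trim()); // WHATWG URL parsing lowercases scheme and host
  u.search = "";
  u.hash = "";
  return ensureTrailingSlash(u.href);
}

// Assumption: the client fetches OIDC discovery metadata under the authority.
function discoveryUrl(canonicalAuthority) {
  return canonicalAuthority + ".well-known/openid-configuration";
}

// Constructed stand-in for a case-sensitive identity provider:
// only the exact-case path exists.
const KNOWN_PATHS = new Set(["/realms/EXAMPLE/.well-known/openid-configuration"]);
function simulatedStatus(url) {
  return KNOWN_PATHS.has(new URL(url).pathname) ? 200 : 404;
}

// Two authorities match only when scheme and host agree case-insensitively
// and the path agrees exactly, so /realms/EXAMPLE and /realms/example stay distinct.
function sameAuthority(a, b) {
  return canonicalizePreservePath(a) === canonicalizePreservePath(b);
}

const configured = "https://My-Own-Domain.com/realms/EXAMPLE"; // constructed sample
for (const fn of [canonicalizeLowercaseAll, canonicalizePreservePath]) {
  const url = discoveryUrl(fn(configured));
  console.log(fn.name, url, simulatedStatus(url));
}
```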