Avoid applying .toLowerCase() to the authority URL #7067
Comments
alexqbm
added
feature-unconfirmed
question
microsoft-github-policy-service
bot
added
the
Needs: Attention 👋
github-actions
bot
added
msal-browser
|
@alexqbm Thanks for raising this. Tracking this internally. |
microsoft-github-policy-service
bot
added
Needs: Author Feedback
sameerag
added
Needs: Attention 👋
microsoft-github-policy-service
bot
removed
the
Needs: Author Feedback
|
Hi! Any news on this topic, @sameerag ? |
|
Hello again. I don't want to bother you all, guys, but I'd like to check on you regarding this issue. Mentioning @sameerag again. Thank you in advance. |
|
We unfortunately do not have bandwidth to prioritize issues for external IDPs right now. If you are unable to update your IDP to use case insensitive urls you may propose the changes you need through PR and we would be more than happy to consider them. |
microsoft-github-policy-service
bot
added
Needs: Author Feedback
|
@alexqbm This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale. |
microsoft-github-policy-service
bot
added
the
no-issue-activity
Core Library
MSAL.js (@azure/msal-browser)
Wrapper Library
Not Applicable
Public or Confidential Client?
Public
Description
My issue happens trying to use a non-Microsoft identity provider.
When using Microsoft as the identity provider, the authority URL is always using the
https://login.microsoftonline.comstructure, and for that, everything works fine.However, when trying to use any non-Microsoft authority, such as, in this case,
https://my-own-domain.com/realms/EXAMPLEI am unable to even start my application due to several requests that MSAL performs under the hood that are usinghttps://my-own-domain.com/realms/exampleas the URL.Notice how
/EXAMPLEis/exampleafter MSAL manipulates it. This results in any request performed using this URL to throw a 404 error, since URLs are case sensitive, and hence, the URL that MSAL is using is not the one I've specified and thus, fails.This issue seems to happen because the
canonicalizeUri(url: string): stringcalled in theUrlStringclass constructor always applies a .toLowerCase() transformation to the URL, and since the class is invoked from theAuthorityclass, any authority that has some uppercase segment will always fail.I see that this was partially addressed in #4366, but it looks that it was abandoned. I see it has caused some problems in #3621 too.
I understand that the priorities from the MSAL team maybe don't include improving support for other identity providers, but to me this is an issue that, were it to be solved, would really expand MSAL's support for more people since this matter is not a MSAL not wanting to support other identity providers but rather MSAL doing something that, unfortunately, unintentionally limits support for other identity providers. I hope I have explained myself there correctly.
Source
External (Customer)
The text was updated successfully, but these errors were encountered: