Question

ehahn9 on Fri, 21 Apr 2017 17:34:54


Hi! My ("code") flow is working perfectly when I sign the user in with prompt=login and the login.microsoftonline.com endpoint. I can get the access token and make API calls. Furthermore, I see that MS is setting a bunch of cookies after the authorization, etc. All is well (yay!)

But if I immediately go back with prompt=none, I get the dreaded:

login_required | AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: ce546152-caa1-4b63-8541-0d69a3eb0e00 Correlation ID: c92cf59f-a573-4082-a44f-c9822e8621a9 Timestamp: 2017-04-21 17:09:45Z

(I need this to work so I can "re-login" the user on a subsequent visit, nominally using a hidden iframe. For debugging, I'm just using the basic browser and still seeing problems).

To the best of my (limited!) abilities, I've verified that the response cookies from the initial prompt=consent flow are included in the second prompt=none, but clearly something is wrong! I've tried "keep me signed in" etc. - no diff. Interestingly(?), google's auth provider works perfectly in all cases I've tried. BTW, this is using Chrome, so I don't think it is related to IE's security zones, etc.

I could sure use some help on this! Thanks so so much!
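As an added example that is not code from the question or from Microsoft, here is a browser-side sketch of the flow being described: an interactive sign-in (prompt=login) against the Azure AD v2.0 authorize endpoint, followed by a silent re-login attempt (prompt=none) loaded in a hidden iframe, with the redirect parsed so that error=login_required (AADSTS50058 in the description) is recognised and the app falls back to an interactive prompt instead of retrying silently. The tenant path, client_id, redirect_uri, the helper names and the silentFailure classification are assumptions for illustration; the constructed redirect URLs in the comments mirror the error text shown in the question.

```javascript
// Added example (not from the thread). Assumed placeholders: the "common"
// tenant path, client_id and redirect_uri values, and all helper names.
const AUTHORIZE_ENDPOINT = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize';

// Build an authorize URL for the code flow. prompt=none requests a silent
// sign-in; when the session cookies for login.microsoftonline.com are not
// sent with that request the server answers error=login_required, which the
// client must treat as "ask the user", never as "retry silently".
function buildAuthorizeUrl({ clientId, redirectUri, scope, state, nonce, prompt, loginHint }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_mode', 'query');
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);   // CSRF binding between request and redirect
  url.searchParams.set('nonce', nonce);   // replay binding for the id_token
  if (prompt) url.searchParams.set('prompt', prompt);      // 'login' or 'none'
  if (loginHint) url.searchParams.set('login_hint', loginHint);
  return url.toString();
}

// Parse the redirect back from the authorize endpoint. Returns one of:
//   { ok: true, code }
//   { ok: false, error, description, silentFailure }
// silentFailure marks the errors a prompt=none request returns when there is
// no usable session, so the caller knows to fall back to interactive login.
function parseAuthorizeResponse(redirectedUrl, expectedState) {
  const params = new URL(redirectedUrl).searchParams;
  // Reject any redirect whose state does not match what we sent. This check
  // applies to the hidden-iframe path exactly as it does to the visible one.
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch',
             description: 'state does not match the pending request', silentFailure: false };
  }
  const error = params.get('error');
  if (error) {
    const silentErrors = ['login_required', 'interaction_required', 'consent_required'];
    return { ok: false, error,
             description: params.get('error_description') || '',
             silentFailure: silentErrors.includes(error) };
  }
  return { ok: true, code: params.get('code') };
}

// Browser only: load the prompt=none URL in a hidden iframe and resolve with
// the URL the frame lands on once it is redirected back to our redirect_uri.
// While the frame is still on the identity provider's origin, reading its
// location throws; we simply wait for the next load event.
function silentSignIn(url, redirectUri, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    const timer = setTimeout(() => { frame.remove(); reject(new Error('silent sign-in timed out')); }, timeoutMs);
    frame.onload = () => {
      let href;
      try { href = frame.contentWindow.location.href; } catch (e) { return; } // still cross-origin
      if (href.startsWith(redirectUri)) { clearTimeout(timer); frame.remove(); resolve(href); }
    };
    frame.src = url;
    document.body.appendChild(frame);
  });
}

// Orchestration: try silently once; on a silentFailure hand over to a
// top-level, interactive prompt=login navigation rather than looping.
async function reLogin(cfg, state, nonce) {
  const silentUrl = buildAuthorizeUrl({ ...cfg, state, nonce, prompt: 'none' });
  const result = parseAuthorizeResponse(await silentSignIn(silentUrl, cfg.redirectUri), state);
  if (result.ok) return result.code;
  if (result.silentFailure) {
    window.location.assign(buildAuthorizeUrl({ ...cfg, state, nonce, prompt: 'login' }));
    return null;
  }
  throw new Error(`${result.error}: ${result.description}`);
}
```

The state check matters on the silent path as much as on the visible one: the iframe redirect is just another authorization response, and an attacker-supplied code with the wrong state should be dropped, not exchanged. The fallback deliberately navigates the top-level window for prompt=login, since a login page inside a hidden iframe can never be completed by the user.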




Replies

ehahn9 on Fri, 21 Apr 2017 19:03:40


[update]

The bad behavior of prompt=none seems to apply to Azure AD 2.0 endpoint only (login.microsoftonline.com/oauth2/v2.0/authorize).

Running the exact same flow with the old windows live endpoint (login.live.com/oauth20_authorize.srf) and making the minor change that the parameter is called display=none, it works wonderfully - the second (silent) login goes without error!

So login.live.com and google's oauth flow seem to work (for me), but the Azure AD 2.0 endpoint does not.

ehahn9 on Sat, 22 Apr 2017 17:52:42


Thanks for the pointers.

Not that it matters, but I'm not using adal.js - but I've verified the (bad?) behavior from both a JavaScript client and using Rails+Omniauth. Also, I'm nearly certain it *isn't* a case of the auth cookies expiring, because I can issue the second auth request with prompt=none immediately after the first and I still see AADSTS50058.

So basically, still hoping someone has some great suggestion!

I'm wondering if there's some second-tier param I need to supply, like domain_hint, login_hint, etc. (but I've tried supplying those, I think!)

Sadiqh Ahmed on Tue, 25 Apr 2017 14:51:22


This can be better resolved as a support request. Would you mind contacting us by creating a technical support ticket?

Here is the link https://docs.microsoft.com/en-in/azure/azure-supportability/how-to-create-azure-support-request to create a support case.