[Feature Request] MSAL support for other IdP's such as Okta #1538
Comments
|
MSAL only works with MS Identity Providers (AAD, B2C and ADFS) at this time. |
|
Thanks for the answer Bogdan. Yes that's what I guessed. Would be great to support other IDPs that respect the OpenId/OAuth standard. |
henrik-me
changed the title
|
@jmprieur to check with PM team if this would be a goal. Note that big companies rely on multiple clouds (Google cloud, AWS, ...) |
|
Would also be useful for 'smaller things' like Adobe Sign. |
|
Would love it too.
|
|
Oh crikey. MSAL seems to be the one dotnet library that manages token refreshing, and is properly integrated with AspNetCore. But, applications frequently need to integrate with other applications. Its the reason we use open standards like OpenID and OAuth. I need to deal with federated auth that only includes AzureAD as part of the stack. Finding out I can't use Microsoft.Identity.* to get and refresh my Keycloak and Okta tokens just wastes the time I've spend on the AzureAD part of the integration because now there is no general solution that covers all my target IdPs. I guess I'm back to trying to do everything the hard way with IdentityModel |
|
I support this request. |
1 similar comment
|
I support this request. |
|
For the public client / desktop app, @mjcheetham built a very nice general-purpose OAuth2 layer in Git Credential Manager - https://github.com/GitCredentialManager/git-credential-manager/tree/main/src/shared/Core/Authentication/OAuth |
|
Found this, so it may be possible for other identity providers as well, would just need to test and document the settings. https://www.frodehus.dev/use-keycloak-and-msal-with-react-spa/ |
|
Would a PR be accepted to bring support of OAuth2 authorization server metadata and/or OpenIdConnect discovery endpoint to configure MSAL.NET in non AzureAD context ? |
|
I see there is generic authority support in the confidential client app but not the public client app... would the generic (non-azure) authority be considered for the public client app interactive request? Are there any plans for that? |
|
Is there a sample for the new WithGenericAuthority method? I'm trying to use MSAL to get a token from salesforce, but there doesn't seem to be any documentation. |
|
No, we don't have a sample yet. Happy to answer any questions on this @Joffreyvl . You configure the authority as below. Note that PublicClientApplication is not yet supported. var msal = ConfidentialClientApplicationBuilder
.Create(ClientId)
.WithExperimentalFeatures(true)
.WithRedirectUri(RedirectUri)
.WithClientSecret(ClientSecret)
.WithGenericAuthority($"https://demo.duendesoftware.com/")
.Build();Note that MSAL will append https://demo.duendesoftware.com/.well-known/openid-configuration |
Yeah, we'll have to add support for this for public client as well, but I don't have an ETA yet. |
|
@bgavrilMS thanks for the response, this is the code I have now. var confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithExperimentalFeatures(true)
.WithClientSecret(clientSecret)
.WithGenericAuthority(baseUrl)
.Build();var authResult = await confidentialClientApplication
.AcquireTokenForClient(new[] { "openid", "api" })
.ExecuteAsync(cancellationToken);But when acquiring the token I get this exception: Microsoft.Identity.Client.MsalServiceException: 'scope parameter not supported' |
|
@Joffreyvl - What kind of app are you trying to build? A console app, a web site, a web api? |
|
@bgavrilMS I found the solution, the Salesforce api doesn't allow me to send scopes. var authResult = await confidentialClientApplication
.AcquireTokenForClient(new[] { " " })
.ExecuteAsync();I don't know if this is a bad implementation of de OAuth standard on Salesforces side or MSAL? |
|
Well MSAL was originally designed to be the SDK for Azure AD, and with Azure AD client_credentials always takes a scope, so that's why the argument is mandatory. Many Identity Providers don't allow scopes and just return a token with permissions to whatever your service principal is allowed to access. I created #4482 to track this, but the workaround you have seems pretty easy to use. Can you try to get the same token again (i.e. make 2 requests one after the other) and check |
Token is the same when I do multiple requests but authResult.AuthenticationResultMetadata.TokenSource is IdentityProvider in all requests, CacheLevel is set to None |
|
Is there an option to completely disable the well-known discovery check using WithGenericAuthority? I have a scenario where this document doesn’t actually exist and the config data needs to be manually populated. |
|
@trycatchdonothing - we were thinking of adding some helper to allow apps to provide their own metadata. Mostly because ASP.NET Core will do the OIDC discovery on its own and then MSAL takes over, so it results in 2 calls to OIDC. Please create a new issue. |
|
I am closing this as it will be avaialble on next MSAL 4.60.0 (eta - a few days) API is experiemtanl for public client, GA for confidential. |
|
Fixed in MSAL.Net 4.60.0 release |
Hi, is MSAL only compatible with MS Authorization servers or we could use it with other authorization server as well?
I'm trying to use it with Okta and the first error I'm getting is about the ClientID which should be a Guid, because of this code:
OAuth / OpenId does not seem to have any particular restriction on ClientID to be a GUID.
The text was updated successfully, but these errors were encountered: