You may encounter a script error whose page text says cookies are disabled when an MSAL.NET code snippet similar to the following runs inside a XAML Browser Application (XBAP) hosted in Internet Explorer and performs an Azure AD login:

    using System;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    // Acquires an access token interactively and returns it, or returns the error text on failure.
    string GetAccessToken()
    {
        string tenantId = "<Tenant ID>";
        string clientId = "<Application ID>";
        string[] Scopes = new string[] { "User.Read" };
        string errorMessage = string.Empty;
        try
        {
            // Not used by the token acquisition below
            using (HttpClient httpClient = new HttpClient())
            {
                IPublicClientApplication publicClientApp = PublicClientApplicationBuilder.Create(clientId)
                    .WithDefaultRedirectUri()
                    .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMyOrg)
                    .WithTenantId(tenantId)
                    .Build();
                AuthenticationResult authenticationResult = null;
                var t = Task.Run(async () =>
                {
                    try
                    {
                        // Default on .NET Framework: the login page opens in the embedded WebBrowser control
                        authenticationResult = await publicClientApp.AcquireTokenInteractive(Scopes)
                            .WithAccount(null)
                            .WithPrompt(Prompt.ForceLogin)
                            .ExecuteAsync();
                    }
                    catch (Exception ex)
                    {
                        errorMessage = "Error while getting token: " + ex.ToString();
                    }
                });
                t.Wait();

                if (authenticationResult != null)
                {
                    return authenticationResult.AccessToken;
                }
                else
                {
                    return errorMessage;
                }
            }
        }
        catch (Exception ex)
        {
            return ex.Message;
        }
    }

Root Cause

XBAP applications, although displayed inside Internet Explorer, run in their own process, PresentationHost.exe, which is a tightly controlled security container. The XBAP application uses the WebBrowser control to host the Azure AD login page. This container implements many security lockdown features to guard against attacks that can be launched from the browser surface. These restrictions include blocking cookie access, which the Azure AD login page requires in order to work, so the login page breaks with the scripting error.

Resolution

Configure MSAL.NET to use the system browser (Chromium-based Edge on Windows 10; the default on .NET Framework is the embedded browser) to launch the Azure AD login page. The following changes are needed to use the system browser:

  1. Register ‘http://localhost’ (required) as a redirect URI under the ‘Mobile and desktop applications’ platform of the app registration.
  2. Make the following changes in the code: set the redirect URI to ‘http://localhost’ and add WithUseEmbeddedWebView(false) to the interactive request:
    try
    {
        // Not used by the token acquisition below
        using (HttpClient httpClient = new HttpClient())
        {
            IPublicClientApplication publicClientApp = PublicClientApplicationBuilder.Create(clientId)
                // Must match the redirect URI registered under 'Mobile and desktop applications'
                .WithRedirectUri("http://localhost")
                .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMyOrg)
                .WithTenantId(tenantId)
                .Build();
            AuthenticationResult authenticationResult = null;

            var t = Task.Run(async () =>
            {
                try
                {
                    authenticationResult = await publicClientApp.AcquireTokenInteractive(Scopes)
                        .WithAccount(null)
                        .WithPrompt(Prompt.ForceLogin)
                        // Open the login page in the system browser instead of the locked-down embedded WebBrowser control
                        .WithUseEmbeddedWebView(false)
                        .ExecuteAsync();
                }
                catch (Exception ex)
                {
                    errorMessage = "Error while getting token: " + ex.ToString();
                }
            });
            t.Wait();

            if (authenticationResult != null)
            {
                return authenticationResult.AccessToken;
            }
            return errorMessage;
        }
    }
    catch (Exception ex)
    {
        return ex.Message;
    }
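The snippet above forces a fresh login on every call (Prompt.ForceLogin) and blocks on the task. As an added example that is not part of the original post, the class below wraps the same system-browser configuration in an async helper that consults the MSAL token cache first and only opens the browser when no usable token exists. It assumes the app registration has ‘http://localhost’ under ‘Mobile and desktop applications’, and the <Tenant ID> and <Application ID> values are placeholders to replace with your own.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: token acquisition for an XBAP/WPF client via the system browser,
// trying the MSAL cache before any interactive prompt.
// Assumes "http://localhost" is registered as a desktop redirect URI for the app.
public static class SystemBrowserTokenProvider
{
    private static readonly string[] Scopes = { "User.Read" };

    private static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create("<Application ID>")   // placeholder
            .WithTenantId("<Tenant ID>")                             // placeholder
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMyOrg)
            // Loopback redirect: MSAL listens on a localhost port for the authorization response
            .WithRedirectUri("http://localhost")
            .Build();

    public static async Task<string> GetAccessTokenAsync()
    {
        // 1. Try the cache first: no browser window and no cookies involved
        IAccount account = (await App.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                AuthenticationResult cached = await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
                return cached.AccessToken;
            }
            catch (MsalUiRequiredException)
            {
                // No valid token in the cache (expired, revoked, or policy requires interaction):
                // fall through to the interactive flow
            }
        }

        // 2. Interactive sign-in in the system browser rather than the embedded
        //    WebBrowser control that PresentationHost.exe locks down
        var browserOptions = new SystemWebViewOptions
        {
            HtmlMessageSuccess = "<html><body>Sign-in complete. You can close this tab.</body></html>",
            HtmlMessageError = "<html><body>Sign-in failed. You can close this tab.</body></html>"
        };

        AuthenticationResult result = await App.AcquireTokenInteractive(Scopes)
            .WithAccount(account)
            .WithUseEmbeddedWebView(false)
            .WithSystemWebViewOptions(browserOptions)
            .ExecuteAsync();

        return result.AccessToken;
    }
}
```

Call it from an async event handler (for example, string token = await SystemBrowserTokenProvider.GetAccessTokenAsync(); in a button click handler) so no Task.Run plus Wait() is needed. Because the silent path runs first, users are only sent to the browser when the cache cannot satisfy the request; the SystemWebViewOptions only control the page the browser shows after Azure AD redirects back to the loopback listener.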
