Description
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
14.5.0
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
3.0.9
Public or Confidential Client?
Public
Description
I'm trying to build an Angular SPA app using MSAL to acquire ACCESS tokens to access other Azure services like Blob storage and Cosmos DB (Core SQL REST API) directly on behalf of the OIDC authenticated user without any backend services in between.
For accessing blob storage it was very straightforward to add the Blob URI to protectedResourceMap:

```typescript
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);
  protectedResourceMap.set('https://msnblob1.blob.core.windows.net/*', ['https://storage.azure.com/.default']);
  protectedResourceMap.set('https://msn-db.documents.azure.com/*', ['https://cosmos.azure.com/.default']);
```

After this, my REST HTTP calls to my blob storage were automatically intercepted and a correctly scoped access token was acquired and used. Nice!
I'm now trying to do the same thing for Cosmos DB, however their REST API expects the authorization header in the following (URL encoded) format:
Authorization: type=aad&ver=1.0&sig=<access_token>
When I add my xxx.documents.azure.com URI to the protectedResourceMap list, it successfully intercepts my calls and acquires a token (that I can copy and use with curl to verify it works). However, it is inserted as a standard Bearer token, which is not accepted by the Cosmos DB endpoint.
Would you consider patching the Interceptor in MSAL to support the Cosmos authorisation header format if such a URL is added to the list?
If not, how do I manually call the functions needed in MSAL to request the access token so I can manually craft the correct authorisation header?
MSAL Configuration
```typescript
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);
  protectedResourceMap.set('https://msnblob1.blob.core.windows.net/*', ['https://storage.azure.com/.default']);
  protectedResourceMap.set('https://msn-db.documents.azure.com/*', ['https://cosmos.azure.com/.default']);
```
Relevant Code Snippets
No response
Identity Provider
Azure AD / MSA
Source
External (Customer)
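
One way to craft the Cosmos DB header by hand, as an added example that is not part of the original issue or MSAL's own code. `TokenClient`, `isCosmosRequest`, `cosmosAuthHeader` and `withCosmosAuth` are hypothetical names; the assumption is that an MSAL `PublicClientApplication` with an active account can be passed as the `TokenClient`, since it exposes `acquireTokenSilent` returning a result with `accessToken`.

```typescript
// Added example. TokenClient is a hypothetical structural type; the assumption
// is that an MSAL PublicClientApplication instance can be passed where it is used.
interface TokenClient {
  acquireTokenSilent(req: { scopes: string[] }): Promise<{ accessToken: string }>;
}

const COSMOS_HOST = 'msn-db.documents.azure.com';            // account host from the post
const COSMOS_SCOPES = ['https://cosmos.azure.com/.default']; // scope from the post

// True only for HTTPS requests to the exact account host. Parsing the URL
// (instead of prefix matching) keeps the token away from look-alike hosts
// such as msn-db.documents.azure.com.example.net.
function isCosmosRequest(url: string): boolean {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' && u.hostname === COSMOS_HOST;
  } catch {
    return false; // relative or malformed URL: never attach the token
  }
}

// Cosmos DB expects "type=aad&ver=1.0&sig=<access_token>", URL encoded.
function cosmosAuthHeader(accessToken: string): string {
  return encodeURIComponent(`type=aad&ver=1.0&sig=${accessToken}`);
}

// Returns a copy of `headers` carrying the Cosmos-style Authorization value,
// or the headers unchanged when the URL is not the Cosmos account.
async function withCosmosAuth(
  client: TokenClient,
  url: string,
  headers: Record<string, string> = {},
): Promise<Record<string, string>> {
  if (!isCosmosRequest(url)) return headers;
  const { accessToken } = await client.acquireTokenSilent({ scopes: COSMOS_SCOPES });
  return { ...headers, Authorization: cosmosAuthHeader(accessToken) };
}
```

If the Cosmos URL also stays in `protectedResourceMap`, the MSAL interceptor may still set its own Bearer header on the same request, so this approach assumes that entry is removed.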