Trouble getting accessToken from acquireTokenInteractive in packaged Electron app

[knutssonalex]

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.13.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

When packaging Electron apps, either the ElectronSystemBrowserTestApp or a custom one, we can't get the access token back from the interactive sign in. The success template is displayed in the browser and the user is redirected back to the app, but we never get the accessToken/authResponse back.
This however, works fine in the example app and our own app.

Error Message

No errors are thrown.

MSAL Logs

[2024-09-11 10:43:33.828] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Info - getTokenCache called
[2024-09-11 10:43:33.836] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Info - getAuthCodeUrl called
[2024-09-11 10:43:33.836] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - initializeRequestScopes called
[2024-09-11 10:43:33.837] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [ebebc577-14e1-43b7-965e-ed097641119b] : @azure/msal-node@2.13.0 : Verbose - buildOauthClientConfiguration called
[2024-09-11 10:43:33.837] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [ebebc577-14e1-43b7-965e-ed097641119b] : @azure/msal-node@2.13.0 : Verbose - createAuthority called
[2024-09-11 10:43:33.838] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Attempting to get cloud discovery metadata from authority configuration
[2024-09-11 10:43:33.838] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Known Authorities:
[2024-09-11 10:43:33.838] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Authority Metadata: N/A
[2024-09-11 10:43:33.838] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Canonical Authority: https://login.microsoftonline.com/c3af1697-15c2-44e3-99ae-9f34166c36fb/
[2024-09-11 10:43:33.839] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[2024-09-11 10:43:33.839] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Found cloud discovery metadata from hardcoded values.
[2024-09-11 10:43:33.839] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Attempting to get endpoint metadata from authority configuration
[2024-09-11 10:43:33.839] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[2024-09-11 10:43:33.839] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Replacing tenant domain name c3af1697-15c2-44e3-99ae-9f34166c36fb with id {tenantid}
[2024-09-11 10:43:33.840] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [ebebc577-14e1-43b7-965e-ed097641119b] : @azure/msal-node@2.13.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/c3af1697-15c2-44e3-99ae-9f34166c36fb/oauth2/v2.0/token.
[2024-09-11 10:43:33.840] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [ebebc577-14e1-43b7-965e-ed097641119b] : @azure/msal-node@2.13.0 : Verbose - Auth code client created
[2024-09-11 10:43:33.841] [info] [Wed, 11 Sep 2024 08:43:33 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Replacing tenant domain name c3af1697-15c2-44e3-99ae-9f34166c36fb with id {tenantid}
[2024-09-11 10:43:34.229] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Info - acquireTokenByCode called
[2024-09-11 10:43:34.229] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - initializeRequestScopes called
[2024-09-11 10:43:34.230] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-node@2.13.0 : Verbose - buildOauthClientConfiguration called
[2024-09-11 10:43:34.230] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-node@2.13.0 : Verbose - createAuthority called
[2024-09-11 10:43:34.231] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Attempting to get cloud discovery metadata from authority configuration
[2024-09-11 10:43:34.231] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Known Authorities:
[2024-09-11 10:43:34.231] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Authority Metadata: N/A
[2024-09-11 10:43:34.231] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Canonical Authority: https://login.microsoftonline.com/c3af1697-15c2-44e3-99ae-9f34166c36fb/
[2024-09-11 10:43:34.232] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[2024-09-11 10:43:34.232] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Found cloud discovery metadata from hardcoded values.
[2024-09-11 10:43:34.232] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Attempting to get endpoint metadata from authority configuration
[2024-09-11 10:43:34.232] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[2024-09-11 10:43:34.233] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Replacing tenant domain name c3af1697-15c2-44e3-99ae-9f34166c36fb with id {tenantid}
[2024-09-11 10:43:34.233] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-node@2.13.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/c3af1697-15c2-44e3-99ae-9f34166c36fb/oauth2/v2.0/token.
[2024-09-11 10:43:34.233] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-node@2.13.0 : Verbose - Auth code client created
[2024-09-11 10:43:34.234] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [] : @azure/msal-node@2.13.0 : Verbose - Replacing tenant domain name c3af1697-15c2-44e3-99ae-9f34166c36fb with id {tenantid}
[2024-09-11 10:43:34.457] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-common@14.14.1 : Verbose - setCachedAccount called
[2024-09-11 10:43:34.459] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-common@14.14.1 : Verbose - Persistence enabled, calling beforeCacheAccess
[2024-09-11 10:43:34.460] [info] [Wed, 11 Sep 2024 08:43:34 GMT] : [c76a70ee-6c5d-4898-8d68-a3ffd72a35f1] : @azure/msal-common@14.14.1 : Verbose - Persistence enabled, calling afterCacheAccess

Network Trace (Preferrably Fiddler)

• Sent
• Pending

MSAL Configuration

{
    authOptions: {
        clientId: "clientId",
        authority: "https://login.microsoftonline.com/c3af1697-15c2-44e3-99ae-9f34166c36fb",
    },
    resourceApi: {
        endpoint: "https://graph.microsoft.com/v1.0",
        scopes: ["User.Read", "openid"],
        redirectUri: "http://localhost/auth",
    },
    customProtocol: {
        name: "msal{clientId}",
    },
    cache: {
        cacheLocation: "./data/cache.json",
    },
    system: {
        loggerOptions: {
            logLevel: LogLevel.Verbose,
            loggerCallback: (level: any, message: any, containsPii: any) => {
                if (containsPii) {
                    return;
                }
                switch (level) {
                    case LogLevel.Error:
                        console.error(message);
                        return;
                    case LogLevel.Info:
                        console.info(message);
                        return;
                    case LogLevel.Verbose:
                        console.debug(message);
                        return;
                    case LogLevel.Warning:
                        console.warn(message);
                        return;
                    default:
                        console.log(message);
                        return;
                }
            },
        },
    },
};

Relevant Code Snippets

if (process.env.NODE_ENV === "development" && process.platform === "win32") {
    app.setAsDefaultProtocolClient(authConfig.customProtocol.name, process.execPath, [path.resolve(process.argv[1])]);
} else {
    app.setAsDefaultProtocolClient(authConfig.customProtocol.name);
}

export const pca = new PublicClientApplication({
    auth: {
        clientId: authConfig.authOptions.clientId,
        authority: authConfig.authOptions.authority,
    },
    cache: {
        cachePlugin: cachePlugin(CACHE_LOCATION),
    },
    system: authConfig.system,
});

async function getTokenInteractive(tokenRequest: { scopes: string[] }): Promise<AuthenticationResult> {
    try {
        const openBrowser = async (url: any) => {
            log.info("Opening browser with URL:", url);
            await shell.openExternal(url);
        };

        const loopbackClient = await CustomLoopbackClient.initialize(3001);

        const interactiveRequest: InteractiveRequest = {
            scopes: ["User.Read"],
            authority: authConfig.authOptions.authority,
            openBrowser,
            successTemplate: successTemplate,
            errorTemplate: errorTemplate,
            loopbackClient: loopbackClient,
        };

        try {
            const authResponse = await pca.acquireTokenInteractive(interactiveRequest); // This is where production code gets stuck
            return authResponse;
        } catch (error) {
            log.error("Error during interactive authentication:", error, "error type:", typeof error);
            if (error instanceof Error) {
                log.error("Error name:", error.name);
                log.error("Error message:", error.message);
                log.error("Error stack:", error.stack);
            }
            throw error;
        }
    } catch (error) {
        log.error("Interactive authentication failed", error);
        if (error instanceof Error) {
            log.error("Error name:", error.name);
            log.error("Error message:", error.message);
            log.error("Error stack:", error.stack);
        }
        throw error;
    }
}

Reproduction Steps

1. Clone the ElectronSystemBrowserTestApp
2. Replace with application credentials
3. Run npm install
4. Run npm run package
5. Locate the packaged application and start it
6. Try to sign in

Expected Behavior

User gets signed in from the redirect.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Edge, Safari

Regression

No response

Source

Internal (Microsoft)

[basmithy]

I'm experiencing this too, and cannot get to the bottom of it. Did you ever find out a solution to this?

Update
New to electron, so didn't realise this, but the Electron sample provided here is missing some setup required to make it work once packaged. For me once I addressed these changes it worked: the public folder needs to be included in extraResources, and most importantly, in the AuthProvider you need to reference the cache differently between dev mode and when the app is packaged