Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
4.0.2
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Public
Description
The provided redirectURI in createNestablePublicClientApplication is ignored and the user gets redirected back to the current page.
Error Message
The redirect URI "brk-multihub://localhost:4200" is set in the auth config and in the returned controller instance from the createNestablePublicClientApplication function.
But the used acquireTokenSilent method from the controller instance ignores this configuration and sets, in the POST request, the redirect URI to the current page (brk-multihub://localhost:3000) instead.
Payload:
client_id=2a0bdc00-7caf-4f1d-a0a0-c7f48f3ddf2b
redirect_uri=brkmultihub%3A%2F%2Flocalhost%3A3000
scope=Application.Read.All%20MailboxSettings.Read%20Mail.ReadWrite%20Mail.Send%20openid%20profile%20offline_access
grant_type=refresh_token
client_info=1
x-client-SKU=msal.js.browser
x-client-VER=4.0.2
x-ms-lib-capability=retry-after, h429
x-client-current-telemetry=5|61,0,,,|,
x-client-last-telemetry=5|0|||0,0
refresh_token=[value removed]
claims=%7B%22access_token%22%3A%7B%22xms_cc%22%3A%7B%22values%22%3A%5B%22CP1%22%5D%7D%7D%7D
X-AnchorMailbox=Oid%3Af3228d3f-5321-43fc-a103-2c946cd4ec93%40bf27b2d4-d749-45a5-8306-f33ea11345de
brk_client_id=9199bf20-a13f-4107-85dc-02114787ef48
brk_redirect_uri=https://outlook.office.com/mail/oauthRedirect.html
MSAL Logs
Info - [Tue, 25 Feb 2025 14:50:34 GMT] : [] : @azure/msal-browser@4.0.2 : Info - Nested App Auth Bridge available: true
Error - [Tue, 25 Feb 2025 15:19:38 GMT] : [] : @azure/msal-browser@4.0.2 : Error - Cached tokens are not found for the account, proceeding with silent token request.
Info - [Tue, 25 Feb 2025 15:19:38 GMT] : [] : @azure/msal-browser@4.0.2 : Info - BrowserCacheManager: removeTokenKey - attempting to remove accessToken with key: f3228d3f-5321-43fc-a103-2c946cd4ec93.bf27b2d4-d749-45a5-8306-f33ea11345de-login.windows.net-accesstoken-2a0bdc00-7caf-4f1d-a0a0-c7f48f3ddf2b-bf27b2d4-d749-45a5-8306-f33ea11345de-application.read.all files.read mail.read mail.readbasic mail.readwrite mail.readwrite.shared mail.send mail.send.shared mailboxsettings.read openid profile user.read email-- from map
Info - [Tue, 25 Feb 2025 15:19:38 GMT] : [] : @azure/msal-browser@4.0.2 : Info - BrowserCacheManager: removeTokenKey - accessToken removed from map
Info - [Tue, 25 Feb 2025 15:19:38 GMT] : [] : @azure/msal-browser@4.0.2 : Info - BrowserCacheManager: addTokenKey - accessToken added to map
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
{
  auth: {
    clientId: "2a0bdc00-7caf-4f1d-a0a0-c7f48f3ddf2b",
    authority: "https://login.microsoftonline.com/organizations",
    redirectUri: "brk-multihub://localhost:4200",
  },
}
Relevant Code Snippets
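import { createNestablePublicClientApplication } from "@azure/msal-browser";

// Create the nested-app-auth client with an explicit redirect URI.
const pca = await createNestablePublicClientApplication({
  auth: {
    clientId: "<APP_ID_OF_CDX_TENANT>",
    authority: "https://login.microsoftonline.com/organizations",
    redirectUri: "brk-multihub://localhost:4200",
  },
});

const tokenRequestPayload = {
  scopes: [
    "Application.Read.All",
    "MailboxSettings.Read",
    "Mail.ReadWrite",
    "Mail.Send",
  ],
};

// The resulting token request carries the current page as redirect_uri.
await pca.acquireTokenSilent(tokenRequestPayload);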
Reproduction Steps
- Sideload a local test add-in in Outlook OWA
- Execute the provided code snippet
- Investigate the network tabs and compare the redirect URL provided in the request with the configured redirect URI
Expected Behavior
The acquireTokenSilent method from the controller instance should provide the configured redirect URI (in this case "brk-multihub://localhost:4200") in the request instead of the current URI (in this case "brk-multihub://localhost:3000").
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
Firefox
Regression
No response
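The comparison in the last reproduction step can be scripted. The following is an added example, not part of the original report or of MSAL.js: it parses a captured token request body, compares `redirect_uri` with the configured value, and redacts secret fields before the payload is shared. The function names, the list of secret fields and the sample body are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper names, not MSAL.js APIs).
const SECRET_FIELDS = new Set(["refresh_token", "code", "client_secret", "client_assertion"]);

// Percent-decode a value; keep the raw text if the encoding is malformed.
const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Accepts the raw form body ("a=1&b=2") or the one-pair-per-line DevTools view.
function parseTokenRequest(body) {
  const params = new Map();
  for (const pair of body.split(/[&\r\n]+/)) {
    const eq = pair.indexOf("=");
    if (eq <= 0) continue; // skip blanks and fragments without a key
    params.set(pair.slice(0, eq).trim(), decode(pair.slice(eq + 1).trim()));
  }
  return params;
}

// Returns a copy with secret values replaced, suitable for a bug report.
function redactTokenRequest(body) {
  return [...parseTokenRequest(body)]
    .map(([k, v]) => `${k}=${SECRET_FIELDS.has(k) ? "<redacted>" : v}`)
    .join("\n");
}

// Exact string comparison of the sent redirect_uri against the auth config.
function checkRedirectUri(body, configuredRedirectUri) {
  const params = parseTokenRequest(body);
  const sent = params.get("redirect_uri") ?? null;
  return {
    sent,
    brokerRedirectUri: params.get("brk_redirect_uri") ?? null,
    matches: sent === configuredRedirectUri,
  };
}

// Constructed sample modelled on the payload in this report (token is fake).
const sampleBody = [
  "client_id=00000000-0000-0000-0000-000000000000",
  "redirect_uri=brk-multihub%3A%2F%2Flocalhost%3A3000",
  "grant_type=refresh_token",
  "refresh_token=FAKE.TOKEN.VALUE",
  "brk_redirect_uri=https://outlook.office.com/mail/oauthRedirect.html",
].join("&");

console.log(checkRedirectUri(sampleBody, "brk-multihub://localhost:4200"));
console.log(redactTokenRequest(sampleBody));
```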