
[Question] How to pass AAD auth parameters in MSIX Authentication #625

Open
MoodieG opened this issue Mar 25, 2024 · 4 comments
Labels
Needs-Triage Issue needs to be triaged by a member of the core team

Comments

@MoodieG

MoodieG commented Mar 25, 2024

Hey,

I have published an appinstaller to a custom web application and now I want to add authentication. The documentation says that this can be done by adding &msix=aad to the end of the URI. However, it does not mention how to specify the client ID and tenant ID of the app registration, or the required scopes, when requesting a bearer token from Azure Active Directory.

Is there a way to specify those parameters?

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs-Triage Issue needs to be triaged by a member of the core team label Mar 25, 2024
@MoodieG
Author

MoodieG commented Apr 1, 2024

Hey, just bumping this thread. I tried adding ?msixauth=aad at the end of my Uri for AppInstaller and MainPackage to test the authentication flow. I do get prompted to log in, but the app installer fails to open the app package due to

"An error occurred while attempting to authenticate. The user account does not have access to the target resource. Contact your administrator for assistance."

I believe the reason is that no tenant ID, scope, or client ID is passed to AAD when retrieving a bearer token.

@MoodieG
Author

MoodieG commented Apr 10, 2024

Bumping this thread again.

I assume app installer is expecting users to perform server-side authentication if client-side authentication is not supported. It would be great if anyone could point to a sample or documentation of that auth flow.

@florelis
Member

There is no way to specify a client ID or scope. App Installer uses its own client ID and sets the scope depending on whether the resource is on SharePoint or Azure Storage.

It may also be worth updating App Installer or testing installing the .msix directly (without using a .appinstaller file). There used to be a bug that caused cryptic errors when using auth for .appinstaller files.
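To make the two comments above concrete, here is an added example of a .appinstaller file with the authentication hint appended to both the AppInstaller and MainPackage URIs, as the reporter describes trying. It is not a file from this thread or from the App Installer project; the host name, package name and publisher are placeholders, and the schema namespace and attributes are the standard 2018 appinstaller schema as the editor knows it. The query string uses the `?msixauth=aad` form from the second comment; the first comment quotes the documentation as `&msix=aad`, so confirm the current spelling against the App Installer documentation before relying on it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical example: example.contoso.com, Contoso.MyApp and CN=Contoso
     are placeholders, not values from the thread. -->
<AppInstaller
    xmlns="http://schemas.microsoft.com/appx/appinstaller/2018"
    Version="1.0.0.0"
    Uri="https://example.contoso.com/installer/MyApp.appinstaller?msixauth=aad">

  <!-- The reporter added the parameter to the MainPackage URI as well as the
       AppInstaller URI. -->
  <MainPackage
      Name="Contoso.MyApp"
      Publisher="CN=Contoso"
      Version="1.0.0.0"
      ProcessorArchitecture="x64"
      Uri="https://example.contoso.com/installer/MyApp.msix?msixauth=aad" />

  <!-- Note what is absent: there is no attribute for a client ID, tenant ID
       or scope. Per the maintainer reply, App Installer uses its own client ID
       and chooses the scope itself based on whether the resource is hosted on
       SharePoint or Azure Storage; the parameter only turns authentication on. -->
  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="12" />
  </UpdateSettings>
</AppInstaller>
```

The practical consequence for a deployment review is that the token App Installer presents is issued to App Installer's own application, scoped for one of those two storage services; a custom web API cannot be named as the audience from the .appinstaller file, so access control has to be enforced on the hosting side for one of the supported hosts rather than by a custom app registration.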

@MoodieG
Author

MoodieG commented May 16, 2024

Thanks for the reply. Unfortunately, giving users access to Azure Storage is not encouraged by Microsoft security policies. A web API that can authenticate via a managed service identity is encouraged. Hence I require the app installer to authenticate with a custom web API.

I have not considered using SharePoint and am not familiar with the experience there. Having said that, it would be nice if a user were able to customize the client ID and scope for app installer auth.
