[Bug] AcquireTokenInteractive with loopback address as redirect URI is ignored #539

@armbzk

Which version of MSAL Go are you using?

Microsoft Authentication Library for Go 1.3.2

Where is the issue?

  • Public client
    • Device code flow
    • Username/Password (ROPC grant)
    • Authorization code flow
  • Confidential client
    • Authorization code flow
    • Client credentials:
      • client secret
      • client certificate
  • Token cache serialization
    • In-memory cache
  • Other (please describe)

Is this a new or an existing app?

c. This is a new app or an experiment.

What version of Go are you using (go version)?

go version go1.21.1

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=
GOARCH=amd64
GOBIN=
GOCACHE=C:\Users\armbzk\AppData\Local\go-build
GOENV=C:\Users\armbzk\AppData\Roaming\go\env
GOEXE=.exe
GOEXPERIMENT=
GOFLAGS=
GOHOSTARCH=amd64
GOHOSTOS=windows
GOINSECURE=
GOMODCACHE=C:\Users\armbzk\go\pkg\mod
GONOPROXY=
GONOSUMDB=
GOOS=windows
GOPATH=C:\Users\armbzk\go
GOPRIVATE=
GOPROXY=https://proxy.golang.org,direct
GOROOT=C:\Program Files\Go
GOSUMDB=sum.golang.org
GOTMPDIR=
GOTOOLCHAIN=auto
GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
GOVCS=
GOVERSION=go1.21.1
GCCGO=gccgo
GOAMD64=v1
AR=ar
CC=gcc
CXX=g++
CGO_ENABLED=1
GOMOD=D:\gitea\armbzk\cli-auth\go.mod
GOWORK=
CGO_CFLAGS=-O2 -g
CGO_CPPFLAGS=
CGO_CXXFLAGS=-O2 -g
CGO_FFLAGS=-O2 -g
CGO_LDFLAGS=-O2 -g
PKG_CONFIG=pkg-config
GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\armbzk\AppData\Local\Temp\go-build1100814025=/tmp/go-build -gno-record-gcc-switches

Repro

```go
...
acquireOpts := []public.AcquireInteractiveOption{
	public.WithRedirectURI("http://127.0.0.1:0"),
}
authResult, err = client.AcquireTokenInteractive(ctx, c.scopes, acquireOpts...) // make a new request to Azure AD
...
```

Expected behavior

  • Expect that redirect server listens on http://127.0.0.1:<port>
  • RFC 8252 recommends using the loopback IP instead of localhost.

Actual behavior

  • Started redirect server listens on http://localhost:<port>
  • Configuring the Redirect URI in MS AD app to http://127.0.0.1 is not possible with current MSAL

Possible solution
Current default to localhost is fine. If acquireOpts contains public.WithRedirectURI("http://127.0.0.1:0") it should be considered.

Additional context / logs / screenshots
n/a
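
The behaviour requested in this issue, sketched as an added example (not code from MSAL Go or from the reporter): bind the redirect listener on exactly the host given in the redirect URI and return that URI with the OS-assigned port filled in. The helper name `listenForRedirect` and its validation rules are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// listenForRedirect (hypothetical helper) binds the redirect listener on exactly the
// host named in redirectURI and returns the URI with the OS-assigned port filled in.
func listenForRedirect(redirectURI string) (net.Listener, string, error) {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return nil, "", err
	}
	if u.Scheme != "http" {
		return nil, "", fmt.Errorf("loopback redirect must use http, got %q", u.Scheme)
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); ip != nil {
		if !ip.IsLoopback() {
			return nil, "", fmt.Errorf("%s is not a loopback address", host)
		}
	} else if host != "localhost" {
		return nil, "", fmt.Errorf("%q is neither a loopback IP nor localhost", host)
	}
	port := u.Port()
	if port == "" {
		port = "0" // let the OS pick a free port
	}
	ln, err := net.Listen("tcp", net.JoinHostPort(host, port))
	if err != nil {
		return nil, "", err
	}
	// Report the host the caller asked for, not a substituted name, so the
	// redirect_uri sent to the authorization server matches the registration.
	_, actualPort, _ := net.SplitHostPort(ln.Addr().String())
	u.Host = net.JoinHostPort(host, actualPort)
	return ln, u.String(), nil
}

func main() {
	ln, uri, err := listenForRedirect("http://127.0.0.1:0") // value from the issue's repro
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("listening on", ln.Addr(), "redirect_uri", uri)
}
```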
