Azure AD B2C bad request when redirecting / using cy.origin()

[mmonteiroc]

Current behavior

We are trying to do a login with cypress, and we tried to use the "cy.origin" command. In local this worked well, as the domain of the login was a complete different one.
Once we launched this in the pipeline, started complaining cypress that the "super domain" was the same one ( same error as this issue ).

As cypress identifies the login domain as the same domain, we assumed that then we could use the cypress commands directly in that page, so we did the following condition so that the code would be executed with origin or without depending of the environment:

 const loginFunction = ({ username, password, emailInput, passwordInput, nextButton }) => {
    cy.get(emailInput, { timeout: 5000 }).should('be.visible').type(username, { log: false });
    cy.get(passwordInput).type(password, { log: false });
    cy.get(nextButton).click();
  };

  // When localhost, we need the "origin command"
  if (Cypress.config('baseUrl').includes('localhost')) {
    cy.origin(
      loginOrigin,
      {
        args: {
          username: usernameForLogin,
          password: passwordForLogin,
          emailInput: LoginPage.emailInput,
          passwordInput: LoginPage.passwordInput,
          nextButton: LoginPage.nextButton
        }
      },
      loginFunction
    );
  } else {
    // When deployed, we don't need the "origin command"
    loginFunction({
      username: usernameForLogin,
      password: passwordForLogin,
      emailInput: LoginPage.emailInput,
      passwordInput: LoginPage.passwordInput,
      nextButton: LoginPage.nextButton
    });
  }

Problem comes that when we are doing the login in the CI ( not using the cy.origin ), one response of loading a page returns a 400 ( usually returns a 302 that page - With cy.origin or by normal usage of the login )

Same code executed in localhost, and using the cy.origin works just perfectly

Desired behavior

That the code works the same with or without origin

Test code to reproduce

Provided in the description

Cypress Version

12.5.1

Node version

18.13.0

Operating System

Windows 10 19042.2486

Debug Logs

No response

Other

SSO for the login used is
Azure AD B2C

Frontend application is
Angular with @azure/msal-angular

[mmonteiroc]

[UPDATE] - This has nothing to do with query params. We found that the params are added by the SSO provider.

Nevertheless, there is still an issue here. When doing the login manually or with cy.origin works properly, and the page load returns a 302 to our app ( redirect with a login status )

But when doing it without the cy.origin but with cypress, the page returns a 400.

Maybe the proxy of cypress is not proxying well the request

[sebastiandenis]

@mmonteiroc we have encountered a similar issue. We also use Azure AD B2C.

Everything works fine for localhost and cy.origin wrapped around B2C SSO page. But when we open the app on an actual domain for example app.domain.xyz and we have our B2C login page on login.domain.xyz, we can't use cy.origin (the same super domain) and we get the AADB2C90255 B2C error (_The claims exchange specified in technical profile '{0}' did not complete as expected. You might want to try starting your session over from the beginning).

I have tried almost everything, still without success :/

[flotwig]

Hey @mmonteiroc and @sebastiandenis - could you please try updating to Cypress 12.7.0? We included some bugfixes related to session, origin, and cookies that may resolve your issues: https://docs.cypress.io/guides/references/changelog#12-7-0

[sebastiandenis]

@flotwig @mmonteiroc I've tried with the 12.7.0 version, the same result.

But today we've made a little test. We've run the same app on a different super domain, so we could use cy.origin(), and it worked. It looks like the whole magic for Azure AD B2C to work fine is somewhere in the cy.origin() method.

Scenario 1: app.domain.xyz -> login.domain.xyz (can't use cy.origin(), the same super domain - B2C doesn't work).
Scenario 2: app.domain2.xyz -> login.domain.xyz (can use cy.orgin(), B2C works fine).

Any ideas on how to force Cypress to let me use cy.origin between different subdomains but the same super domain?

[mmonteiroc]

Same behaviour in our side @flotwig @sebastiandenis

We face the issue only when using same "root domain" ( which is our case so we need to keep it like so ).

When we are outside of the same domain ( localhost for instance ), and we have to use cy.origin works perfectly fine !
So same question as @sebastiandenis, can we force the usage of cy.origin ?? Or maybe tell cypress how to consider a different origin?

/ping @mjhenkes as I see that @flotwig removed it self and added you :)

[mjhenkes]

You guys could try two things:

1. enable experimentalSkipDomainInjection https://docs.cypress.io/guides/references/experiments#Experimental-Skip-Domain-Injection This will allow you use cy.origin on sub domains in the same root domain, though you may see some side effects since all sub domains will be treated as cross origin

2. You could try flexing your test logic depending on if you're localhost or not, i know this isn't ideal but in CI you may not need cy.origin at all since you are in the same super domain.

Overall i think we need to address this ourselves to provide a more user friendly experience but that could take some time.

[mmonteiroc]

Will try that feature. But if you see my example code, i have the code already adapted for CI, and the issue is that fails when not using the cy.origin()
@mjhenkes

[sebastiandenis]

@mjhenkes I've tried with the skip domain injection option, but I can't make it work, Cypress fails with the error message:

cy.origin() requires the first argument to be a different origin than top. You passed app.domain.xyz to the origin command, while top is at https://app.domain.xyz

Either the intended page was not visited prior to running the cy.origin block or the cy.origin block may not be needed at all.

I've tried with different configurations (including visiting domain app.domain.xyz before using cy.origin) but the same result.

For now, as we have a dedicated environment for E2E tests, we want to test the solution that our app is on a different port than the B2C login page: app.domain.xyz:12345 -> login.domain.xyz - as we've observed it may work (Cypress doesn't complain about the same super domain).
We don't want to have a different domain for this E2E environment, but if it is necessary, probably we will do it.

[mjhenkes]

@mmonteiroc @sebastiandenis, could you guys give me a brief overview of your auth flow for both local and in ci? I've been trying to figure it out from the comments above but i'm getting lost somewhere.

I don't need any specifics, just the general flow.
ie

1. user visits www.site.com
2. user is server side redirected to auth.site.com (is it a server side redirect or a browser redirect?)
3. users enters username and password then logs in
4. user is redirected back to www.site.com

Does your site user auth tokens or cookies?

[mmonteiroc]

So on our side the flow is the following:

• User tries to access our angular SPA.
• MSAL Library detects that user is not loged in ( access token overdated / not existing )
• MSAL redirects to the login page of login ( login managed by our SSO Azure AD B2C )
• User puts email / password
• Credentials are validated
• Once validated, azure does a redirection ( 302 ) to our application, in which provides us the token through the URL

The problem on our side, is that when we dont use the cy.origin ( as cypress understands it as a same domain ), this supposed redirection of 302, converts to a 400 Bad request.
With that data, I understand that cypress has some strange issue inside the http proxy that makes this happen 🤷‍♂️

If you need, I am happy to run the tests with some logs enabled and provide you some data to help debug ? Let me know please.

[mmonteiroc]

@mjhenkes FYI, this flow mentioned above is the same one in local / ci .

The only difference is that in local, the redirections happen between localhost and login.whatever.domain.com
And in CI, the redirection is between else.whatever.domain.com