Can MSAL be used with my own authority (e.g. IdentityServer)
I have my own identity authority set up using the Identity Server.

I'm running a native Windows application and currently I'm using IdentityModel's OidcClient library to connect to the authority and obtain the token.

I want to add support for Azure AD, and since I haven't been able to set up the application on Azure AD to use the HybridWithProofKey flow and found MSAL, I've decided to give it a shot.

In MSAL there is a PublicClientApplication class which accepts the string authority in its constructor (source).

When passing my URL in this constructor I imagined it would use the discovery service, find the correct endpoints and do its job. But to my surprise this doesn't work.

I get the following error message:
AADSTS50049: Unknown or invalid instance. Searching the MSAL GitHub repository for AADSTS50049 returned zero results. I've cloned the project and started debugging.

I've figured out that the request isn't sent to my authority URL; instead there is a GET request to:
GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https%3A%2F%2Fmyidentityserverhostname%2Fidentityserver%2Foauth2%2Fv2.0%2Fauthorize HTTP/1.1

This request is done in this source and it returns the error above.

So, is MSAL intended to be used with non-Azure authorities?

Faubion answered 29/8, 2017 at 6:42
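For contrast with the instance-discovery request the asker observed (a call to login.microsoftonline.com that validates the authority against Azure AD's known instances), here is what a generic OpenID Connect client does with a custom authority: it fetches `<authority>/.well-known/openid-configuration` and checks that the document actually describes that authority before trusting any endpoint in it. This is an added Python example, not code from the question or from MSAL; the host `idp.example.test`, the `/connect/...` paths and the discovery document itself are constructed for the example, and the "every endpoint on the issuer's host" rule is a deliberately strict policy choice, not a protocol requirement.

```python
"""OIDC discovery lookup with issuer validation (constructed example)."""
import json
from urllib.parse import urlparse

# Constructed discovery document for a hypothetical IdentityServer authority.
# The host idp.example.test is an assumption; a real authority serves this
# document at <authority>/.well-known/openid-configuration.
AUTHORITY = "https://idp.example.test/identityserver"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": AUTHORITY,
    "authorization_endpoint": AUTHORITY + "/connect/authorize",
    "token_endpoint": AUTHORITY + "/connect/token",
    "jwks_uri": AUTHORITY + "/.well-known/openid-configuration/jwks",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(authority):
    """Where a generic OIDC client looks up metadata for the given authority."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(authority, document_json):
    """Parse a discovery document and check it really describes `authority`.

    Raises ValueError on any problem; returns the validated endpoint map.
    """
    doc = json.loads(document_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError("discovery document missing keys: %s" % ", ".join(missing))

    # The issuer the server claims must be the authority we configured; otherwise
    # tokens minted by some other issuer could end up being accepted.
    if doc["issuer"].rstrip("/") != authority.rstrip("/"):
        raise ValueError("issuer %r does not match authority %r" % (doc["issuer"], authority))

    # Strict policy (an assumption of this example): every endpoint must be
    # https and live on the issuer's own host, so a tampered document cannot
    # redirect the token exchange or key lookup elsewhere.
    issuer_host = urlparse(doc["issuer"]).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parsed = urlparse(doc[key])
        if parsed.scheme != "https":
            raise ValueError("%s must use https, got %r" % (key, doc[key]))
        if parsed.netloc != issuer_host:
            raise ValueError("%s host %r differs from issuer host %r"
                             % (key, parsed.netloc, issuer_host))

    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        # A public (native) client should use the code flow with PKCE, so record
        # whether the server advertises S256 code challenges.
        "pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
    }


def is_valid_for(authority, document_json):
    """Boolean wrapper around validate_discovery for quick checks."""
    try:
        validate_discovery(authority, document_json)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(discovery_url(AUTHORITY))
    print(json.dumps(validate_discovery(AUTHORITY, SAMPLE_DISCOVERY_JSON), indent=2))
```

Feeding the same document to `validate_discovery` with a different authority (for instance an Azure AD `common` authority) fails the issuer check, which is the mirror image of the AADSTS50049 failure in the question: each side only accepts metadata for the authority it was configured with.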
No. It's a proprietary client library for their proprietary backend.

Bloodcurdling answered 29/8, 2017 at 12:3

Any idea if IdentityModel.OidcClient can be used with AzureAD? – Construction
A bit nuanced, but the library is open source under the MIT License, but built to only hit the Azure AD service. – Deflected
I never tried OidcClient with AAD. OidcClient is certified, AAD isn't. So I doubt it. openid.net/certification – Bloodcurdling

Yes it can.

You need to use the Azure B2C library; it can be configured with other identity providers, like Facebook, Google, LinkedIn etc.

There is also an option to utilise a custom IDP, if it conforms to OpenID.

See here: https://go.microsoft.com/fwlink/?linkid=854174

Landy answered 27/9, 2019 at 14:39

Using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and other OIDC providers.

Also, vendors of custom OpenID Connect servers provide their own extensions (see the IdentityServer docs and OpenIddict samples).

As per this official example, MSAL is not required if you're only signing users in. They claim:

MSAL is used for fetching access for accessing protected APIs

BTW, if you're interested in MSAL.JS, then it's a completely different story – https://mcmap.net/q/1105126/-using-msal-with-non-microsoft-identity-providers.

Hannover answered 6/9, 2022 at 8:38