Microsoft Tech Community

Using Azure AD Authorize endpoint fails on Windows 10


I am facing an issue when using the Authorize endpoint in Windows 10 with Google Chrome.

When requesting the following:

`GET /common/oauth2/v2.0/authorize?response_type=id_token+token&response_mode=fragment&client_id=...&redirect_uri=...&scope=openid+profile+User.Read&state=...&nonce=...&prompt=none&domain_hint=organizations&login_hint=...`

In any other environment than Windows 10 and Google Chrome (Firefox or Windows 7 for example) the authorization flow completes successfully and the redirection happens to the URL provided in the request, given the id token.

 

But on the Windows 10 + Google Chrome combination, the response is instead some HTML containing the following JavaScript file:

https://secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/cdnbundles/oldbssointerrupt_cor...

 

The script is executed and launches a new request to the authorize endpoint, with the same parameters except that a new parameter is added: `sso_reload=true`

This new request just hangs in the browser with Pending state and never gives back any response. So the authorization flow cannot finish.

 

My current User Agent is `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36`

If I relaunch the same request with another User Agent, it completes normally without any strange behavior.

 

So I have 2 questions:

1. Is there any reason for this specific behavior on Windows 10 and Chrome?
2. What is the purpose of the (undocumented) `sso_reload` parameter?

This sounds like a very specific issue, but I would appreciate any comment or lead. Thank you!

4 Replies
Will it be possible for you to test this scenario on another Windows 10 machine with Chrome installed? Before we investigate, just want to make sure this is not limited to one workstation.

Thank you for your reply.

I have tested on 3 different computers, each of them running on Windows 10 64bit with Chrome 69, and all of them show the same strange behavior described above. I could also test several machines running Windows 7 or Firefox, and none of them had this bug.

Thanks for verifying this for us @Sylvain Balansa. It seems like a bug to me. Please reach out to Azure AD support (from within the Azure Portal) with the following:

1. A Fiddler trace. Use a test account, or change the password after capturing the trace.

2. Your app's coordinates; you can get them from https://developer.microsoft.com/en-us/graph/graph-explorer (REST URI - https://graph.microsoft.com/beta/applications/<The appid as guid>)

3. The platform, OS with version (use winver), Browser and its version.

 

Do mention that the issue is reproducible.

This will help queue up a request to engineering faster for quicker resolution.
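
Added example, not part of the thread and not Microsoft tooling: the request in the original post uses `response_type=id_token token` with `response_mode=fragment`, so a capture of this flow carries tokens in the redirect URL fragment as well as session cookies. This sketch redacts those values from trace lines before they are shared; it assumes the trace has been exported as plain text, and the parameter list, header list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters whose values identify or authenticate the user (assumed list).
# Diagnostic ones (response_type, scope, prompt, sso_reload, client_id) stay readable.
SENSITIVE = {"id_token", "access_token", "refresh_token", "code",
             "client_secret", "login_hint", "state", "nonce"}
SECRET_HEADERS = re.compile(r"^(authorization|cookie|set-cookie):", re.I)

def _scrub(pairs_string):
    """Redact sensitive values in a query string or a URL fragment."""
    if "=" not in pairs_string:          # plain anchor such as #section
        return pairs_string
    pairs = parse_qsl(pairs_string, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k.lower() in SENSITIVE else v)
                      for k, v in pairs])

def redact_url(url):
    """Scrub query and fragment; response_mode=fragment puts tokens after '#'."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=_scrub(parts.query),
                                     fragment=_scrub(parts.fragment)))

def redact_trace(lines):
    """Redact URLs and credential-bearing headers in captured trace lines."""
    out = []
    for line in lines:
        if SECRET_HEADERS.match(line):
            out.append(line.split(":", 1)[0] + ": REDACTED")
            continue
        words = [redact_url(w) if "=" in w and ("?" in w or "#" in w) else w
                 for w in line.split(" ")]
        out.append(" ".join(words))
    return out

# Constructed sample lines modelled on the request in the original post.
SAMPLE = [
    "GET /common/oauth2/v2.0/authorize?response_type=id_token+token&response_mode=fragment&client_id=00000000-0000-0000-0000-000000000000&scope=openid+profile+User.Read&state=abc123&nonce=n-0S6&prompt=none&login_hint=user%40example.com&sso_reload=true HTTP/1.1",
    "Cookie: ESTSAUTH=constructed-cookie-value",
    "Location: https://app.example/callback#id_token=aaa.bbb.ccc&access_token=ddd&state=abc123",
]

if __name__ == "__main__":
    print("\n".join(redact_trace(SAMPLE)))
```

Redaction reduces exposure in the shared file but does not invalidate anything that was captured, so the advice above to use a test account or change the password afterwards still applies.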

I do not seem to have the right support level to open a technical support request from Azure portal. Is there any other way I can report this potential bug?