Can MSAL be used with my own authority (e.g. IdentityServer)


I have my own identity authority set up using the Identity Server.

I'm running a native Windows application and currently I'm using IdentityModel's OidcClient library to connect to the authority and obtain the token.

I want to add support for Azure AD, and since I haven't been able to set up the application in Azure AD to use the HybridWithProofKey flow, and I found this MSAL, I've decided to give it a shot.

In MSAL there is a PublicClientApplication class which accepts the authority string in its constructor (source).

When passing my URL to this constructor I imagined it would use the discovery service, find the correct endpoints and do its job. But to my surprise this doesn't work.

I get the following error message:
AADSTS50049: Unknown or invalid instance. Searching the MSAL GitHub repository for AADSTS50049 returned zero results. I've cloned the project and started debugging.

I've figured out that the request is not sent to my authority URL; instead there is a GET request to
GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https%3A%2F%2Fmyidentityserverhostname%2Fidentityserver%2Foauth2%2Fv2.0%2Fauthorize HTTP/1.1

This request is made in this source, and it returns the error above.

So, is MSAL intended to be used with non-Azure authorities?
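The two discovery paths the question compares, as an added illustration (not code from the question, from MSAL or from IdentityModel.OidcClient): a generic OpenID Connect client resolves its endpoints from the authority's own /.well-known/openid-configuration document, whereas the request captured above shows MSAL deriving an AAD-shaped authorization endpoint from the authority and asking Azure AD's instance-discovery service to validate it, which is the step that fails for a non-Microsoft host. The rest of the block does the client side of the code flow with PKCE (the "proof key" part of the HybridWithProofKey flow) against that metadata: validating the discovery document, building the authorize URL, checking the callback state and assembling the token request. The authority host is the one from the question; the discovery document, endpoint paths, client id, redirect URI and scopes are constructed sample data, and nothing here touches the network.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AAD_INSTANCE_DISCOVERY = "https://login.microsoftonline.com/common/discovery/instance"

# Constructed sample data: the authority from the question and a discovery
# document a hypothetical IdentityServer instance might serve. The endpoint
# paths are assumptions, not taken from any real deployment.
SAMPLE_AUTHORITY = "https://myidentityserverhostname/identityserver"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": SAMPLE_AUTHORITY,
    "authorization_endpoint": SAMPLE_AUTHORITY + "/connect/authorize",
    "token_endpoint": SAMPLE_AUTHORITY + "/connect/token",
    "code_challenge_methods_supported": ["plain", "S256"],
})


def oidc_discovery_url(authority):
    """Where a generic OIDC client looks up endpoints for any authority."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def msal_instance_discovery_url(authority):
    """The request the question captured MSAL making instead: an AAD-style
    authorization endpoint is derived from the authority and sent to Azure AD's
    instance-discovery service. That service only knows Microsoft-operated
    authorities, so a custom host comes back as AADSTS50049."""
    authorization_endpoint = authority.rstrip("/") + "/oauth2/v2.0/authorize"
    query = urlencode({"api-version": "1.0", "authorization_endpoint": authorization_endpoint})
    return AAD_INSTANCE_DISCOVERY + "?" + query


def parse_discovery(doc_json, authority):
    """Validate the discovery document before trusting any endpoint in it."""
    md = json.loads(doc_json)
    # The issuer must equal the configured authority; otherwise a hostile or
    # misconfigured document could point the client at someone else's endpoints.
    if md.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        raise ValueError("issuer %r does not match authority %r" % (md.get("issuer"), authority))
    for endpoint in ("authorization_endpoint", "token_endpoint"):
        if not md.get(endpoint, "").startswith("https://"):
            raise ValueError("%s missing or not https" % endpoint)
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    return md


def pkce_pair(verifier=None):
    """RFC 7636 code_verifier and its S256 code_challenge (base64url, no padding)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(md, client_id, redirect_uri, scopes, state, challenge):
    """Authorization request for the code flow; the challenge binds the later
    token exchange to this client instance, the state binds the callback."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return md["authorization_endpoint"] + "?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Extract the code from the redirect; reject error responses and any
    callback whose state is not the one this client sent."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise RuntimeError("authorization failed: %s" % qs["error"][0])
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    return qs["code"][0]


def build_token_request(md, code, verifier, client_id, redirect_uri):
    """Token endpoint and form body; the verifier proves we started the flow."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    return md["token_endpoint"], body


if __name__ == "__main__":
    print("OIDC client would fetch:", oidc_discovery_url(SAMPLE_AUTHORITY))
    print("MSAL asks AAD instead:  ", msal_instance_discovery_url(SAMPLE_AUTHORITY))
    metadata = parse_discovery(SAMPLE_DISCOVERY_DOC, SAMPLE_AUTHORITY)
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(metadata, "native-app", "http://127.0.0.1:7890/callback",
                              ["openid", "api1"], state, challenge))
```

The instance-discovery URL the block reproduces matches the captured request line for line, which is the quickest way to confirm from a proxy log that MSAL never consulted the custom authority's own metadata. The issuer and state checks are the two a generic client must keep even when the library does discovery for it.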


There are 3 answers

leastprivilege (best answer)

No. It's a proprietary client library for their proprietary backend.

Alex Klaus

Using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and other OIDC providers.

Also, vendors of custom OpenID Connect servers provide their own extensions (see the IdentityServer docs and the OpenIddict samples).

As per this official example, MSAL is not required if you're only signing users in. They claim:

MSAL is used for fetching access for accessing protected APIs

BTW, if you're interested in MSAL.JS, then it's a completely different story – https://stackoverflow.com/a/73618966/968003.

BinaryJam

Yes it can.

You need to use the Azure B2C library; it can be configured with other identity providers, like Facebook, Google, LinkedIn etc.

There is also an option to utilise a custom IdP, if it conforms to OpenID.

See here. https://go.microsoft.com/fwlink/?linkid=854174