I am using hello.js to sign in to Microsoft Graph.

First I initialized it with

hello.init({
    msft: {
      id: myAppId,
      oauth: {
        version: 2,
        auth: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
      },
      scope_delim: ' ',
      form: false
    },
  },
  { redirect_uri: window.location.href }
);

Then I signed in successfully in my app

hello('msft').login({ scope: 'User.Read' })

This is what hello.js saved in localStorage after signing in.

{
  "msft": {
    "access_token":"aLongToken",
    "token_type":"Bearer",
    "expires_in":3599,
    "scope":"basic,User.Read",
    "state":"",
    "session_state":"f034f785-f8d0-4cec-aab4-88559c9d93dd",
    "client_id":"a91e6907-2b6e-4793-848d-633e960e809d",
    "network":"msft",
    "display":"popup",
    "redirect_uri":"http://localhost:3006/login",
    "expires":1501800737.361
  }
}

However, when I try to refresh the access_token

hello('msft').login({
  display: 'none',
  response_type: 'id_token token',
  response_mode: 'fragment',
  nonce: 'my-app',
  prompt: 'none',
  scope: 'User.Read',
  login_hint: 'Rose.Bukater@company.com',
  domain_hint: 'organizations'
})

I got the error

AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).

I am using Chrome.

I found this issue on GitHub, but I still didn't figure out how to refresh correctly.


UPDATE:

After disabling Allow Implicit Flow at https://apps.dev.microsoft.com, I now even fail to log in. So this is not the correct solution. hello.js saved this error in localStorage:

{
  "msft": {
    "error": {
      "code":"unsupported_response_type",
      "message":"AADSTS70005: response_type 'token' is not enabled for the application\r\nTrace ID: 1dc20dd0-cab3-41b5-9849-2a7e35d60700\r\nCorrelation ID: caacce8f-6763-405d-a840-70c24d5306d4\r\nTimestamp: 2017-08-04 21:56:42Z"
    },
    "error_description":"AADSTS70005: response_type 'token' is not enabled for the application\r\nTrace ID: 1dc20dd0-cab3-41b5-9849-2a7e35d60700\r\nCorrelation ID: caacce8f-6763-405d-a840-70c24d5306d4\r\nTimestamp: 2017-08-04 21:56:42Z",
    "state":"",
    "client_id":"a91e6907-2b6e-4793-848d-633e960e809d",
    "network":"msft",
    "display":"popup",
    "redirect_uri":"http://localhost:3006/login",
    "scope":"basic,User.Read"
  }
}
Hongbo Miao

2 Answers

It happens when the cookie of the user currently signed in to login.microsoftonline.com has expired. The way we handle it is to redirect the user to the sign-in page with the current page as the redirect_uri parameter.

baywet
  • hello.js saved the token in localStorage. I didn't see it using cookies. And actually, to test the refresh token, I did it just 20s after signing in, so I don't think anything is expired. Maybe something else causes this? – Hongbo Miao Aug 04 '17 at 02:12
  • If you have a look at the first token you're getting, does it contain a refresh token? Are you leveraging explicit Grant or implicit flow? – baywet Aug 04 '17 at 02:31
  • I think I only have a refresh token; I added it to my question. – Hongbo Miao Aug 04 '17 at 03:01
  • To me it looks like you're using the implicit flow, and this is why you don't get a refresh token and only an access token. – baywet Aug 04 '17 at 21:36
  • After disabling it, now I cannot even log in. This is a single-page app, so the implicit flow has to be turned on, right? If yes, then is there any other way I can refresh the token? – Hongbo Miao Aug 04 '17 at 22:07
  • When it comes to auth for a SPA you have two choices: implicit, which doesn't require any backend, is very simple, and doesn't give you a refresh token; or the authorization code flow, which requires a secret (most of the time people rely on a backend to hold that) and provides a refresh token. You can read more about that in this blog post: https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows – baywet Aug 04 '17 at 23:17
I found the issue. My code in the question is totally correct. The reason for this issue is that in our company each person has two emails:

  • one is the full-name email Rose.Bukater@company.com
  • one is the alias email rosebuk@company.com, which is the userPrincipalName property

For the login_hint below, it has to be the alias email.

hello('msft').login({
  display: 'none',
  response_type: 'id_token token',
  response_mode: 'fragment',
  nonce: 'my-app',
  prompt: 'none',
  scope: 'User.Read',
  login_hint: 'Rose.Bukater@company.com',  // <- has to be rosebuk@company.com
  domain_hint: 'organizations'
})
Hongbo Miao
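Putting both answers together (the AADSTS50058 fallback from baywet's answer and the userPrincipalName login_hint from the accepted answer), here is an added example that is not from the question or from hello.js: helpers that decide when to refresh, build the prompt=none options from a Graph /me-shaped profile (an assumed input shape), and classify the AADSTS code hello.js saves so the caller knows whether an interactive login can fix it.

```javascript
// Added helpers (not from the question or from hello.js) for the silent-refresh
// flow discussed above. They only build and inspect data; the caller still makes
// the actual hello('msft').login(...) call.

// Constructed sample in the shape hello.js stores under "msft" (see the question).
const SAMPLE_SESSION = {
  access_token: 'aLongToken',
  scope: 'basic,User.Read',
  expires: 1501800737.361, // hello.js stores this as a Unix timestamp in seconds
};

// Refresh a little before expiry so a request in flight does not carry a dead token.
function needsRefresh(session, nowSeconds, skewSeconds = 60) {
  return !session || !session.access_token || nowSeconds >= session.expires - skewSeconds;
}

// The accepted answer's point: login_hint must be the account's userPrincipalName
// (the alias address), not the display address in `mail`. `profile` is assumed to
// look like the Graph /me response ({ mail, userPrincipalName, ... }).
function loginHintFor(profile) {
  if (!profile || typeof profile.userPrincipalName !== 'string') {
    throw new Error('profile.userPrincipalName is required for login_hint');
  }
  return profile.userPrincipalName;
}

// Options for hello('msft').login(...) with prompt=none. `nonce` is caller-supplied
// and should be a fresh random value per request (e.g. crypto.randomUUID()).
function silentLoginOptions(profile, scope, nonce) {
  return {
    display: 'none',
    response_type: 'id_token token',
    response_mode: 'fragment',
    nonce,
    prompt: 'none',
    scope,
    login_hint: loginHintFor(profile),
    domain_hint: 'organizations',
  };
}

// Map the AADSTS code in an error saved by hello.js (either the inner `error`
// object or the outer record) to the action it requires, using only the two
// codes that appear in the question.
function classifyAuthError(error) {
  const text = (error && (error.message || error.error_description)) || '';
  const match = /AADSTS(\d+)/.exec(text);
  switch (match && match[1]) {
    case '50058': return 'interaction_required'; // no Azure AD session cookie: fall back to an interactive login
    case '70005': return 'app_registration';     // response_type not enabled: fix the registration, retrying will not help
    default: return 'unknown';
  }
}
```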