Search code examples
azureauthenticationopenidazure-active-directoryopenid-connect

Azure AD with prompt=none shows Bad Request when user is logged in into another tenant

We have an application that supports seamless login with our Azure AD tenant account via OpenID Connect implicit flow. If user is authorized to access the app providing Azure AD issued evidence - access will be granted automatically, otherwise we show regular application login screen.

Every time when user authentication is required we redirect the user to the Azure AD login page (https://login.microsoftonline.com/xyz) specifying prompt=none.

Respecting the ODIC specification such flag should have the following effect.

The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required. This can be used as a method to check for existing authentication and/or consent.

It generally works as expected, however, there is a case where Azure AD login page will show an error screen to the End User and it happens when User logged into another Azure AD tenant.

User account '...' from identity provider 'https://sts.windows.net/.../' does not exist in tenant '...' and cannot access the application '...' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

The questions are:

  1. Does not it violate the ODIC specification?
  2. How to properly handle such cases in seamless for users fashion? (app is not in charge of what is going on after redirect to Azure AD).

screenshot

Solution

  • Though I also agree that this is a violation of the spec, can I offer a workaround?

    I believe you can try specifying domain_hint or login_hint parameter as well to help the system determine valid session. Hope it would give you the right answer regardless of which session user is signed in at the moment.