Error: AADSTS50058: A silent sign-in request was sent but no user is signed in - Angular ADAL authentication issue in mobile safari browser

We have a site developed using Angular 7 and it uses the Adal-Angular4 library for Azure Active Directory authentication. When the site is browsed in Safari on an iPhone, it runs into the error below.

Error: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).

When the Prevent Cross-Site Scripting option of the Safari browser is off, authentication gets through fine. We also observed that in the Chrome browser on one of the Samsung Galaxy S8+ phones this issue occurs. Any idea what exactly is the reason for this issue and what are the ways to remediate it?

skATsof Avatar asked Apr 25 '20 09:04



3 Answers

I have faced this issue when accessing my angular application through the Chrome browser on incognito mode. By default, it disables third-party cookies with a toggle at the home page. I just disabled it and did not face the error again.

Disabling the option

munizig Avatar answered Sep 21 '22 00:09



Reason: The error occurs because a silent sign-in is sent to the login.microsoftonline.com endpoint, but the AAD SSO cookie is not being detected. This cookie determines whether the user is logged in or not. The silent sign-in is only meant to be used if the user is already known to be logged in or has a refresh token to exchange for a new access token.

Possible Resolution #1: Proactively Check for Expiration

You can attempt to prevent this error from ever occurring by checking if you have a valid ID token. If your ID token is not valid, you will ask the user to log in again.

Possible Resolution #2: Catching the Error and Asking the User to Log In Again

To resolve this error you will need to catch it in a callback that you can pass into the acquireToken ADAL JS function. If the AADSTS50058 error occurs, you'll ask the user to log in again.

Possible Resolution #3: Browser Extension Cookie Blockers and Third-Party Cookies Disabled

Some users may experience this issue due to a browser extension that is blocking cookies for tracking purposes. This will cause this AADSTS50058 error to occur; you will need to whitelist the login.microsoftonline.com endpoint in your browser extension in order to avoid receiving this error again.

This error can also occur if third-party cookies have been disabled in your browser. Re-enable third-party cookies in your browser to prevent this error from occurring.

Please refer to this link

Raghavendra beldona Avatar answered Sep 20 '22 00:09



On top of what "Raghavendra- MSFT Identity" mentioned in his answer (possible resolution #2), we managed to get it working by catching the error of the acquireToken call and then acquiring the token using the acquireTokenRedirect call. It adds one more redirection but does the job. Please note that either with ADAL or MSAL v1, this is the only option I found from whatever research I could do. MSAL v2, i.e. the @azure/msal-browser package specifically, which is based on the OAuth 2.0 Authorization Code Flow with PKCE, eliminates any need for third-party cookies and can be an appropriate option; however, it is currently in beta, so it would take some more time before it can be used for production code.

skATsof Avatar answered Sep 19 '22 00:09

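An added example (not code from the question or from any of the answers) of the pattern the two answers above describe: the proactive ID-token expiry check from resolution #1, and catching the silent-renewal failure and falling back to an interactive redirect, as in resolution #2 and the last answer. The `client` object with MSAL v1-style `acquireTokenSilent` / `acquireTokenRedirect` methods is an assumption; a mock stands in for it so the code runs offline.

```javascript
// Error codes/messages that mean "no usable session on login.microsoftonline.com,
// the user must sign in interactively" rather than a transient or network fault.
const INTERACTION_REQUIRED = [
  "AADSTS50058", "interaction_required", "login_required", "consent_required",
];

// True when the error from a silent token request should trigger interactive login.
function needsInteractiveLogin(err) {
  const code = err && err.errorCode ? String(err.errorCode) : "";
  const msg = err && err.message ? String(err.message) : "";
  return INTERACTION_REQUIRED.some((c) => code.includes(c) || msg.includes(c));
}

// Decode a JWT payload without verifying it: enough to read `exp` on the client.
// atob is a browser global and a Node >= 16 global.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try { return JSON.parse(atob(padded)); } catch { return null; }
}

// Resolution #1: treat the ID token as invalid once `exp` is within skewSeconds
// of now, so the app asks for login instead of firing a silent request that will fail.
function isIdTokenValid(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 300) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== "number") return false;
  return payload.exp - skewSeconds > nowSeconds;
}

// Resolution #2 plus the last answer: try silent renewal first; if the failure is a
// "no session" error (AADSTS50058 etc.), fall back to acquireTokenRedirect;
// any other error is rethrown so it is not hidden behind a login loop.
// `client` is a hypothetical MSAL v1-style object (acquireTokenSilent, acquireTokenRedirect).
async function acquireTokenWithFallback(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { token: result.accessToken, redirected: false };
  } catch (err) {
    if (!needsInteractiveLogin(err)) throw err;
    await client.acquireTokenRedirect(request); // navigates away; nothing more to return
    return { token: null, redirected: true };
  }
}
```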