Unable to use Msal localStorage option on Azure Frontdoor (with WAF) hosted website #7537

Open
2 tasks
yurnih opened this issue Jan 28, 2025 · 2 comments
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments


yurnih commented Jan 28, 2025

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

4.0.2

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

4.0.2

Public or Confidential Client?

Public

Description

When upgrading to MSAL v4 and using localStorage as the backend for caching, MSAL creates a session cookie msal.cache.encryption as described in the docs. This cookie stores a JSON string with the following format: {"id":"...uuid...","key":"qQfZ7...oWmXE"}. The contents of this cookie trigger web application firewall rules for SQL injections.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

{
  auth: {
    clientId: msal.clientId,
    authority: `https://login.microsoftonline.com/${msal.tenantId}`,
    redirectUri: '/account/login',
    navigateToLoginRequestUrl: true,
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage,
  }
}

Relevant Code Snippets

private tryMsalLogin(allowRedirect: boolean = true, background: boolean = false) {
  if (this.msal.instance.getAllAccounts().length === 0) {
    if (!allowRedirect) return;
    return this.loginRedirect();
  }
  this.msal
    .acquireTokenSilent({
      scopes: this.env.appScope,
      account: this.msal.instance.getAllAccounts()[0],
    })
    .subscribe({
      next: (value) => this.setToken(value.accessToken, background),
      error: (_) => {
        if (!allowRedirect) return;
        this.loginRedirect();
      },
    });
}

private loginRedirect(): void {
  this.msal.loginRedirect({
    scopes: ['openid', 'email', 'offline_access', ...this.env.appScope],
  });
}

Reproduction Steps

  1. Create an application with MSAL v4
  2. Deploy behind Azure Front Door with web application firewall rules turned on
  3. Login in application
  4. After login is finished and local storage / cookies are set, all following requests on the domain are blocked (Detects MySQL comment-/space-obfuscated injections and backtick termination / Detects basic SQL authentication bypass attempts / Detects classic SQL injection probings)

Expected Behavior

Similar to MSAL v3

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari, Other

Regression

@azure/msal-browser ^3

@yurnih yurnih added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jan 28, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 28, 2025
@github-actions github-actions bot added msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Jan 28, 2025

plamber commented Feb 13, 2025

Hello,
I can confirm that the issue also occurs on our end. Our SPA applications are hosted behind Azure Front Door, and SQL rules 942370, 942200, and 942000 are being triggered, causing the site to stop serving content.


We temporarily disabled the prevention mode in our WAF policies to better understand how to create a proper exclusion rule. Ideally, this should be addressed within the library itself to prevent these false positives from occurring.

We appreciate your support in resolving this. Can maybe @tnorling help us out?

@yurnih: Have you already implemented a workaround for this?

Best regards,
Patrick
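As an added illustration, not code from this issue or from the MSAL.js project, of the scoped exclusion asked about above: a Bicep fragment for an Azure Front Door WAF policy that keeps Prevention mode and the SQLI rule group enabled, but excludes only the msal.cache.encryption cookie from the three rule IDs named in this thread (942370, 942200, 942000). The cookie name and rule IDs come from the thread; the policy name, the Premium SKU, the DRS version 2.1 and the rule group name are assumptions for the example.

```bicep
// Added example: Azure Front Door WAF policy with a per-rule exclusion
// for the MSAL v4 cache-encryption cookie. Not part of the issue thread.
// Assumptions: Premium SKU (required for managed rules), DRS 2.1,
// rule group 'SQLI', rule IDs as reported in the thread.

@description('Name of the WAF policy (assumed value)')
param wafPolicyName string = 'msalspawaf'

// The cookie MSAL v4 writes when cacheLocation is localStorage.
var msalCookieName = 'msal.cache.encryption'

// Only the rules that fire on the cookie's base64 key, per the thread.
var affectedSqliRules = [
  '942370'
  '942200'
  '942000'
]

// Exclusion scoped to the exact cookie name: other cookies, headers,
// query strings and bodies are still inspected by these rules.
var msalCookieExclusion = {
  matchVariable: 'RequestCookieNames'
  selectorMatchOperator: 'Equals'
  selector: msalCookieName
}

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: wafPolicyName
  location: 'global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      // Stay in Prevention mode; the exclusion removes the false positive
      // without dropping the whole WAF to Detection.
      mode: 'Prevention'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.1'
          ruleSetAction: 'Block'
          ruleGroupOverrides: [
            {
              ruleGroupName: 'SQLI'
              // Rules stay enabled and blocking; only the named cookie is
              // excluded from their inspection.
              rules: [for ruleId in affectedSqliRules: {
                ruleId: ruleId
                enabledState: 'Enabled'
                action: 'Block'
                exclusions: [
                  msalCookieExclusion
                ]
              }]
            }
          ]
        }
      ]
    }
  }
}
```

Prefer this per-rule scoping over a rule-set-wide exclusion of the cookie or over disabling the three rules: the cookie value is a library-generated random key, so excluding that single cookie name costs nothing in coverage, whereas disabling the rules weakens SQL injection detection for every other request part. After deploying, confirm in the FrontDoorWebApplicationFirewallLog category that the blocks on the MSAL cookie stop and that no other rule ID starts firing on the same requests.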

adrianmartinm commented

I'm getting blocked too if I use LocalStorage, any news on this?
