loginPopup() never returns when redirect page is on another domain

[willlahr]

Core Library

MSAL.js (@azure/msal-browser)

Wrapper Library

Not Applicable

Public or Confidential Client?

Public

Documentation Location

docs.microsoft.com

Description

I've got a single page SPFx app which is aiming to get some api tokens to pass to another app in order to let it access the graph api. My SPFx app calls loginPopup() and everything goes well, to the point where my redirect page (on a different domain from the SPFx app) is rendered and has a code and client_info in the url. I've not found any authorititave docs on how this process is suppsed to be completed. CoPilot has suggested running msalInstance.handleRedirectPromise(window.location.href)
But with extra logging turned on i can see that i get the message: 'msal.js.browser@2.35.0 : Info - handleRedirectPromise called but there is no interaction in progress, returning null.'
I can see that the initial call to loginPopup() is waiting for something, and it correctly throws an error (user_cancelled) if i just close the popup, so it doesn't seem like I'm that far off where I should be. I can't find a page or example in the documents that describes the flow for loginPopup() and I'm not sure if this is even the right approach.

[tnorling]

This is expected behavior as per design. The redirectUri must be on the same domain as where you started the flow. The browser blocks access to the hash fragment and storage in cross-origin contexts for privacy reasons and this is a hard technical blocker even if we wanted to try to support this use case.

For SPFx apps you should be using Sharepoint's auth library instead of MSAL directly