Single User error when trying to Auth Google with Microsoft


We have an app that has been in production for quite some time now. A new developer was added to the project and he is trying to sign in, but he is the only one who can't.

What we have is a webapp running on [email protected], using angular/[email protected]. We use Google Cloud Identity Platform running multiple tenants, and one of the tenants has Microsoft as a provider that hits a Microsoft Azure AD.

All other users so far have had no problem, but this specific user gets the error:

https://redacted.com/__/auth/handler?error=invalid_request&error_description=AADSTS50194: Application 'redacted'(redacted) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant. // redacted the rest of the message

The code for signin is:

import { inject } from '@angular/core';
import {
  Auth,
  OAuthProvider,
  SAMLAuthProvider,
  signInWithRedirect,
} from '@angular/fire/auth';

export class AuthDomainDataService {
  private auth = inject(Auth);

  signinWithProvider(
    requestParam: PayloadModel.SignInWithProvider
  ): Promise<never> {
    // Scope the sign-in to the Identity Platform tenant selected at login.
    this.auth.tenantId = requestParam.tenantId;

    const isSAML = requestParam.provider === 'redacted';

    const provider = isSAML
      ? new SAMLAuthProvider(requestParam.provider)
      : new OAuthProvider(requestParam.provider);

    // `typeof provider === typeof OAuthProvider` compares "object" with "function"
    // and is never true, so the scopes were never added; instanceof is the right check.
    if (provider instanceof OAuthProvider) {
      provider.addScope('profile');
      provider.addScope('email');
    }

    // `tenant` pins the Microsoft authority to one Azure AD tenant;
    // `login_hint` pre-fills the account picker with the user's email.
    provider.setCustomParameters({
      login_hint: requestParam.email,
      tenant: requestParam.microsoftTenantId,
    });

    return signInWithRedirect(this.auth, provider);
  }
}

We have custom login logic to fetch the tenant information that will be used for sign-in. Some of our tenants are GCP "default" ones (MS, Google, etc.), but we have a couple that are OIDC and SAML, hence the conditional to check which provider class to use.

The rest of the code above is pretty much standard.

The problem, as mentioned, is that we have a single person at the moment who is unable to log in. The Firebase SDK will eventually make a call to https://identitytoolkit.googleapis.com/v1/accounts:signInWithIdp?key=redacted and the response is a status code 400 with the error mentioned above.

Has anyone ever run into this issue before? At first I thought we had a race condition and the code would hit signInWithRedirect without the tenant and/or the microsoftTenantId being there, but that was not it; both are there.

I can't really think of other places to look for a solution, so I would welcome suggestions.

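As an added example (not code from the question, from Firebase, or from Angular): two small TypeScript checks that a practitioner would want around the flow described above. The Microsoft provider in Identity Platform signs users in through Azure AD's /common authority unless a `tenant` custom parameter selects a specific tenant, and AADSTS50194 is exactly Azure AD rejecting /common for a single-tenant app registration. The first function validates the `tenant` value before it is handed to setCustomParameters; the second parses the `__/auth/handler?error=...` redirect and pulls out the AADSTS code so it can be logged and alerted on rather than read off a browser URL bar. The names `buildMicrosoftParams`, `parseHandlerError` and `SAMPLE_HANDLER_URL` are assumptions made for this example; the sample URL and tenant GUID are constructed from the error text quoted in the question and are not real identifiers.

```typescript
// Added example; not part of the original post. No Firebase SDK import, so it runs offline.

// Shape of the custom parameters the post passes to OAuthProvider.setCustomParameters
// for the Microsoft provider.
interface MicrosoftCustomParams {
  login_hint?: string;
  tenant: string;
}

// Azure AD authority aliases that are NOT a specific tenant. Sending one of these
// (or nothing at all) means the request goes to the multi-tenant /common-style
// endpoint, which single-tenant app registrations refuse with AADSTS50194.
const MULTI_TENANT_ALIASES = new Set(['common', 'organizations', 'consumers']);

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i; // e.g. contoso.onmicrosoft.com

// Hypothetical guard: build the custom parameters only when `tenant` is a real
// tenant id (GUID) or verified domain. Throws instead of silently falling back
// to /common, so the failure is visible before the redirect is issued.
function buildMicrosoftParams(
  email: string | undefined,
  microsoftTenantId: string | undefined,
): MicrosoftCustomParams {
  const tenant = (microsoftTenantId ?? '').trim();
  if (tenant === '' || MULTI_TENANT_ALIASES.has(tenant.toLowerCase())) {
    throw new Error(
      `microsoftTenantId must be a tenant GUID or verified domain, got "${tenant || '<empty>'}"`,
    );
  }
  if (!GUID_RE.test(tenant) && !DOMAIN_RE.test(tenant)) {
    throw new Error(`microsoftTenantId "${tenant}" is neither a GUID nor a domain`);
  }
  const params: MicrosoftCustomParams = { tenant };
  if (email && email.trim() !== '') {
    params.login_hint = email.trim();
  }
  return params;
}

interface HandlerError {
  error: string;              // OAuth error code, e.g. invalid_request
  code: string | null;        // Azure AD error code, e.g. AADSTS50194
  mentionsCommonEndpoint: boolean;
  description: string;
}

// Hypothetical parser for the Firebase auth handler redirect URL. Returns null
// when the redirect carries no `error` parameter (i.e. a successful round trip).
function parseHandlerError(url: string): HandlerError | null {
  const parsed = new URL(url);
  const error = parsed.searchParams.get('error');
  if (!error) {
    return null;
  }
  const description = parsed.searchParams.get('error_description') ?? '';
  const match = /AADSTS\d+/.exec(description);
  return {
    error,
    code: match ? match[0] : null,
    mentionsCommonEndpoint: /\/common endpoint/i.test(description),
    description,
  };
}

// Constructed sample, built from the error text quoted in the question; the host
// and application name are the question's own redactions.
const SAMPLE_HANDLER_URL =
  'https://redacted.com/__/auth/handler?error=invalid_request&error_description=' +
  encodeURIComponent(
    "AADSTS50194: Application 'redacted'(redacted) is not configured as a multi-tenant " +
      'application. Usage of the /common endpoint is not supported for such applications ' +
      "created after '10/15/2018'. Use a tenant-specific endpoint or configure the " +
      'application to be multi-tenant.',
  );

// Constructed, non-real tenant id used only to exercise the guard.
const SAMPLE_TENANT_ID = '00000000-0000-0000-0000-000000000001';

const ok = buildMicrosoftParams('new.dev@example.com', SAMPLE_TENANT_ID);
const failure = parseHandlerError(SAMPLE_HANDLER_URL);
console.log(ok, failure);
```

Wire `buildMicrosoftParams` in front of `provider.setCustomParameters(...)` so a login-lookup that returns an empty or alias tenant aborts before `signInWithRedirect` runs, and run `parseHandlerError` on the URL the handler lands on so the AADSTS code reaches your logs instead of only the user's screen.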