[Bug] Authentication using desktop browser sometimes closes http connection without valid response #5474
Description
Library version used
4.77.0
.NET version
.NET 8.0
Scenario
PublicClient - desktop app
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
- Try to authorize .NET Windows Destop public client application
- Use your MS credentials in browser window and authorize successfully
- Browser successfully redirected to http://localhost:xxxx/ URL
- Application successfuly receives tokens
- But the browser shows "Connection error" page
Relevant code snippets
Expected behavior
Browser does not show "connection error" window.
Browser shows "Authentication complete. You can return to the application. Feel free to close this browser tab."
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
It seems that in HttpListenerInterceptor class Respond() method does not close respond in gentle way:
private void Respond(Func<Uri, MessageAndHttpCode> responseProducer, HttpListenerContext context)
{
...
switch (messageAndCode.HttpCode)
{
...
case HttpStatusCode.OK:
byte[] buffer = System.Text.Encoding.UTF8.GetBytes(messageAndCode.Message);
context.Response.ContentLength64 = buffer.Length;
context.Response.OutputStream.Write(buffer, 0, buffer.Length);
break;
...
}
// maybe the problem is here?
context.Response.OutputStream.Close();
}
The last line should be context.Response.Close();, not context.Response.OutputStream.Close();
so when HttpListener.Abort() method called immediately after the Response() call, our response can be thrown away and browser gets closed socket without any response.