Rev 02 note from 06.03.2025: Section Default pages with public access is updated.
Rev 01 note: Some parts of this article were updated 09.08.2024 to conform with the RFC 3986 Uniform Resource Identifier (URI) standard.
Login process with Azure AD identity provider
When a user navigates to any secured page, Power Pages redirects the user to the sign-in page:
https://your.powerappsportals.com/SignIn
In the URLs below, 5a0c25a6-4739-ef11-8409-6045bd8728a9 is your Azure AD tenant.
Clicking the Azure AD button on this page triggers the authentication redirect, which can also be initiated by navigating to the following URL:
https://your.powerappsportals.com/Account/Login/ExternalLogin?provider=https://login.windows.net/5a0c25a6-4739-ef11-8409-6045bd8728a9/&ReturnUrl=%2F
After successful authentication, the user will be taken to the page from the ReturnUrl route. In this case it's the Home page, as %2F is the URI-encoded /.
Default pages with public access
Even if you set the Page Permissions of all your pages to the Authenticated Users web role only, some built-in pages remain publicly available by default, i.e. to users who are not authenticated:
https://your.powerappsportals.com/_layout/tokenhtml
https://your.powerappsportals.com/_services/about
https://your.powerappsportals.com/SignIn
https://your.powerappsportals.com/Account/Login
https://your.powerappsportals.com/Account/Login/Logoff
https://your.powerappsportals.com/Account/Login/Register
https://your.powerappsportals.com/Account/Login/ExternalAuthenticationFailed
https://your.powerappsportals.com/page-not-found - we will use this one for the MSAL token redirect.
If some other page is used for the token redirect, MSAL will likely return the error block_iframe_reload or hash_empty_error, since the hash with the token is manipulated by the flow.
MSAL recommends:
Our recommended mitigation for this is to set your redirectUri to a blank page that does not implement MSAL when invoking silent APIs.
For this reason, the only page we can control, i.e. set up web/page templates with the MSAL script, is ../page-not-found.
Navigation to a specific hash (fragment) after login
Let's say that I want to go directly to the following route:
https://your.powerappsportals.com/?name=valves&status=active#suppliers
If my user session is active, I can just paste this link into the URL bar and see the results I wanted. Since I'm already authenticated, no login redirect is required.
But if I'm not authenticated or my session has expired, the login redirect will be triggered with the following ReturnUrl:
https://your.powerappsportals.com/Account/Login/ExternalLogin?provider=https://login.windows.net/5a0c25a6-4739-ef11-8409-6045bd8728a9/&ReturnUrl=%2F?name=valves&status=active#suppliers
And... after successful authentication I will be redirected to the Home page instead of the requested route. This happens because the hash sign and everything after it are lost during the redirect.
How to fix
In the ReturnUrl, the hash sign # shall be replaced with %23 so that this part of the redirect URL:
...ReturnUrl=%2F?name=valves&status=active#suppliers
becomes:
...ReturnUrl=%2F?name=valves&status=active%23suppliers
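The following added example (not code from this article or from Power Pages) shows how a URL parser splits the broken and the fixed login URL, and builds the fixed form for a page on the portal. The function names are illustrative, and encoding the path with encodeURIComponent is an assumption that follows the %2F form shown above.

```javascript
// Added example. PORTAL and PROVIDER are the sample values used in this article;
// whatServerSees and buildLoginUrl are illustrative names.
const PORTAL = "https://your.powerappsportals.com";
const PROVIDER = "https://login.windows.net/5a0c25a6-4739-ef11-8409-6045bd8728a9/";
const LOGIN = PORTAL + "/Account/Login/ExternalLogin?provider=" + PROVIDER + "&ReturnUrl=";

// Split a login URL the way the browser does. The fragment stays in the browser
// and is not part of the HTTP request, so the portal only ever sees requestTarget.
function whatServerSees(loginUrl) {
  const u = new URL(loginUrl);
  return { requestTarget: u.pathname + u.search, keptInBrowser: u.hash };
}

// Build the login URL for a page on the portal, writing "#" as "%23" in ReturnUrl.
// Only targets on the portal's own origin are accepted.
function buildLoginUrl(target) {
  const t = new URL(target, PORTAL);
  if (t.origin !== PORTAL) throw new Error("target is not on " + PORTAL);
  const fragment = t.hash ? "%23" + t.hash.slice(1) : "";
  return LOGIN + encodeURIComponent(t.pathname) + t.search + fragment;
}

// Constructed inputs taken from the example in this article.
const broken = LOGIN + "%2F?name=valves&status=active#suppliers";
const fixed = buildLoginUrl("/?name=valves&status=active#suppliers");
console.log(whatServerSees(broken)); // fragment is separate from the request
console.log(whatServerSees(fixed));  // %23suppliers travels inside ReturnUrl
```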
How to automate this is in the next post...