# "error deserializing scope: `localhost` is not a valid URL pattern"


supple sigil
#

When returning an authentication request from Microsoft Entra I get this logged. I'm using the msal/browser package and providing a custom network client using the Tauri http plugin to be able to make the network requests. All was going well until I got this error.

"error deserializing scope: localhost is not a valid URL pattern: a relative input without a base URL is not valid"

modest wing
#

I assume this is about the remote property in your capabilities file? Can you show that config?

supple sigil
#

```json
{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "default",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "core:default",
    "opener:default",
    {
      "identifier": "http:default",
      "allow": [
        {
          "url": "https://*.tauri.app"
        },
        {
          "url": "https://login.microsoftonline.com/"
        },
        {
          "url": "https://*.msauth.net/"
        },
        {
          "url": "localhost"
        }
      ],
      "deny": [
        {
          "url": "https://private.tauri.app"
        }
      ]
    }
  ]
}
```

supple sigil
#

It could be a very Azure-specific thing also. Attempting to use the msal browser package to implement SSO.

supple sigil
#

I've tried the https://github.com/FabianLars/tauri-plugin-oauth but keep getting:
Failed to load resource: Could not connect to the server. http://localhost:<port>/cb

with this printed in the window:
Please return to the app.

which I've been attempting to invoke using:

```ts
const loginRedirect = async () => {
  if (!port.value) {
    console.log("Starting OAuth server...")

    port.value = await start()
    console.log("server started on " + port.value)
  }

  if (!port.value) {
    console.error("OAuth server failed to start.")
    return
  }

  const redirectRequest: RedirectRequest = {
    scopes: ["openid", "profile", "User.Read"],
    redirectUri: `http://localhost:${port.value}`
  }
  try {
    console.log("Calling loginRedirect...")
    await onUrl(async (url) => {
      console.log("Received OAuth URL:", url)
      // Handle the OAuth redirect
    })

    const test = await msalInstance.acquireTokenRedirect(redirectRequest)
    console.log("TEST:: ", test)
  } catch (error) {
    console.error("Login redirect failed:", error)
  }
}
```


supple sigil
#

I used your example/vanilla/main.ts file and made this, with the same result:

```ts
const msalConfig = {
  auth: {
    clientId: "<client-id>", // Replace with your Azure app client ID
    authority: "https://login.microsoftonline.com/<tenant-id>", // Replace with your tenant ID
    redirectUri: "http://localhost",
  },
};
```

#

```ts
async function startServerTS() {
  const msalInstance =
    await PublicClientApplication.createPublicClientApplication(msalConfig);
  if (resultEl) {
    await stopCurrentServer();
    try {
      // Start the OAuth server
      const port = await start();
      currentPort = port;
      isRustServer = false;
      resultEl.textContent = `OAuth server started on port ${port}`;

      const unlistenUrl = await onUrl(async (url: string) => {
        console.log("Received OAuth URL:", url);

        try {
          const response = await msalInstance.handleRedirectPromise();
          if (response) {
            console.log("Authentication successful:", response);
            resultEl!.textContent += `\nAuthentication successful: ${response}`;
          } else {
            console.warn("No response");
          }
        } catch (error) {
          console.error("Error", error);
        } finally {
          await stopCurrentServer();
        }
      });

      const unlistenInvalidUrl = await onInvalidUrl((error: any) => {
        resultEl!.textContent += `\nReceived invalid OAuth URL: ${error}`;
      });

      const redirectRequest: RedirectRequest = {
        scopes: ["openid", "profile", "User.Read"],
        redirectUri: `http://localhost:${port}`,
      };

      try {
        console.log("Calling loginRedirect...");
        await msalInstance.loginRedirect(redirectRequest);
      } catch (error) {
        console.error("Login redirect failed:", error);
      }

      // Store unlisten functions to call them when stopping the server
      (window as any).unlistenFunctions = [unlistenUrl, unlistenInvalidUrl];
    } catch (error) {
      resultEl.textContent = `Error starting OAuth server (TypeScript): ${error}`;
    }
  }
}
```

supple sigil
#

So I got it to work by fixing:

```
"permissions": [
  "core:default",
  "opener:default",
  {
    "identifier": "http:default",
    "allow": [
      {
        "url": "https://*.tauri.app"
      },
      {
        "url": "https://login.microsoftonline.com/"
      },
      {
        "url": "https://*.msauth.net/"
      },
      {
        "url": "localhost" --> "http://localhost"
      }
    ],
    "deny": [
      {
        "url": "https://private.tauri.app"
      }
    ]
  }
]
```

but this only works with a SPA flow and not a desktop client setup in Azure.. feel like it's not the best solution tbh

modest wing
#

> but this only works with a SPA flow and not a desktop client setup in azure.. feel like its not the best solution tbh

hmm yeah, that's kinda what the oauth plugin you linked was created for (but for Google OAuth). The alternative is deep links, if Azure supports that.
Both kinda expect you to do the auth in the user's actual browser and then redirect back to the app. They may work for an in-app flow too, but then using the on_navigation API in Rust is probably better suited.

supple sigil
#

Thanks mate, I got it sorted 🙂

I used an Azure app registration > Authentication > Mobile & Desktop registration > redirect URI > http://localhost

then I realised that the config.response parameter was what was being rendered to the screen, so I ported your plugin code over to my project and instead handled the different Tauri OS environments (based on if dev) e.g. custom protocol http://localhost or tauri://localhost and then returned an HTTP redirect 302 and JS redirect back to "/" and was able to successfully authenticate and return to the frontend application 🙂

appreciate the help

#

Azure does support deep links but I dev on Mac and I don't want to mess around with building the app every time in between changes

modest wing
#

but glad you figured it all out now :)
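
Added example, not part of the thread and not Tauri's own validation code: a small Node.js lint for the `url` entries of an `http:default` scope that flags a scheme-less entry like the `localhost` one behind the error above. It approximates the check with the WHATWG `URL` parser; the function names, the verdict labels, and the extra warning for plain `http://` to non-loopback hosts are assumptions of this example.

```javascript
// Constructed sample, modelled on the capability file posted in the thread.
const capability = {
  permissions: [
    "core:default",
    {
      identifier: "http:default",
      allow: [
        { url: "https://*.tauri.app" },
        { url: "https://login.microsoftonline.com/" },
        { url: "localhost" },
      ],
      deny: [{ url: "https://private.tauri.app" }],
    },
  ],
};
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Verdicts (labels are this example's own): "relative" = no scheme, the case
// from the thread; "scheme" = not http(s); "cleartext" = http:// off-loopback.
function checkScopeUrl(pattern) {
  let parsed;
  try {
    // Swap wildcards for a plain label so only the URL shape is tested.
    parsed = new URL(pattern.replace(/\*/g, "wildcard"));
  } catch {
    return "relative";
  }
  if (!["http:", "https:"].includes(parsed.protocol)) return "scheme";
  if (parsed.protocol === "http:" && !LOOPBACK.has(parsed.hostname)) return "cleartext";
  return "ok";
}

function lintCapability(cap) {
  const findings = [];
  for (const perm of cap.permissions) {
    if (typeof perm === "string") continue; // plain permission, no scope
    for (const list of ["allow", "deny"]) {
      for (const { url } of perm[list] ?? []) {
        const verdict = checkScopeUrl(url);
        if (verdict !== "ok") findings.push({ list, url, verdict });
      }
    }
  }
  return findings;
}

console.log(lintCapability(capability));
```

The `"scheme"` verdict also catches `localhost:3000`, which the URL parser accepts as an absolute URL with the scheme `localhost:`.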