ADAL JS and zones in IE and Edge

Active Directory Authentication Library for JavaScript (ADAL JS) is actually a very nice library to take care of your authentication against Azure Active Directory. Unfortunately the library doesn’t work with IE or Edge as soon as the web application that is using the ADAL JS library is in a different security zone than “https://login.microsoftonline.com”. The reason for this is that IE and Edge don’t allow cookie sharing between zones. Since “https://login.microsoftonline.com” should not reside in any security zone this means that your application cannot be in any zone either. Now why is this such a huge problem?

Most of the applications you register in Azure Active Directory will in fact be internal applications. And most of these applications will reside in the “Local intranet” zone or “Trusted sites” zone. And exactly those applications won’t work with the ADAL JS library if the client is using IE or Edge, unless you add “https://login.microsoftonline.com” to that same zone.

Adding “https://login.microsoftonline.com” to a specific zone might solve your issue for one application, but if you have applications in both the “Local intranet” zone and the “Trusted sites” zone, you are out of luck, as sites (including “https://login.microsoftonline.com”) cannot be part of multiple zones.

In each and every other browser you will not encounter any of these issues, as they don’t have this cookie sharing limitation.
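
The zone mismatch described above, as an added example that is not part of the original post or of ADAL JS. It is a simplified model of explicit zone site lists (the `.example` host names and all function names are constructed for illustration) that reports, for each possible placement of the login endpoint, which applications end up in a different zone.

```javascript
// Added example: a simplified model of explicit zone site lists, not browser or ADAL JS code.
const LOGIN = "https://login.microsoftonline.com";
const DEFAULT_ZONE = "Internet"; // assumption: unlisted sites land here

// True if url matches a site-list entry such as "https://*.corp.example".
function matchesEntry(url, entry) {
  const u = new URL(url);
  const [, scheme, pattern] = /^(?:([a-z]+):\/\/)?(.+)$/i.exec(entry);
  if (scheme && scheme.toLowerCase() + ":" !== u.protocol) return false;
  const p = pattern.toLowerCase();
  return p.startsWith("*.") ? u.hostname.endsWith(p.slice(1)) : u.hostname === p;
}

// zoneLists: { zoneName: [entries] }; the first zone with a matching entry wins.
function zoneOf(url, zoneLists) {
  for (const [zone, entries] of Object.entries(zoneLists)) {
    if (entries.some((e) => matchesEntry(url, e))) return zone;
  }
  return DEFAULT_ZONE;
}

// Apps whose zone differs from the login endpoint's zone.
function brokenApps(appUrls, zoneLists) {
  const loginZone = zoneOf(LOGIN, zoneLists);
  return appUrls.filter((app) => zoneOf(app, zoneLists) !== loginZone);
}

// Place the login endpoint in each zone in turn (a site can be in only one zone).
function tryLoginPlacements(appUrls, zoneLists) {
  const result = {};
  for (const target of [DEFAULT_ZONE, ...Object.keys(zoneLists)]) {
    const lists = {};
    for (const [zone, entries] of Object.entries(zoneLists)) {
      lists[zone] = entries.filter((e) => !matchesEntry(LOGIN, e));
      if (zone === target) lists[zone].push(LOGIN);
    }
    result[target] = brokenApps(appUrls, lists);
  }
  return result;
}

// Constructed sample: one internal app per zone.
const sampleZones = {
  "Local intranet": ["https://*.corp.example"],
  "Trusted sites": ["https://partner-portal.example"],
};
const sampleApps = ["https://hr.corp.example/", "https://partner-portal.example/"];
console.log(tryLoginPlacements(sampleApps, sampleZones));
```

With one application in each zone, every placement of the login endpoint leaves at least one application in a different zone.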

I wonder when they will solve this issue, because the advice to just remove “protected mode” for the “Internet zone” on the ADAL JS GitHub site makes me shiver when I realize that these same people wrote this authentication library.

Reliable Microsoft

Microsoft has released a new future proof development method, with the last 3 versions of SharePoint. We’ve seen Sandboxed solutions, CAM applications (or should I say Add-ins?) and now they are about to release the ‘SharePoint Framework’. SharePoint is responsive now and our enterprise collaboration platform will work much better on mobile devices.

Public sites, like WordPress, must be responsive and mobile first nowadays, but collaboration sites for office workers can and should definitely focus on desktop (only?). If you want to add a limited, search driven, mobile view on top, sure, go ahead, but not mobile first. Weird as it may seem, in the enterprises I visit, most employees still use a desktop or laptop for office work. I don’t see a lot of employees with an empty desk, writing Word documents with their thumbs.

The funny part is that in January 2015 Microsoft discontinued the “SharePoint Online Public Website feature” for the following reason: “As part of the evolution of the Office 365 service, we periodically evaluate the capabilities of the service to make sure that we’re delivering the utmost value to customers. After careful consideration, we concluded that for public websites, Office 365 customers would be better served by third-party providers whose core competency is public websites. Therefore, we’ve made the difficult decision to discontinue the SharePoint Online Public Website feature so that we can focus our efforts and investments on delivering capabilities in Office 365 that will bring more value to our customers.”

So they first acknowledge that they have no real understanding of public web sites, and now they change the collaboration UI so it will behave more like public web sites? Okay…

The real problem I – as a consultant – face however, is that they’ve become a completely unreliable partner. The biggest laugh I had is when they suddenly shut down coded Sandboxed solutions a few weeks ago. Yes, they’ve been telling us not to use coded Sandboxed solutions anymore because they are deprecated, but unfortunately the CAM model is still not up to par yet. Sometimes it is simply not possible to update or upgrade your coded Sandboxed solution towards the CAM model. The reason they gave for stopping these coded Sandboxed solutions now is that they are not able to maintain this infrastructure as it does not scale. However…
When several migration tools stopped working, they somehow could make an exception for just those tools. These exceptions are however not available for paying customers. So not only is the infrastructure still in place – even though they said they cannot do that anymore – but we now know who Microsoft values more, and it is apparently not its paying customers.

Now what can I advise my clients? I cannot tell them to use the “Yet Another Dev Method” for their future proof customizations. We’ve seen that these new development methods are as future proof as whipped cream. So maybe the only honest advice I can give them is to either change their processes so they fit OOTB SharePoint, or not to use SharePoint at all anymore.

One last thing. I’m going to be bold here and make a prediction on when and what the new future proof development method for SharePoint web parts will be. In 2019 the new future proof development method for SharePoint web parts is: Web Components!

Unobtrusive HTML

Long, long time ago, I can still remember it. We had HTML without JavaScript. Slowly but steadily we started to include JavaScript into our HTML. At a certain moment, we noticed that a page with a lot of embedded JavaScript was difficult to maintain. We apparently all decided it was time for a change. And with that we separated the JavaScript from the HTML. Hurray! We now had unobtrusive JavaScript. This meant that we first created the working and proper HTML and after we were done, we added some JavaScript goodness to the page. All good and well!

Nah, not all. We were all struggling with the different JavaScript engines and their intrinsic details. So along came jQuery. jQuery allowed us to use a single codebase for all browsers, which is awesome. At the same time I started to notice something else. People started to write jQuery plug-ins and a lot of these plug-ins output HTML. And at that moment I started wondering. We moved from embedded JavaScript, which was bad, to embedded HTML. Not only were we back to where we started, but now we lost all intellisense, tag completion, and refactoring as we edited the HTML inside JavaScript strings. With JavaScript inside HTML script tags, like we had before, we at least had some intellisense. So some people noticed that rendering HTML inside JavaScript, mostly used for some kind of databinding, is bad. And luckily for us, AngularJS version 1 came along.

AngularJS version 1 allowed us to write a controller in JavaScript, a view with binding tags in HTML, and fetch our data from a RESTful API. We now had a real MVC framework! All loosely coupled. We could in effect create several HTML files targeted to different outputs and reuse the controllers. No need to change a single line of code. Awesome! And then AngularJS version 2 was announced.

AngularJS version 2 is supposed to be faster and much better than version 1. Everybody is hyping it. But, when I looked at the code samples, I noticed that they are defining HTML views in class decorators. We are back at writing HTML in JavaScript string properties again, and by using decorators we have no way to do dependency injection to define a view engine, which in turn could select the proper view for the device being used. It almost feels like they are implementing ASP.NET Web Forms user controls in a complex client side way. If you do so, at least implement the composite pattern.

We are running past our goal and are circling right back to where we started again. The only difference is that we now have to find a way to embed unobtrusive HTML inside our JavaScript. With that we might get our intellisense, tag completion and refactoring back.

I honestly don’t understand why we keep running in circles. Anybody?