What happened?
When signing into a Rayfin app via the standalone hosting URL (not embedded in Fabric portal), the login popup window appears twice before authentication completes successfully.
Expected behavior: A single login popup opens > user authenticates > popup closes > app receives token.
Actual behavior: First popup opens > user authenticates > popup closes > a second popup immediately opens > either auto-completes or requires another interaction > app finally receives token.
The browser console shows "Cross-Origin-Opener-Policy policy would block the window.closed call", which indicates the SDK cannot detect that the first popup has closed successfully, causing it to retry with a second popup.
Steps to reproduce
- Create a Rayfin app with Fabric auth enabled in rayfin.yml:
  - auth enabled: true, fabric enabled: true
- Deploy with `npx rayfin up`
- Open the standalone hosting URL directly in browser (NOT inside Fabric portal iframe)
- Click Sign In, which triggers `client.auth.signIn()`
- First popup opens - authenticate with Microsoft Entra ID
- First popup closes - second popup immediately opens
- Second popup auto-completes or requires user interaction
Note: This does NOT happen when the app is embedded inside the Fabric portal (iframe mode). Only occurs when accessing the hosting URL directly.
Environment
- Node: 24.x
- OS: Windows 11
- Rayfin CLI: latest (npm)
- Browser: Microsoft Edge / Google Chrome
- Auth mode: Fabric brokered auth (standalone, not embedded in portal)
- Hosting region: West Central US
- Hosting URL: https://total-alder-ff0fb9a7a5-westcentralus.webapp.msit.fabricapps.net
- Workspace: DPXE-DIS-AccessControlTest
Logs or screenshots
Console output during sign-in:
[FabricAuth] postMessage from origin=https://total-alder-ff0fb9a7a5-westcentralus.webapp.msit.fabricapps.net (expected portal=https://app.fabric.microsoft.com) - continuing (secured by state + PKCE)
[FabricAuth] brokeredAuth.ready from origin=https://msitpbiabd.powerbi.com (expected portal=https://app.fabric.microsoft.com) - continuing (secured by state + PKCE)
Cross-Origin-Opener-Policy policy would block the window.closed call.
Cross-Origin-Opener-Policy policy would block the window.closed call.
POST Success: .../api/auth/v1/token {accessToken: ..., tokenType: Bearer, expiresIn: 3600}
Key observations:
- Origin mismatch warnings - SDK expects app.fabric.microsoft.com but receives messages from the app's own origin and msitpbiabd.powerbi.com
- COOP blocking window.closed - prevents the SDK from detecting popup completion
- Auth ultimately succeeds - the token is received correctly after the second popup
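
Added example, not part of the original report and not Rayfin SDK code: one way a popup sign-in flow can complete on the result message (checked against an origin allow-list and the per-attempt `state`) instead of polling `window.closed`, which the console output above shows COOP interfering with. The function name, the message shape (`type`, `state`, `code`) and the `example.test` origins are assumptions.

```javascript
// Added example: popup completion driven by the result message, never by
// popup.closed. All names and the message shape are hypothetical.
function listenForAuthResult(target, { allowedOrigins, state, timeoutMs }, done) {
  let settled = false;
  const finish = (err, result) => {
    if (settled) return;                 // ignore duplicate or late messages
    settled = true;
    clearTimeout(timer);
    target.removeEventListener('message', onMessage);
    done(err, result);
  };
  const onMessage = (event) => {
    // Origin allow-list first: drop anything from an unexpected sender.
    if (!allowedOrigins.includes(event.origin)) return;
    const msg = event.data;
    if (!msg || msg.type !== 'auth.result') return;
    // Bind the reply to this sign-in attempt; a mismatch is not a completion.
    if (typeof msg.state !== 'string' || msg.state !== state) return;
    finish(null, { code: msg.code, origin: event.origin });
  };
  // The timeout is the only "popup went away" signal, so a window handle
  // severed by COOP cannot be misread as a closed popup and trigger a retry.
  const timer = setTimeout(() => finish(new Error('sign-in timed out')), timeoutMs);
  target.addEventListener('message', onMessage);
  return () => finish(new Error('sign-in cancelled'));  // caller-driven cancel
}

// Constructed demo: an EventTarget stands in for `window`.
function demo() {
  const fakeWindow = new EventTarget();
  const seen = [];
  listenForAuthResult(
    fakeWindow,
    { allowedOrigins: ['https://portal.example.test'], state: 'st-1', timeoutMs: 60000 },
    (err, res) => seen.push(err ? err.message : res.code)
  );
  const post = (origin, data) =>
    fakeWindow.dispatchEvent(Object.assign(new Event('message'), { origin, data }));
  post('https://other.example.test', { type: 'auth.result', state: 'st-1', code: 'A' });
  post('https://portal.example.test', { type: 'auth.result', state: 'st-1', code: 'B' });
  return seen;  // only the allow-listed message completes the flow
}
console.log(demo());
```

In a browser, `target` would be `window` and `state` the value generated for the sign-in attempt.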