[Bug] Regression in 4.55.0 - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...) #4272

Closed
2 of 8 tasks
keystroke opened this issue Jul 25, 2023 · 8 comments · Fixed by #4275
Labels: bug, P2, regression (Behavior that worked in a previous release that no longer works in a newer release), scenario:Desktop

Comments

@keystroke

Which version of MSAL.NET are you using?
Issue occurs upgrading to 4.55.0 from 4.54.1

Platform
.NET 6.0

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive (broker)
    • Interactive (embedded or system browser)
    • Integrated Windows Authentication
    • Username / Password
    • Device code (browserless)
  • Web app
    • Authorization code
    • On-Behalf-Of
  • Daemon app
    • Client credentials (service-to-service calls)

Other?
I see this issue with authorization code and device code flow when using an ADFS authority; perhaps all flows with user interaction. Note that other flows like service principal auth when using an ADFS authority are working fine:

[image]

Note that the above failures occur whether we use MSAL .WithAuthority() or .WithAdfsAuthority() when constructing the client. We never call .withTenantId(...) directly.

Is this a new or existing app?
The app is in production; I haven't upgraded MSAL, but started seeing this issue.

Repro

var builder = PublicClientApplicationBuilder
    .Create(clientId)
    // same result from using WithAdfsAuthority
    .WithAuthority(authority, validateAuthority: false)
    .WithInstanceDiscoveryMetadata(GetInstanceDiscoveryMetadata(authority))
    .WithRedirectUri(redirectUri);

var client = builder.Build();

var result = await client 
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync();

Actual behavior
Exception is thrown after receiving token response:

Message: 
Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace: 
Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
RequestBase.RunAsync(CancellationToken cancellationToken)
PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359
MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303
--- End of stack trace from previous location ---

Expected behavior
Should return the token.

Possible solution

Additional context / logs / screenshots / links to code
Logs (edited to remove secrets; contains fake PII):

 Microsoft.AzureStack.Identity.Web.Tests.MsalTests.CanAcquireToken_UsingAuthorizationCode(authority: "https://localhost:3001/adfs")
 Source: MsalTests.cs line 301
 Duration: 5 sec

Message: 
Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace: 
Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
RequestBase.RunAsync(CancellationToken cancellationToken)
PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359
MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303
--- End of stack trace from previous location ---

Standard Output: 
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL MSAL.NetCore with assembly version '4.55.0.0'. CorrelationId(4c14c9ea-13be-4117-8d23-0d5f49c21197)

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: System
ExtraScopesToConsent:
Prompt: not_specified
HasCustomWebUi: False

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197]
=== Request Data ===
Authority Provided? - True
Client Id - e68c40a5-a8e5-4250-bbea-5b43ab18cf0d
Scopes - https://arm.asz/.default
Redirect Uri - http://localhost
Extra Query Params Keys (space separated) -
ClaimsAndClientCapabilities -
Authority - https://localhost:3001/adfs/
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint -
IsBrokerConfigured - False
HomeAccountId -
CorrelationId - 4c14c9ea-13be-4117-8d23-0d5f49c21197
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Token Acquisition (InteractiveRequest) started:
Authority: https://localhost:3001/adfs/
Scope: https://arm.asz/.default
ClientId: e68c40a5-a8e5-4250-bbea-5b43ab18cf0d

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Instance Discovery] Skipping Instance discovery for non-AAD authority.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Using system browser.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Listening for authorization code on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Processing a response message to the browser. HttpStatus:OK

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HttpListner received a message on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] An authorization code was retrieved from the /authorize endpoint.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Exchanging the auth code for tokens.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: System
ExtraScopesToConsent:
Prompt: not_specified
HasCustomWebUi: False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting TokenClient:SendTokenRequestAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Token Client] Fetching MsalTokenResponse ....

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [Oauth2Client] Sending POST request

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [HttpManager] ExecuteAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Sending request. Method: POST. URI: https://localhost:3001/adfs/oauth2/token.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Received response. Status code: OK.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [HttpManager] ExecuteAsync in 501 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [Oauth2Client] Sending POST request in 505 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [OAuth2Client] Deserializing response

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [OAuth2Client] Deserializing response in 14 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished TokenClient:SendTokenRequestAsync in 531 ms

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Checking client info returned from the server..

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Saving token response to cache..

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197]
[MsalTokenResponse]
Error:
ErrorDescription:
Scopes: https://arm.asz/.default offline_access openid profile
ExpiresIn: 4620
RefreshIn:
AccessToken returned: True
AccessToken Type: bearer
RefreshToken returned: True
IdToken returned: True
ClientInfo:
FamilyId:
WamAccountId exists: False

[MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL.NetCore.4.55.0.0.MsalClientException:
ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

@keystroke
Author

Related to #4191 and #4144

@keystroke
Author

If it helps, here are the claims in the ID token that "ADFS" returns. Note that ADFS authority URL does not contain tenantId, but the iss claim appends it:

{
  "alg": "RS256",
  "kid": "[REDACTED]",
  "x5t": "[REDACTED]",
  "typ": "JWT"
}.{
  "ver": "1.0",
  "iat": 1690247050,
  "aud": "e68c40a5-a8e5-4250-bbea-5b43ab18cf0d",
  "iss": "https://localhost:3001/adfs/460afc9d-718d-40c8-8d03-9540fa56cc2c/",
  "name": "[REDACTED]",
  "oid": "[REDACTED]",
  "sub": "[REDACTED]",
  "tid": "460afc9d-718d-40c8-8d03-9540fa56cc2c",
  "unique_name": "[REDACTED]",
  "uti": "ee4c32d7-b110-4214-8132-fb0bbc232785",
  "upn": "[REDACTED]",
  "exp": 1690252449,
  "nbf": 1690247049
}

@keystroke keystroke changed the title [Bug] Regression - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...) [Bug] Regression in 4.55.0 - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...) Jul 25, 2023
@keystroke
Author

Looks like this change in authority setup is causing the issue: 1c7e4c3

keystroke referenced this issue Jul 25, 2023
* fix

* Fix

* Test fixes

* fix

* Update for WithAuthority + WIthTenant

* Comments and minor fixes

* PR comments

* Relax req.WithTenant as well

* fix test

* Address PR comments
@keystroke
Author

Even when I change .WithAuthority to .WithAdfsAuthority, the stack trace doesn't change:

    [MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:46:47Z - 94f33d85-fd02-44e5-a545-49f915e1c90e] MSAL.NetCore.4.55.0.0.MsalClientException:
  ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
   at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
   at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
   at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
   at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
   at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

I see from the commit that the ADFS authority subclass no longer overrides the base class; probably restoring that would be enough to fix it:
1c7e4c3#diff-ef961febb44235ea63633fb173ce3e018a1a6bbb9eaba10c48383a58925591e8

Note that we should not require the use of .WithAdfsAuthority in the builder, as that would be another regression (I think it was previously identified that this was a bad idea and it was only left in place to avoid a breaking change; otherwise clients need an ugly setup to decide how to build the MSAL client, parsing the authority string first and checking for adfs, etc.). So I'm not sure which authority class is "active" in the flows I submitted above; hopefully both resolve to the ADFS subclass?
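A small C# model of the cache-save step discussed in the two comments above (the ID token's iss/tid claims, and the ADFS authority subclass no longer overriding the base-class tenant check). This is an added illustration, not MSAL.NET's own code: the type and method names, the AAD comparison authority, and the path-based classifier are assumptions; the claim values are the ones posted in the issue.

```csharp
using System;
using System.Text.Json;

// Added illustration (not MSAL.NET source): how a tenant id found in the ID token
// should be applied to the configured authority when a token response is cached.
enum AuthorityKind { Aad, Adfs }

static class AuthorityModel
{
    // Assumption: an ADFS authority carries "adfs" as its first path segment (https://host/adfs/).
    public static AuthorityKind Classify(Uri authority)
    {
        var segments = authority.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
        return segments.Length > 0 && segments[0].Equals("adfs", StringComparison.OrdinalIgnoreCase)
            ? AuthorityKind.Adfs
            : AuthorityKind.Aad;
    }

    // Behaviour reported for 4.55.0: one base implementation rejects every non-AAD authority,
    // even though the tid came from the token response rather than from WithTenantId(...).
    public static Uri GetTenantedAuthorityRegressed(Uri authority, string tenantId)
    {
        if (Classify(authority) != AuthorityKind.Aad)
            throw new InvalidOperationException(
                "WithTenantId can only be used when an AAD authority is specified at the application level.");
        return new Uri(authority, $"/{tenantId}/");
    }

    // Expected behaviour: an ADFS authority is tenant-less, so the tid in the ID token
    // is kept with the account but never rewrites the authority URL.
    public static Uri GetTenantedAuthorityFixed(Uri authority, string tenantId)
    {
        if (Classify(authority) == AuthorityKind.Adfs)
            return authority;
        return new Uri(authority, $"/{tenantId}/");
    }

    // Mirrors TokenResponseHelper.GetTenantId: read tid from the ID token payload, derive the authority.
    public static Uri AuthorityForCache(Uri configured, string idTokenPayloadJson)
    {
        using var doc = JsonDocument.Parse(idTokenPayloadJson);
        string tid = doc.RootElement.TryGetProperty("tid", out var t) ? t.GetString() : null;
        return string.IsNullOrEmpty(tid) ? configured : GetTenantedAuthorityFixed(configured, tid);
    }

    public static void Main()
    {
        // Payload claims as posted in the issue (the remaining claims were redacted there).
        const string payload = @"{""aud"":""e68c40a5-a8e5-4250-bbea-5b43ab18cf0d"",
            ""iss"":""https://localhost:3001/adfs/460afc9d-718d-40c8-8d03-9540fa56cc2c/"",
            ""tid"":""460afc9d-718d-40c8-8d03-9540fa56cc2c""}";
        var adfs = new Uri("https://localhost:3001/adfs/");

        try { GetTenantedAuthorityRegressed(adfs, "460afc9d-718d-40c8-8d03-9540fa56cc2c"); }
        catch (InvalidOperationException e) { Console.WriteLine("4.55.0 behaviour: " + e.Message); }

        Console.WriteLine("Expected for ADFS: " + AuthorityForCache(adfs, payload));
        var aad = new Uri("https://login.microsoftonline.com/common/"); // assumed AAD authority for contrast
        Console.WriteLine("AAD for comparison: " + AuthorityForCache(aad, payload));
    }
}
```

For the ADFS authority the fixed path returns the configured URL unchanged, while for the AAD authority the tid replaces the "common" segment, which is the distinction the regressed base-class check collapsed.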

@keystroke
Author

Tagging @bgavrilMS, if you want to provide private drop I can verify as well before any hotfix

@bgavrilMS
Member

Will provide a drop soon, thanks for picking this up @keystroke

@bgavrilMS bgavrilMS added bug P1 scenario:WebSite regression Behavior that worked in a previous release that no longer works in a newer release labels Jul 25, 2023
@bgavrilMS
Member

CC @jmprieur

@bgavrilMS
Member

bgavrilMS commented Jul 27, 2023

Does not seem to repro on our test bed, where we use a non-localhost name for the ADFS authority. Will reach out for help repro-ing this. I am not able to repro via unit test with "https://localhost:3000/adfs" as authority.

The error message suggests MSAL mis-parses the authority uri and thinks it's an AAD authority.

bgavrilMS added a commit that referenced this issue Aug 1, 2023
* Fix for #4272 - WithAdfsAuthority when id token has tid

* Fix for #4272 - WithAdfsAuthority when id token has tid

* Fixes

* fix