Support Authenticating to National Cloud Deployments #396

Closed
ellisgeek opened this issue Nov 17, 2023 · 7 comments
Comments

ellisgeek commented Nov 17, 2023

I work for an organization on a GCC High tenant and would like to be able to use the Graph CLI for various tasks, but it appears that there is no support for authenticating to national cloud deployments at this time. I was unable to locate any references to national cloud or microsoft.us in the repository and received the following error and stack trace when attempting to authenticate against my tenant.

PS C:\Users\[REDACTED]> mgc login --tenant-id [REDACTED]
[Error] Azure-Identity: False MSAL 4.56.0.0 MSAL.NetCore .NET 7.0.12 Microsoft Windows 10.0.22000 [2023-11-17 21:49:09Z - [REDACTED]] === Token Acquisition (1008) failed.
        Host: login.microsoftonline.com.
[Error] Azure-Identity: False MSAL 4.56.0.0 MSAL.NetCore .NET 7.0.12 Microsoft Windows 10.0.22000 [2023-11-17 21:49:09Z - [REDACTED]] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_request
HTTP StatusCode 400
CorrelationId [REDACTED]

[Error] Azure-Identity: False MSAL 4.56.0.0 MSAL.NetCore .NET 7.0.12 Microsoft Windows 10.0.22000 [2023-11-17 21:49:09Z - [REDACTED]] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_request
HTTP StatusCode 400
CorrelationId [REDACTED]

   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
   at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
Unhandled exception: Azure.Identity.AuthenticationFailedException: DeviceCodeCredential authentication failed: AADSTS900383: Internal error has occurred during a redirect. Please login directly to your National Cloud dedicated portal. Trace ID: [REDACTED] Correlation ID: [REDACTED] Timestamp: 2023-11-17 21:49:09Z
 ---> MSAL.NetCore.4.56.0.0.MsalServiceException:
        ErrorCode: invalid_request
Microsoft.Identity.Client.MsalServiceException: AADSTS900383: Internal error has occurred during a redirect. Please login directly to your National Cloud dedicated portal. Trace ID: [REDACTED] Correlation ID: [REDACTED]c Timestamp: 2023-11-17 21:49:09Z
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
   at Microsoft.Identity.Client.Internal.Requests.DeviceCodeRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenWithDeviceCodeParameters deviceCodeParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeCoreAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalPublicClient.AcquireTokenWithDeviceCodeAsync(String[] scopes, String claims, Func`2 deviceCodeCallback, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DeviceCodeCredential.GetTokenViaDeviceCodeAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
        StatusCode: 400
        ResponseBody: {"error":"invalid_request","error_description":"AADSTS900383: Internal error has occurred during a redirect. Please login directly to your National Cloud dedicated portal. Trace ID: [REDACTED] Correlation ID: [REDACTED] Timestamp: 2023-11-17 21:49:09Z","error_codes":[900383],"timestamp":"2023-11-17 21:49:09Z","trace_id":"[REDACTED]","correlation_id":"[REDACTED]"}
        Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: [REDACTED]
x-ms-request-id: [REDACTED]
x-ms-ests-server: 2.1.16729.8 - WUS3 ProdSlices
x-ms-clitelem: 1,900383,0,,
X-XSS-Protection: 0
Set-Cookie: [REDACTED]
Date: Fri, 17 Nov 2023 21:49:08 GMT

   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DeviceCodeCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DeviceCodeCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Graph.Cli.Core.Authentication.InteractiveLoginService`1.DoLoginAsync(String[] scopes, CancellationToken cancellationToken) in /_/src/Microsoft.Graph.Cli.Core/Authentication/InteractiveLoginService.cs:line 45
   at Microsoft.Graph.Cli.Core.Authentication.LoginServiceBase.LoginAsync(String[] scopes, CancellationToken cancellationToken) in /_/src/Microsoft.Graph.Cli.Core/Authentication/LoginServiceBase.cs:line 34
   at Microsoft.Graph.Cli.Core.Commands.Authentication.LoginCommand.<.ctor>b__6_0(InvocationContext context) in /_/src/Microsoft.Graph.Cli.Core/Commands/Authentication/LoginCommand.cs:line 54
   at System.CommandLine.Invocation.AnonymousCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass17_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Kiota.Cli.Commons.Extensions.CommandBuilderExtensions.<>c__DisplayClass0_0.<<UseRequestAdapter>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Graph.Cli.Program.<>c.<<Main>b__2_2>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Hosting.HostingExtensions.<>c__DisplayClass1_0.<<UseHost>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Graph.Cli.Program.<>c__DisplayClass3_0.<<BuildCommandLine>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Kiota.Cli.Commons.Extensions.CommandBuilderExtensions.<>c.<<RegisterCommonServices>b__2_0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Kiota.Cli.Commons.Extensions.CommandBuilderExtensions.<>c__DisplayClass3_0.<<RegisterHeadersOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass12_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass19_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__18_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__5_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass8_0.<<UseExceptionHandler>b__0>d.MoveNext()
@CarolKigoonya CarolKigoonya added the enhancement New feature or request label Nov 20, 2023
@calebkiage calebkiage self-assigned this Nov 29, 2023
@CarolKigoonya
Contributor

Adding an example of how PowerShell currently supports national clouds https://review.learn.microsoft.com/en-us/graph/sdks/national-clouds?branch=main&tabs=powershell#tabpanel_1_powershell

@sebastienlevert

We will be implementing this feature by doing the following:

  • Add a --environment flag that supports all our National Clouds (China, Global, USGov and USGovDoD). We shall validate that the cloud provided is a valid one or fail if not.
  • All calls when using an environment should be mapped to the right Graph endpoint.
  • When not in use, we use the default (Global).
  • The environment is stored as part of the config file.
  • We don't do anything special when the cloud doesn't support an endpoint. Returning the workload error is enough.

@calebkiage
Collaborator

@sebastienlevert, Petr is asking about the acceptance criteria around cloud names. What names should the user type into the CLI for each cloud?

I'd planned on using:

  • Global
  • US_GOV
  • US_GOV_DOD
  • China

@sebastienlevert

sebastienlevert commented Jan 30, 2024

I'd go with the same as PowerShell, aka

  • China
  • Global
  • USGov
  • USGovDoD

These should be validated and be the only entries available, like an enum.

Default is Global.
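A sketch of the design agreed in the comments above (a validated --environment value using the PowerShell cloud names, each mapped to its login authority and Graph endpoint, defaulting to Global), written here as an added example and not taken from msgraph-cli-core; it uses the Azure.Identity types that appear in the stack trace, and the endpoint table, the `NationalClouds` class and the `DeviceCodeCredentialOptions` wiring are assumptions, not the project's implementation. The security point of the fixed allow-list is that the authority a token request is sent to is derived only from an enum value: a GCC High tenant is no longer sent to login.microsoftonline.com (the AADSTS900383 failure above), and a mistyped or hostile environment string can never point the credential at an arbitrary host.

```csharp
using System;
using System.Collections.Generic;
using Azure.Identity;

// Cloud names match the PowerShell SDK names agreed on in the thread.
public enum GraphEnvironment { Global, USGov, USGovDoD, China }

public sealed record CloudEndpoints(Uri AuthorityHost, Uri GraphBaseUrl);

public static class NationalClouds
{
    // Fixed allow-list (assumed endpoint table, not the project's own): the login authority
    // and Graph host are derived from the validated enum value only, never from raw user input.
    private static readonly IReadOnlyDictionary<GraphEnvironment, CloudEndpoints> Map =
        new Dictionary<GraphEnvironment, CloudEndpoints>
        {
            [GraphEnvironment.Global]   = new(AzureAuthorityHosts.AzurePublicCloud, new Uri("https://graph.microsoft.com")),
            [GraphEnvironment.USGov]    = new(AzureAuthorityHosts.AzureGovernment,  new Uri("https://graph.microsoft.us")),
            [GraphEnvironment.USGovDoD] = new(AzureAuthorityHosts.AzureGovernment,  new Uri("https://dod-graph.microsoft.us")),
            [GraphEnvironment.China]    = new(AzureAuthorityHosts.AzureChina,       new Uri("https://microsoftgraph.chinacloudapi.cn")),
        };

    // Validates the --environment value by name only (no numeric aliases); an absent value
    // falls back to Global, as the thread specifies; anything else fails loudly.
    public static GraphEnvironment Parse(string? value)
    {
        if (string.IsNullOrWhiteSpace(value)) return GraphEnvironment.Global;
        foreach (var name in Enum.GetNames<GraphEnvironment>())
            if (string.Equals(name, value, StringComparison.OrdinalIgnoreCase))
                return Enum.Parse<GraphEnvironment>(name);
        throw new ArgumentException(
            $"Unknown environment '{value}'. Valid values: {string.Join(", ", Enum.GetNames<GraphEnvironment>())}");
    }

    public static CloudEndpoints EndpointsFor(GraphEnvironment env) => Map[env];

    // Points DeviceCodeCredential at the cloud's own authority instead of login.microsoftonline.com.
    public static DeviceCodeCredentialOptions CredentialOptionsFor(GraphEnvironment env, string tenantId, string clientId) =>
        new() { AuthorityHost = EndpointsFor(env).AuthorityHost, TenantId = tenantId, ClientId = clientId };
}

public static class Program
{
    public static void Main()
    {
        var env = NationalClouds.Parse("USGov");  // the value given to --environment
        var endpoints = NationalClouds.EndpointsFor(env);
        Console.WriteLine($"{env}: authority={endpoints.AuthorityHost} graph={endpoints.GraphBaseUrl}");
        var credential = new DeviceCodeCredential(NationalClouds.CredentialOptionsFor(env, "<tenant-id>", "<client-id>"));
        // credential.GetTokenAsync(...) now goes to login.microsoftonline.us, not login.microsoftonline.com.
    }
}
```

The Graph base URL from `EndpointsFor` is what the request adapter would use for every call once the environment is read back from the config file.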

calebkiage added a commit to microsoftgraph/msgraph-cli-core that referenced this issue Feb 1, 2024
Allows logging in to national clouds using the `--environment` CLI option.

See microsoftgraph/msgraph-cli#396
calebkiage added a commit to microsoftgraph/msgraph-cli-core that referenced this issue Feb 1, 2024
feat: add national cloud support

Allows logging in to national clouds using the `--environment` CLI option.
See microsoftgraph/msgraph-cli#396

perf: enable concurrent io when clearing the token cache
@calebkiage
Collaborator

Added in #423. Should be part of v1.3.0

@calebkiage
Collaborator

Release 1.3.0 is out.

@calebkiage
Collaborator

@ellisgeek, could you confirm if this issue is fixed for you?
