
[Bug] Improve devex for AcquireTokenSilent + MSA-PT #3077

Open
1 task done
mjcheetham opened this issue Dec 16, 2021 · 5 comments

Comments

@mjcheetham
Contributor

mjcheetham commented Dec 16, 2021

Which version of MSAL.NET are you using?
MSAL.NET 4.37.0

Platform
.NET 5.0 macOS x64

What authentication flow has the issue?

  • Desktop / Mobile
    • Silent

Is this a new or existing app?

a. The app is in production, and I have upgraded to a new version of MSAL.

Repro

// Azure DevOps resource (MSA-PT) and a public client registration.
const string azDev = "499b84ac-1321-427f-aa17-267ca6975798";
const string clientId = "d735b71b-9eee-4a4f-ad23-421660877ba6";
const string authority = "https://login.microsoftonline.com/organizations";
const string redirectUri = "http://localhost";
string[] scopes = new[] { $"{azDev}/vso.code_full" };
var pca = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(authority)
    .WithRedirectUri(redirectUri)
    .Build();
RegisterTokenCache(pca.UserTokenCache); // app-specific token cache serialization

// Interactive sign-in succeeds (user picks an MSA).
var result1 = await pca.AcquireTokenInteractive(scopes).ExecuteAsync();

string userName = result1.Account.Username;

// Silent acquisition for the same user throws (see "Actual behavior").
var result2 = await pca.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();

Expected behavior
The ATS call succeeds.

Actual behavior
An MsalServiceException is thrown:

"Application '499b84ac-1321-427f-aa17-267ca6975798'(Azure DevOps) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request."

Possible solution

We have worked around this by using the "MSFT Services tenant" to 'exchange' these MSA tokens for use with the MSA-PT resource (Azure DevOps).

// app is the IPublicClientApplication built above (pca in the repro).
IAccount account = result1.Account;

var atsBuilder = app.AcquireTokenSilent(scopes, account);

// If the account is an MSA we must target the special "MSA-PT transfer tenant"
// rather than the MSA home tenant, otherwise MSAL routes the request to /consumers.
var msaTenantId = new Guid("9188040d-6c67-4c5b-b112-36a304b66dad");
var transferTenantId = new Guid("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
if (Guid.TryParse(account.HomeAccountId.TenantId, out Guid homeTenantId) && homeTenantId == msaTenantId)
{
    atsBuilder = atsBuilder.WithTenantId(transferTenantId.ToString("D"));
}

var result2 = await atsBuilder.ExecuteAsync();

Additional context / logs / screenshots / links to code

We are using MSA-PT (as a first party application) because the resource (Azure DevOps) only accepts AAD & MSA-PT tokens (not MSA native).

Also the workaround we have here only works for the public Azure cloud.

cc: @bgavrilMS
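The workaround from this issue collected into one reusable helper, as an added example (not code from the issue author, GCM or MSAL.NET). It assumes the caller has already built the IPublicClientApplication with MSA passthrough enabled; the public-cloud check on IAccount.Environment and the interactive fallback on MsalUiRequiredException are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Example helper (not from the issue or MSAL): applies the MSA-PT transfer-tenant
// workaround only when it is known to apply, and falls back to interactive otherwise.
public static class MsaPassthroughSilentAuth
{
    // Home tenant of consumer (MSA) accounts, as seen in IAccount.HomeAccountId.TenantId.
    private static readonly Guid MsaTenantId = new Guid("9188040d-6c67-4c5b-b112-36a304b66dad");
    // "Microsoft services" / MSA-PT transfer tenant used to redeem MSA tokens for MSA-PT resources.
    private static readonly Guid TransferTenantId = new Guid("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
    // The issue states the workaround only works for the public Azure cloud (assumed environment name).
    private const string PublicCloudEnvironment = "login.microsoftonline.com";

    // Returns the tenant ID AcquireTokenSilent should target for this account,
    // or null when the configured authority should be used unchanged.
    public static string GetTenantOverride(IAccount account)
    {
        string homeTenant = account?.HomeAccountId?.TenantId;
        if (homeTenant == null || !Guid.TryParse(homeTenant, out Guid homeTenantId))
            return null;
        if (homeTenantId != MsaTenantId)
            return null; // AAD (work/school) account: plain ATS works.
        if (!string.Equals(account.Environment, PublicCloudEnvironment, StringComparison.OrdinalIgnoreCase))
            return null; // Sovereign cloud: transfer tenant unknown, do not guess.
        return TransferTenantId.ToString("D");
    }

    // Silent acquisition with the override applied; interactive fallback only when
    // MSAL itself reports that user interaction is required.
    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication pca, string[] scopes, IAccount account)
    {
        var builder = pca.AcquireTokenSilent(scopes, account);
        string tenant = GetTenantOverride(account);
        if (tenant != null)
            builder = builder.WithTenantId(tenant);

        try
        {
            return await builder.ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await pca.AcquireTokenInteractive(scopes).WithAccount(account).ExecuteAsync();
        }
    }
}
```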

@bgavrilMS
Member

bgavrilMS commented Jan 13, 2022

  • .EnableMsaPassthrough()
  • try to detect if the request comes from MSA. Can we not maintain a mapping?
  • review the proposal from iOS.

@bgavrilMS bgavrilMS changed the title [Bug] AcquireTokenSilent fails for MSA-PT scopes/resources using the organizations authority [Bug] Improve devex for AcquireTokenSilent + MSA-PT Dec 22, 2022
@JohnSchmeichel

Also came across this while trying to test a new app registration. Was surprised to see the error on using the consumers tenant when we were explicitly passing the organizations tenant.

@bgavrilMS
Member

@JohnSchmeichel

Also hitting this (but with slightly different options, and getting additional errors beyond those in the linked bug)

ClientId: d5a56ea4-7369-46b8-a538-c370805301bf
Authority: https://login.microsoftonline.com/organizations
Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default
MSA-Passthrough: Enabled
Account: [email protected]

Calling AcquireTokenInteractive I can select my MSA and get a token, and when using AcquireTokenInteractive passing the account I get a token without a prompt:

ATI WithAccount for account [email protected]
Account.Username [email protected]
Account.HomeAccountId AccountId: 00000000-0000-0000-c2e8-f34129c9cd3a.9188040d-6c67-4c5b-b112-36a304b66dad
Account.Environment login.microsoftonline.com
TenantId f8cdef31-a31e-4b4a-93e4-5f571e91255a
Expires 4/12/2023 9:26:43 PM -07:00 local time
Source Broker
Scopes 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation 499b84ac-1321-427f-aa17-267ca6975798/.default
AccessToken: ****

However, when using AcquireTokenSilent passing the same account object I get an error:

ATS with IAccount for [email protected]
Exception: MSAL.NetCore.4.52.0.0.MsalServiceException:
    ErrorCode: WAM_provider_error_2156265473
Microsoft.Identity.Client.MsalServiceException: WAM Error
 Error Code: 2156265473
 Error Message: ApiContractViolation
 WAM Error Message: Error
 Internal Error Code: 557973635
 Is Retryable: false
 Possible causes:
- Invalid redirect uri - ensure you have configured the following url in the AAD portal App Registration: ms-appx-web://microsoft.aad.brokerplugin/d5a56ea4-7369-46b8-a538-c370805301bf
- No Internet connection :
Please see https://aka.ms/msal-net-wam for details about Windows Broker integration

Using the workaround of swapping the MSA tenant with the first party tenant allows AcquireTokenSilent to succeed.

@bgavrilMS bgavrilMS added the epic label Apr 13, 2023
@bgavrilMS
Member

@JohnSchmeichel - yes, this is the status quo for MSA-PT for now, you have to add that pretty horrible workaround. We will look at fixing this next quarter, there aren't any easy fixes though.

mjcheetham added a commit to mjcheetham/git-credential-manager that referenced this issue Jul 10, 2023
When we have a Microsoft Account (MSA) in the cache and attempt to do a
silent authentication, if we're an MSA-PT app we need to specify the
special MSA transfer tenant ID to make sure we get a token silently,
correctly. See the issue [1] in the MSAL repo for more information.

[1] AzureAD/microsoft-authentication-library-for-dotnet#3077
mjcheetham added a commit to mjcheetham/git-credential-manager that referenced this issue Jul 31, 2023
When using Microsoft Account Passthrough (MSA-PT) we need to use the
special "transfer" or "Microsoft services" tenant ID rather than the
actual MSA tenant ID when doing silent authentication.

This is a shortcoming in the MSAL library that we will need to
work around until this issue [1] can be fixed in MSAL itself.

Modify the silent auth method such that if we are using MSA-PT, and
the `IAccount` object has the MSA tenant ID, we explicitly set
the tenant ID to the transfer tenant ID.

Whilst we are in here, also add an extra `catch` block around the silent
auth code to capture any unexpected exceptions and log them.

[1] AzureAD/microsoft-authentication-library-for-dotnet#3077
mjcheetham added a commit to git-ecosystem/git-credential-manager that referenced this issue Jul 31, 2023
When we have a Microsoft Account (MSA) in the cache and attempt to do a
silent authentication, if we're an MSA-PT app we need to specify the
special MSA transfer tenant ID to make sure we get a token silently,
correctly.

See the
[issue](AzureAD/microsoft-authentication-library-for-dotnet#3077)
in the MSAL repo for more information.

Fixes: #1297