Azure-Samples / active-directory-aspnetcore-webapp-openidconnect-v2

An ASP.NET Core Web App which lets sign-in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and call Web APIs (including Microsoft Graph)
MIT License

Querying the MS Graph as part of the OnTokenValidated fails with error that "Input id_token cannot be used as ..." #747

Open peterhutgasunie opened 9 months ago

peterhutgasunie commented 9 months ago

Microsoft.Identity.Web version

2.16.0

Web app sign-in

Not applicable

Web API (call Graph or downstream APIs)

Not applicable

Deploy to Azure

5-WebApp-AuthZ/5-2-Groups

Auth Z

Not applicable

Description

I would like to retrieve the member groups for a user as part of the authentication process to add claims based on these groups in a Web App. Sample 5-2-Groups does that but fails when it uses the GraphServiceClient in OnTokenValidated. I had actually hoped to use an IClaimsTransformer, but I receive the same errors. Using the GraphServiceClient later on works fine (as the sample does in the UserProfileController).

Querying the MS Graph as part of the OnTokenValidated fails with error that "Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. "

This appears to be related to the workaround that puts 'context.SecurityToken' into HttpContext.Items as Cached_Graph_Token_Key, but SecurityToken is an ID token.

Without the workaround the error changes to "No account or login hint was passed to the AcquireTokenSilent call. " (this is the error I have in another project that I hoped to resolve with this sample).

Reproduction steps

  1. Clone samples
  2. Fill in Azure AD configuration for sample 5-2-Groups
  3. Run the sample 5-2-Groups
  4. Log in with a user for which 'HasOverageOccurred' is true (or change the code to always return true)
  5. Login succeeds, but the console message reports the error 'AADSTS240002: Input id_token cannot be used as ...'

Error message

"AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. Trace ID: ff0f8af9-bae1-4edf-8cb5-a1c8970f1800 Correlation ID: 2aad8c5b-9859-46e5-b6d4-3bc63a51f312 Timestamp: 2023-12-06 11:53:57Z"

Without the 'JwtSecurityTokenUsedToCallWebAPI' workaround: "IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. " InnerException: "No account or login hint was passed to the AcquireTokenSilent call. " ErrorCode: "user_null"

Id Web logs

dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] Microsoft.IdentityModel Version: 7.0.3.0. Date 12/06/2023 12:15:25. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details. IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX21328: Generating nonce for openIdConnect message. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX21342: 'RequireStateValidation' = false, not validating the state. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:28Z] ConfidentialClientApplication 17180427 created info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:28Z - 2807160c-e055-4387-bf8a-869015356df1] MSAL MSAL.NetCore with assembly version '4.57.0.0'. CorrelationId(2807160c-e055-4387-bf8a-869015356df1) info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] === Request Data === Authority Provided? - True Scopes - User.Read Group.Read.All Extra Query Params Keys (space separated) - ApiId - AcquireTokenByAuthorizationCode IsConfidentialClient - True SendX5C - False LoginHint ? False IsBrokerConfigured - False HomeAccountId - False CorrelationId - 2807160c-e055-4387-bf8a-869015356df1 UserAssertion set: False LongRunningOboCacheKey set: False Region configured:

info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] === Token Acquisition (ConfidentialAuthCodeRequest) started: Scopes: User.Read Group.Read.All Authority Host: login.microsoftonline.com warn: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Instance discovery is enabled and will be performed info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Region discovery] Not using a regional authority. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Fetching instance discovery from the network from host login.microsoftonline.com. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [Oauth2Client] Sending GET request dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [HttpManager] ExecuteAsync dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Sending request. Method: GET. Host: https://login.microsoftonline.com. info: System.Net.Http.HttpClient.Default.LogicalHandler[100] Start processing HTTP request GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.microsoftonline.com%2FTENANTID%2Foauth2%2Fv2.0%2Fauthorize info: System.Net.Http.HttpClient.Default.ClientHandler[100] Sending HTTP request GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.microsoftonline.com%2FTENANTID%2Foauth2%2Fv2.0%2Fauthorize info: System.Net.Http.HttpClient.Default.ClientHandler[101] Received HTTP response headers after 373.2987ms - 200 info: System.Net.Http.HttpClient.Default.LogicalHandler[101] End processing HTTP request after 388.4963ms - 200 dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Received response. Status code: OK. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [HttpManager] ExecuteAsync in 404 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [Oauth2Client] Sending GET request in 411 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [OAuth2Client] Deserializing response dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [OAuth2Client] Deserializing response in 9 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Authority validation enabled? True. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Authority validation - is known env? True. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting TokenClient:SendTokenRequestAsync dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [TokenClient] Before adding the client assertion / secret dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [TokenClient] After adding the client assertion / secret dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Token Client] Fetching MsalTokenResponse .... dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [Oauth2Client] Sending POST request dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [HttpManager] ExecuteAsync dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Sending request. Method: POST. Host: https://login.microsoftonline.com. 
info: System.Net.Http.HttpClient.Default.LogicalHandler[100] Start processing HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token info: System.Net.Http.HttpClient.Default.ClientHandler[100] Sending HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token info: System.Net.Http.HttpClient.Default.ClientHandler[101] Received HTTP response headers after 202.6479ms - 200 info: System.Net.Http.HttpClient.Default.LogicalHandler[101] End processing HTTP request after 209.044ms - 200 dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Received response. Status code: OK. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [HttpManager] ExecuteAsync in 218 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [Oauth2Client] Sending POST request in 227 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [OAuth2Client] Deserializing response dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [OAuth2Client] Deserializing response in 26 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished TokenClient:SendTokenRequestAsync in 281 ms info: Microsoft.Identity.Web.TokenAcquisition[0] 
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Checking client info returned from the server.. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Saving token response to cache.. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [MsalTokenResponse] Error: ErrorDescription: Scopes: Group.Read.All User.Read profile openid email ExpiresIn: 86399 RefreshIn: 43199 AccessToken returned: True AccessToken Type: Bearer RefreshToken returned: True IdToken returned: True ClientInfo returned: True FamilyId: WamAccountId exists: False

info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Region discovery] Not using a regional authority. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Entering token cache semaphore. Count Real semaphore: True. Count: 1. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Entered token cache semaphore. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs... 
info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Looking for scopes for the authority in the cache which intersect with User.Read Group.Read.All info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z] [Internal cache] Total number of cache partitions found while getting access tokens: 0 info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Intersecting scope entries count - 0 info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Matching entries after filtering by user - 0 info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving Id Token and Account in cache ... info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving RT in cache... dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Not saving to ADAL legacy cache. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Released token cache semaphore. 
info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] === Token Acquisition finished successfully: info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] AT expiration time: 12/7/2023 12:15:28 PM +00:00, scopes: Group.Read.All User.Read profile openid email. source: IdentityProvider info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Fetched access token from host login.microsoftonline.com. info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable [LogMetricsFromAuthResult] DurationInCacheInMs: 0 [LogMetricsFromAuthResult] DurationTotalInMs: 848 [LogMetricsFromAuthResult] DurationInHttpInMs: 604

info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] TokenEndpoint: **** info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10242: Security token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key. info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10239: Lifetime of the token is valid. info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10234: Audience Validated.Audience: 'a489f663-32be-439b-a4ea-6c1a4d5fbdc4' dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay. dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10255: TypeValidator property on ValidationParameters is null and ValidTypes is either null or empty. Exiting without validating the token type. info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10245: Creating claims identity from the validated token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0] IDX10241: Security token validated. token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. 
info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] MSAL MSAL.NetCore with assembly version '4.57.0.0'. CorrelationId(00000000-0000-0000-0000-000000000000) info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] === OnBehalfOfParameters === SendX5C: False ForceRefresh: False UserAssertion set: True SearchInCacheForLongRunningObo: False LongRunningOboCacheKey set: False

info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] === Request Data === Authority Provided? - True Scopes - user.read Extra Query Params Keys (space separated) - ApiId - AcquireTokenOnBehalfOf IsConfidentialClient - True SendX5C - False LoginHint ? False IsBrokerConfigured - False HomeAccountId - False CorrelationId - 00000000-0000-0000-0000-000000000000 UserAssertion set: True LongRunningOboCacheKey set: False Region configured:

info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] === Token Acquisition (OnBehalfOfRequest) started: Scopes: user.read Authority Host: login.microsoftonline.com warn: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] Instance discovery is enabled and will be performed info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Region discovery] Not using a regional authority. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] The network provider found an entry for login.microsoftonline.com. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [OBO Request] Looking in the cache for an access token info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Internal cache] Total number of cache partitions found while getting access tokens: 1 info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: e_O8al3uH5q3u-EWZRke17bMrdxmXW07uF8QhnPnSVE dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [FindAccessTokenAsync] No access tokens found in the cache. Skipping filtering. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Finished [OBO Request] Looking in the cache for an access token in 11 ms info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [OBO request] Fetching tokens via normal OBO flow. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting TokenClient:SendTokenRequestAsync dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [TokenClient] Before adding the client assertion / secret dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [TokenClient] After adding the client assertion / secret dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Token Client] Fetching MsalTokenResponse .... dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [Oauth2Client] Sending POST request dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [HttpManager] ExecuteAsync dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [HttpManager] Sending request. Method: POST. Host: https://login.microsoftonline.com. 
info: System.Net.Http.HttpClient.Default.LogicalHandler[100] Start processing HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token info: System.Net.Http.HttpClient.Default.ClientHandler[100] Sending HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token info: System.Net.Http.HttpClient.Default.ClientHandler[101] Received HTTP response headers after 89.1471ms - 400 info: System.Net.Http.HttpClient.Default.LogicalHandler[101] End processing HTTP request after 95.8244ms - 400 dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] [HttpManager] Received response. Status code: BadRequest. dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished [HttpManager] ExecuteAsync in 104 ms info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Response status code does not indicate success: 400 (BadRequest). warn: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Request retry failed. 
dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished [Oauth2Client] Sending POST request in 113 ms dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] [Oauth2Client] Processing error response info: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] HttpStatusCode: 400: BadRequest fail: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] === Token Acquisition (1006) failed. Host: login.microsoftonline.com. fail: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Exception type: Microsoft.Identity.Client.MsalServiceException , ErrorCode: invalid_request HTTP StatusCode 400 CorrelationId ce33fc66-6de0-460b-8cd1-a3d335b9be4b

dbug: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished TokenClient:SendTokenRequestAsync in 416 ms warn: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Fetching a new AT failed. Is exception retry-able? False. Is there an AT in the cache that is usable? False warn: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Either the exception does not indicate a problem with AAD or the token cache does not have an AT that is usable. fail: Microsoft.Identity.Web.TokenAcquisition[0] False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Exception type: Microsoft.Identity.Client.MsalServiceException , ErrorCode: invalid_request HTTP StatusCode 400 CorrelationId ce33fc66-6de0-460b-8cd1-a3d335b9be4b

     at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
     at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.ExecuteAsync(CancellationToken cancellationToken)
     at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Call to Microsoft Graph failed: AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. Trace ID: b4cfa2a9-388d-4770-9b57-edb3ad4e7400 Correlation ID: ce33fc66-6de0-460b-8cd1-a3d335b9be4b Timestamp: 2023-12-06 12:15:33Z

Relevant code snippets

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/9e67d5be760284f45ba07233c1168b44f44b91a9/5-WebApp-AuthZ/5-2-Groups/Services/GraphHelper.cs#L137

Regression

No response

Expected behavior

The access token obtained by the user after login for Microsoft Graph is used correctly to obtain the member groups of the user in either OnTokenValidated or IClaimsTransformer and claims are added to the user principal for these groups.
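The two failure modes described in this issue (an ID token forwarded as a jwt-bearer assertion, and AcquireTokenSilent finding no account because HttpContext.User is not yet populated inside OnTokenValidated) can both be handled in one place. The following is an added example, not the sample's GraphHelper.cs and not a confirmed fix from the repository; it assumes Microsoft.Identity.Web 2.x exposes `ITokenAcquisition.GetAccessTokenForUserAsync(scopes, user: ...)` and that, as the logs above suggest, the authorization code has already been redeemed when OnTokenValidated runs. The `appClientId` parameter and the `TokenGuard`/`GroupsOnSignIn` names are assumptions introduced here.

```csharp
// Added example (not the sample's own code). Assumptions: Microsoft.Identity.Web 2.x with the
// GetAccessTokenForUserAsync(scopes, user: ClaimsPrincipal) overload, and OnTokenValidated firing
// after the auth-code redemption so the user's Graph access token is already in the MSAL cache.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public enum TokenKind { IdToken, AccessToken, Unknown }

public static class TokenGuard
{
    // Well-known application id of Microsoft Graph; v2 access tokens issued for Graph carry
    // either this value or "https://graph.microsoft.com" as their audience.
    private const string GraphAppId = "00000003-0000-0000-c000-000000000000";

    // Classifies a JWT before it is handed to any jwt-bearer / on-behalf-of flow. This only reads
    // claims (no signature check), so use it as a plausibility guard on tokens the app already
    // validated or received directly from the token endpoint, not as token validation.
    public static TokenKind Classify(string jwt, string appClientId)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return TokenKind.Unknown;          // opaque or malformed token
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var payload = doc.RootElement;

        string? aud = payload.TryGetProperty("aud", out var a) ? a.GetString() : null;
        bool hasNonce = payload.TryGetProperty("nonce", out _);

        // An ID token is addressed to the app itself (aud == its client id) and carries the OIDC
        // nonce: it proves sign-in, it is not a grant to call an API on the user's behalf.
        if (aud == appClientId || hasNonce) return TokenKind.IdToken;
        if (aud == GraphAppId || aud == "https://graph.microsoft.com") return TokenKind.AccessToken;
        return TokenKind.Unknown;
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }
}

public static class GroupsOnSignIn
{
    private static readonly string[] GraphScopes = { "User.Read", "Group.Read.All" };
    private static readonly HttpClient Http = new HttpClient();

    // OnTokenValidated handler. HttpContext.User is not populated yet here, so the signed-in
    // user is passed explicitly via context.Principal; relying on the ambient principal is what
    // yields "No account or login hint was passed to the AcquireTokenSilent call".
    public static async Task OnTokenValidatedAsync(TokenValidatedContext context, string appClientId)
    {
        var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();

        string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(
            GraphScopes, user: context.Principal);

        // Never forward context.SecurityToken (the ID token) as a bearer token or assertion:
        // AAD rejects it with AADSTS240002, and a token addressed to the app is not a grant for Graph.
        if (TokenGuard.Classify(accessToken, appClientId) == TokenKind.IdToken)
            throw new InvalidOperationException("Refusing to call Microsoft Graph with an ID token.");

        // Resolve transitive group membership for the signed-in user (constructed request body).
        using var req = new HttpRequestMessage(HttpMethod.Post,
            "https://graph.microsoft.com/v1.0/me/getMemberGroups");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        req.Content = new StringContent("{\"securityEnabledOnly\": false}", Encoding.UTF8, "application/json");
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        if (context.Principal?.Identity is ClaimsIdentity identity)
        {
            // Add one "groups" claim per group id so downstream policies can authorize on them.
            foreach (var id in doc.RootElement.GetProperty("value").EnumerateArray())
                identity.AddClaim(new Claim("groups", id.GetString() ?? string.Empty));
        }
    }
}
```

Wire it up with `options.Events.OnTokenValidated = ctx => GroupsOnSignIn.OnTokenValidatedAsync(ctx, clientId)` after `AddMicrosoftIdentityWebApp`, keeping the original handler chained if the sample already sets one.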