Azure-Samples / ms-identity-java-desktop

A desktop application in Java calling Microsoft Graph API
MIT License

Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed #9

Closed SkFaraha closed 4 years ago

SkFaraha commented 4 years ago

I am using the Username Password flow sample code and getting the below exception while trying to get an access token:

ERROR com.microsoft.aad.msal4j.PublicClientApplication - [Correlation ID: 7b9d78c0-8f88-4864-81fb-44d5b06adc19] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed.
java.net.MalformedURLException: no protocol:
    at java.net.URL.<init>(URL.java:610)
    at java.net.URL.<init>(URL.java:507)
    at java.net.URL.<init>(URL.java:456)
    at com.microsoft.aad.msal4j.HttpHelper.executeHttpRequest(HttpHelper.java:36)
    at com.microsoft.aad.msal4j.WSTrustRequest.execute(WSTrustRequest.java:65)
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.processPasswordGrant(AcquireTokenByAuthorizationGrantSupplier.java:76)
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:33)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:57)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
    at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1582)
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
Exception in thread "main" java.util.concurrent.ExecutionException: java.net.MalformedURLException: no protocol:
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1895)
    at PublicClient.getAccessToken(PublicClient.java:74)
    at PublicClient.main(PublicClient.java:53)
Caused by: java.net.MalformedURLException: no protocol:
    at java.net.URL.<init>(URL.java:610)
    at java.net.URL.<init>(URL.java:507)
    at java.net.URL.<init>(URL.java:456)
    at com.microsoft.aad.msal4j.HttpHelper.executeHttpRequest(HttpHelper.java:36)
    at com.microsoft.aad.msal4j.WSTrustRequest.execute(WSTrustRequest.java:65)
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.processPasswordGrant(AcquireTokenByAuthorizationGrantSupplier.java:76)
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:33)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:57)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
    at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1582)
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)

Avery-Dunn commented 4 years ago

Hello, I'm not able to recreate your error message exactly, but I am able to produce a similar error by setting the value of AUTHORITY to a blank String:

Exception in thread "main" java.net.MalformedURLException: no protocol: /
    at java.net.URL.<init>(URL.java:610)
    at java.net.URL.<init>(URL.java:507)
    at java.net.URL.<init>(URL.java:456)
    at com.microsoft.aad.msal4j.AbstractClientApplicationBase$Builder.authority(AbstractClientApplicationBase.java:212)

Have you made any changes to the sample, other than configuring the client ID, username, and password? In particular, changes/additions/deletions to any URLs?

SkFaraha commented 4 years ago

No, I have not changed anything other than these three fields. Is this issue related to the registered app, because someone else has registered it? And the redirect URL and application URL are not there in the overview section. Please help. I am attaching the screenshot.

SkFaraha commented 4 years ago

Also, can you please tell me why I am getting this "AcquireTokenByAuthorizationGrantSupplier failed" exception? I tried to run the particular Java class in another project; at that time it threw just the 'no protocol' exception and not this one: 'Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed.'

SkFaraha commented 4 years ago

Hello Avery, I dug into the code and found out that the URL for the HTTP request is becoming null inside the AcquireTokenByAuthorizationGrantSupplier.java class of msal4j. Internally it is calling a REST service at line number 69 (UserDiscoveryRequest.execute) which is returning the below response:

https://login.microsoftonline.com/common/userrealm/******.ApplicationID@****.com?api-version=1.0

{"ver":"1.0", "account_type":"F*d", "domain_name":".com", "federation_protocol":"SAML20", "federation_metadata_url":"", "federation_active_auth_url":"https://*.****.com/o365/ba", "cloud_instance_name":"microsoftonline.com", "cloud_audience_urn":"urn:federation:MicrosoftOnline"}

where federation_metadata_url is null, and this is being sent as the URL of the HTTP request, which is causing the 'no protocol' exception.

Can you please help me with what to do about this? I have no clue about this.
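A pre-flight check one could run before calling acquireToken, so that a federated tenant whose realm discovery returns an empty federation_metadata_url fails with a readable reason instead of the bare "no protocol" exception. This is an added example, not code from this thread or from msal4j; the class name UserRealmCheck and the sample response (placeholder domain and URL in place of the masked values above) are constructed here, and it assumes the userrealm endpoint reports federated accounts as account_type "Federated".

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UserRealmCheck {

    // Flat "key":"value" pairs are all the userrealm response contains (no nesting).
    private static final Pattern PAIR = Pattern.compile("\"(\\w+)\"\\s*:\\s*\"([^\"]*)\"");

    static Map<String, String> parseRealm(String json) {
        Map<String, String> fields = new HashMap<>();
        Matcher m = PAIR.matcher(json);
        while (m.find()) {
            fields.put(m.group(1), m.group(2));
        }
        return fields;
    }

    /** Returns null when username/password can proceed, otherwise a human-readable reason. */
    static String diagnose(Map<String, String> realm) {
        String accountType = realm.getOrDefault("account_type", "");
        if (!"Federated".equalsIgnoreCase(accountType)) {
            return null; // managed account: MSAL talks to AAD directly, no WS-Trust step
        }
        String metadataUrl = realm.getOrDefault("federation_metadata_url", "");
        if (metadataUrl.isEmpty()) {
            return "federated account but federation_metadata_url is empty; msal4j would hand "
                 + "an empty URL to its WS-Trust request (MalformedURLException: no protocol)";
        }
        try {
            new URL(metadataUrl); // same constructor that throws inside HttpHelper.executeHttpRequest
        } catch (MalformedURLException e) {
            return "federation_metadata_url is not a valid URL: " + e.getMessage();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the response quoted in the thread; domain and URL are placeholders.
        String sample = "{\"ver\":\"1.0\", \"account_type\":\"Federated\", \"domain_name\":\"example.com\", "
            + "\"federation_protocol\":\"SAML20\", \"federation_metadata_url\":\"\", "
            + "\"federation_active_auth_url\":\"https://sts.example.com/o365/ba\"}";
        String problem = diagnose(parseRealm(sample));
        System.out.println(problem == null ? "OK to call acquireToken" : "Stop: " + problem);
    }
}
```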

Avery-Dunn commented 4 years ago

Have a look at either the Authentication or Manifest tabs of the app registration in the Azure portal:

Doing either of those should have the same result (i.e., toggling the button should change the value in the manifest). I believe there's a step in the README about setting the allowPublicClient value to true, but since you said someone else registered the app, that might still be the default 'false'.

SkFaraha commented 4 years ago

Yes, I have checked the Manifest; allowPublicClient is set as true. I tried the same URL I mentioned before in Postman with my personal account and it is producing a value for federation_metadata_url, but while trying with my organization account it is returning an empty string. Is that a proxy issue?

Avery-Dunn commented 4 years ago

You said your personal account has a value for federation_metadata_url in Postman, but have you tried using it in the actual sample? And is your personal account also a federated user? (I assume it is, since federation_metadata_url isn't blank)

If your personal account works but your organization account doesn't, then there might be an issue with the configuration on the ADFS side of things, which is disabling/blocking something the username/password flow needs. If you know whoever configured ADFS for the organization that is having issues, they might be able to help identify and solve the problem. Depending on your use case, you can also try some of the other samples (such as device code flow) to see if similar problems happen in other flows.

SkFaraha commented 4 years ago

Yes, my personal account is a federated user. I will check with my organization regarding that ADFS configuration and will update accordingly. I have tried the device code flow and it worked perfectly fine for my personal account, but for my organization account it was showing the error "Device Code Expired".

SkFaraha commented 4 years ago

One more thing to add: my authority type is AAD and not ADFS. Is that in any way related?

SkFaraha commented 4 years ago

Hello Avery, I checked with my organization and came to know that they use an IDP for authentication. Can I still go with this approach, or do I have to follow some other approach? Please suggest.

Avery-Dunn commented 4 years ago

I haven't done much with ADFS myself, so I don't really know what's involved with using a third-party IDP, but I don't think that should be a blocker. However, if device code flow is also having issues with your organization account but not your personal account then my only guess is there is some configuration issue with your organization's ADFS instance (though I haven't configured ADFS myself, so again I'm not sure what that would be).