Azure-Samples / ms-identity-java-webapp

A Java web application calling Microsoft Graph that is secured using the Microsoft identity platform
MIT License

Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed. #51

Closed rainbowrain0912 closed 4 years ago

rainbowrain0912 commented 4 years ago

I'm getting this error after deploying to a production environment. It was working on localhost. I already updated the application.properties to reflect the production redirectURIs set in Azure. Please advise.

2020-06-13 08:57:50.045 ERROR 2420 --- [onPool-worker-2] c.m.a.m.ConfidentialClientApplication    : [Correlation ID: 546d57eb-860e-428a-9711-91958c369878] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed.

com.microsoft.aad.msal4j.MsalClientException: java.net.ConnectException: Connection timed out: connect
    at com.microsoft.aad.msal4j.HttpHelper.executeHttpRequest(HttpHelper.java:36) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AadInstanceDiscoveryProvider.sendInstanceDiscoveryRequest(AadInstanceDiscoveryProvider.java:117) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AadInstanceDiscoveryProvider.doInstanceDiscoveryAndCache(AadInstanceDiscoveryProvider.java:131) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AadInstanceDiscoveryProvider.getMetadataEntry(AadInstanceDiscoveryProvider.java:42) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.getAuthorityWithPrefNetworkHost(AuthenticationResultSupplier.java:32) [msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:49) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:59) [msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17) [msal4j-1.4.0.jar:1.4.0]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [na:1.8.0_221]
    at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1582) [na:1.8.0_221]
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289) [na:1.8.0_221]
    at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056) [na:1.8.0_221]
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692) [na:1.8.0_221]
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157) [na:1.8.0_221]
Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[na:1.8.0_221]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[na:1.8.0_221]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_221]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_221]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_221]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_221]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_221]
    at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_221]
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666) ~[na:1.8.0_221]
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) ~[na:1.8.0_221]
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_221]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[na:1.8.0_221]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[na:1.8.0_221]
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) ~[na:1.8.0_221]
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[na:1.8.0_221]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[na:1.8.0_221]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162) ~[na:1.8.0_221]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056) ~[na:1.8.0_221]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[na:1.8.0_221]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_221]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_221]
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_221]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352) ~[na:1.8.0_221]
    at com.microsoft.aad.msal4j.DefaultHttpClient.readResponseFromConnection(DefaultHttpClient.java:97) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.DefaultHttpClient.executeHttpGet(DefaultHttpClient.java:40) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.DefaultHttpClient.send(DefaultHttpClient.java:28) ~[msal4j-1.4.0.jar:1.4.0]
    at com.microsoft.aad.msal4j.HttpHelper.executeHttpRequest(HttpHelper.java:33) ~[msal4j-1.4.0.jar:1.4.0]
    ... 13 common frames omitted
rainbowrain0912 commented 4 years ago

I think it may have something to do with the SSL certificate being in the load balancer and not in the server? Do I need any special set up to get this to work?

Avery-Dunn commented 4 years ago

@rainbowrain0912 : Hello, I haven't been able to reproduce your 'Connection timed out' error myself, but since it's a timeout issue it's likely the connection is being blocked at some point in your network. You say that it was working in your local environment but not in the production environment, so my best guess would be an issue with what is being allowed through the load balancer or any firewall specific to the production environment.

I don't believe MSAL uses anything other than the typical HTTP ports (80/443), so depending on your production server, are you able to test whether any outbound connections to those ports are possible? I.e., do you have any other application that also makes HTTP calls, or are you able to use some tool to ping some server (such as login.microsoftonline.com)?

rainbowrain0912 commented 4 years ago

I will reach out to network team to check and update.

rainbowrain0912 commented 4 years ago

@Avery-Dunn: Network confirmed that the firewall and SSL handshake are fine. It is going through. Ports 80/443 are working fine too. How do I configure it in application.properties if the SSL cert is on the load balancer? I think this is the key.

Avery-Dunn commented 4 years ago

@rainbowrain0912 : I'm not sure if there is a way to get a cert on another server, at least not through just the properties file. However, MSAL4J has an HTTP client class used for making connections, and you could implement a custom version of this class which has some way of retrieving the cert from the load balancer. If you aren't able to place the cert on the server that your application is running on, that might be the best way to go.

However, if you're still having issues even after your application gets access to the cert, then I'm not sure what the issue could be other than networking. Maybe connections first have to go through a proxy, or maybe there is some setting on the load balancer that restricts the use of self-signed certificates.

Avery-Dunn commented 4 years ago

Closing due to lack of activity for a while. If you're still having issues, feel free to leave a comment or re-open this thread.

rainbowrain0912 commented 4 years ago

We resolved it by configuring a proxy.

Thank you for your help.
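The stack trace above fails inside MSAL4J's instance discovery call, i.e. an outbound HTTPS request from the server to login.microsoftonline.com, which is validated against the JVM truststore and is unaffected by the certificate on the inbound load balancer; the fix that worked was routing that outbound traffic through a proxy. The following example (added here, not code from this repository or the sample) shows how to do that with the builder's `proxy(...)` option and how to preflight the authority through the same proxy with a short timeout so a blocked egress path fails fast with a clear message; the proxy host/port, client id, secret and tenant are placeholders.

```java
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;

public class ProxiedMsalClient {

    // Placeholders: take these from application.properties in a real deployment.
    static final String CLIENT_ID = "<client-id>";
    static final String CLIENT_SECRET = "<client-secret>";
    static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";

    // Assumed corporate egress proxy; host and port are placeholders.
    static final Proxy EGRESS_PROXY =
            new Proxy(Proxy.Type.HTTP, new InetSocketAddress("proxy.example.internal", 8080));

    /** Reach the authority the way MSAL's instance discovery will, but fail in 5s, not ~20s. */
    static int preflightAuthority(String authority, Proxy proxy) throws IOException {
        URL probe = new URL(authority + "v2.0/.well-known/openid-configuration");
        HttpURLConnection conn = (HttpURLConnection) probe.openConnection(proxy);
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode(); // 200 when outbound HTTPS via the proxy is open
        } finally {
            conn.disconnect();
        }
    }

    static ConfidentialClientApplication build() throws MalformedURLException {
        return ConfidentialClientApplication
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET))
                .authority(AUTHORITY)
                .proxy(EGRESS_PROXY) // all MSAL requests, instance discovery included, use the proxy
                .build();
    }

    public static void main(String[] args) throws IOException {
        int status = preflightAuthority(AUTHORITY, EGRESS_PROXY);
        if (status != 200) {
            throw new IllegalStateException("Authority unreachable via proxy, HTTP " + status);
        }
        ConfidentialClientApplication app = build();
        System.out.println("MSAL client ready for client id " + app.clientId());
    }
}
```

If the preflight itself times out, the problem is the egress path (proxy, firewall or load balancer), not application.properties or the TLS certificate served to browsers.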