Azure / ms-rest-nodeauth

node.js based authentication library for Azure with type definitions
MIT License
33 stars 33 forks

WS-Trust RST request returned http error: 503 and server response: HTTP Error 503. The service is unavailable. #108

Closed pannonsystems closed 3 years ago

pannonsystems commented 3 years ago

Package Version: 3.0.6

**To Reproduce**

Steps to reproduce the behavior: I put sample code below; run it with the `node file.js` command.

```javascript
const msRestNodeAuth = require('@azure/ms-rest-nodeauth');
const { SubscriptionClient } = require('@azure/arm-subscriptions');

// Placeholders: substitute real values (preferably from environment variables, not source) before running.
msRestNodeAuth.loginWithUsernamePasswordWithAuthResponse('email@domain.com', "Password", { domain: "TheTenantID-UUID" }).then(
// msRestNodeAuth.interactiveLoginWithAuthResponse().then(   // interactive alternative with the same response shape
  function (authRes) {
    // The *WithAuthResponse variants resolve to { credentials, subscriptions }, not to the credential itself.
    const client = new SubscriptionClient(authRes.credentials);
    client.subscriptions.list().then(function (subs) {
      subs.forEach(function (sub) {
        console.log(`Subscription "${sub.displayName}" SubscriptionID: ${sub.subscriptionId} State: ${sub.state}`);
      });
    });
  }
).catch(function (err) {
  console.log(`ERROR: ${err.message} Stack: ${err.stack}`);
});
```

**Expected behavior**

Login to Azure. Then I want to list the subscriptions and then all the resource groups and resources in them. Interactive login works and lists the subscriptions.

**Screenshots**

Service Unavailable

HTTP Error 503. The service is unavailable.

```text
    at Logger.createError (D:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\log.js:216:13)
    at Request._callback (D:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\util.js:130:25)
    at Request.self.callback (D:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:185:22)
    at Request.emit (events.js:314:20)
    at Request.<anonymous> (D:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:1154:10)
    at Request.emit (events.js:314:20)
    at IncomingMessage.<anonymous> (D:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:1076:12)
    at Object.onceWrapper (events.js:420:28)
    at IncomingMessage.emit (events.js:326:22)
    at endReadableNT (_stream_readable.js:1244:12)
```

![image](https://user-images.githubusercontent.com/59032918/103484510-5549f500-4dbd-11eb-949a-0172663d0975.png)

**Additional context**

If I use the interactive login, it works. But interactive login will not work for a NodeJS REST API background service.
sadasant commented 3 years ago

@pannonsystems

Hello! I'm Daniel. I'll be doing my best to help you.

If you tried with loginWithServicePrincipalSecret, would it fail? Keep in mind that loginWithServicePrincipalSecret receives the domain as the third parameter as a string, and not inside of an object.

In case it helps, here's how to retrieve the parameters to loginWithServicePrincipalSecret, namely the client ID, the secret and the tenant ID:

Please let me know as soon as you have more information! Thank you for your time.
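The non-interactive login shape described above, as an added example that is not part of the thread or of the ms-rest-nodeauth library itself: the tenant ID goes in as the third positional string argument (not in a `{ domain }` options object as with the username/password helpers), and the three values are read from the environment so the client secret never sits in source. The environment variable names are an assumption of this example. One practical caveat when the listing comes back empty: a service principal only sees subscriptions on which it holds a role assignment (Reader is enough for listing).

```javascript
// Added example: service-principal login for a backend service.
// Not from the thread or the library; AZURE_* variable names are assumed.

// Read the three parameters from the environment and return them in the
// positional order loginWithServicePrincipalSecret expects: (clientId, secret, tenantId).
// Throws naming every missing variable so misconfiguration fails fast at startup.
function loadServicePrincipalConfig(env) {
  const required = ['AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET', 'AZURE_TENANT_ID'];
  const missing = required.filter((name) => !env[name]);
  if (missing.length) throw new Error(`missing environment variables: ${missing.join(', ')}`);
  return [env.AZURE_CLIENT_ID, env.AZURE_CLIENT_SECRET, env.AZURE_TENANT_ID];
}

async function listSubscriptions(env = process.env) {
  const [clientId, secret, tenantId] = loadServicePrincipalConfig(env);
  // Required lazily so the helper above stays usable without the Azure packages installed.
  const msRestNodeAuth = require('@azure/ms-rest-nodeauth');
  const { SubscriptionClient } = require('@azure/arm-subscriptions');
  // Tenant ID is the third string argument, not { domain: ... }.
  const creds = await msRestNodeAuth.loginWithServicePrincipalSecret(clientId, secret, tenantId);
  const client = new SubscriptionClient(creds);
  // Only subscriptions where the service principal has a role assignment (e.g. Reader) are returned.
  const subs = await client.subscriptions.list();
  return subs.map((s) => ({ id: s.subscriptionId, name: s.displayName, state: s.state }));
}

// Run only when the service is configured, so importing this file has no side effects.
if (process.env.AZURE_CLIENT_ID) {
  listSubscriptions()
    .then((subs) => console.log(subs))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```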

sadasant commented 3 years ago

@pannonsystems

I'll be trying more things around this issue today to see if we can spot something on our side.

sadasant commented 3 years ago

@pannonsystems

I'm back with some other questions:

I am continuing my investigations in the background. Thank you for your time!

pannonsystems commented 3 years ago

@sadasant

Hi Daniel,

The loginWithServicePrincipalSecret works. However, the application does not seem to be able to list the subscriptions as I expect it from the SubscriptionClient using the credential I get back from it.

The 503 error for loginWithUsernamePasswordWithAuthResponse and loginWithUsernamePassword is consistent with a corporate account that is a paid subscription and has on-prem Active Directory and Azure AD sync.

With the free (private) account I get the `Server returned error in RSTR - ErrorCode: NONE : FaultMessage: NONE` error:

```text
Error: Server returned error in RSTR - ErrorCode: NONE : FaultMessage: NONE
    at Logger.createError (d:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\log.js:216:13)
    at WSTrustResponse.parse (d:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\wstrust-response.js:278:23)
    at WSTrustRequest._handleRSTR (d:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\wstrust-request.js:187:21)
    at d:\Project\Azure\ResourceRepository\api\node_modules\…k (d:\Project\Azure\ResourceRepository\api\node_modules\adal-node\lib\util.js:134:5)
    at Request.self.callback (d:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:185:22)
    at Request.emit (events.js:314:20)
    at Request.<anonymous> (d:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:1154:10)
    at Request.emit (events.js:314:20)
    at IncomingMessage.<anonymous> (d:\Project\Azure\ResourceRepository\api\node_modules\request\request.js:1076:12)
```

It is important, that in both cases the accounts have multi factor authentication enabled.

The reason I am trying to use username and password is that I want to authenticate the user against Azure AD and then authorize based on group membership. This needs to be done on the back end service, not on the client (browser). I need to authenticate and authorize the user, not the application service. This is a NodeJS web application that will run in Azure as an App Service and have a web user interface (currently running on my local machine).

The goal is to have an AssetReader Azure AD group. Its members will then be allowed to read all the Azure resources, list them by subscription and resource group, and load them into a hierarchical data structure that can later be combined with the topology built by NetworkWatcher to build a diagram, etc.

I am suspecting that I might be approaching the authentication and authorization the wrong way for Azure AD accounts.

Thanks for looking into this.

Laszlo

sadasant commented 3 years ago

@pannonsystems I need to spend some time trying to reproduce this on different settings. In case I'm unable to do this soon, I'll try to find somebody in my team who can. We'll get back to you as soon as possible.

sadasant commented 3 years ago

Based on what I'm able to see on common issues on other repositories, `Server returned error in RSTR` indicates that a personal account cannot be used for this purpose, but only an organization account.

I'm still investigating the 503 on the organization account.

sadasant commented 3 years ago

@pannonsystems I'm not very familiar with on-premises Active Directory. While I learn more about this, could it be that there needs to be a special setting regarding the Active Directory Endpoint URL? The default one is https://login.microsoftonline.com/

sadasant commented 3 years ago

@pannonsystems

I had a conversation with my team and here's a more extensive answer.

The issue with username/password authentication

If your setup has Multi Factor authentication enabled, username/password will most likely not work. We could provide a more detailed review of what's going on if you provide more information of your setup.

Is your setup using ADFS?

A network trace of that 503 can help us see who's generating it.

You might have a solution through an on-behalf-of flow

The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. More info on on-behalf-flows.

Our team also suggests the use of Group memberships or role assignments to reduce the number of API calls on the backend side. More info on AAD permissions.

Some samples that might help:

While ms-rest-nodeauth uses MSAL, and MSAL is being used directly in those samples, depending on the authentication flow type, ms-rest-nodeauth might not work because of the version of MSAL we're currently using. The ms-rest-nodeauth library will require your AAD app to be allowed to authenticate using the implicit grant flow. More information on the implicit grant flow can be found here: link.


That's what I have for now! I'll loop my team through this issue as the following days come to see if I can get more information in the background. Please let us know as soon as you can provide us more information, or if you decide to go with any of the approaches we've mentioned.

Thank you for your time so far!

sadasant commented 3 years ago

For this issue I've been getting pointers from @jpda (thanks!)

ramya-rao-a commented 3 years ago

Hey @pannonsystems

We hope the above clarifications from @sadasant and @jpda have helped. We will be closing this issue as we have not heard back from you in a while. Please open a new issue if you are still having problems.