AzureAD / MSAL.PS

MIT License

Unable to generate tokens after updating to 4.16.0.1 #12

Closed ThomasJanosek closed 3 years ago

ThomasJanosek commented 4 years ago

I just updated my module from version 4.8.2.1 to the latest version after users reported errors, and scripts I have been using to authenticate users for delegated permissions with the authorization code flow have stopped working. I've tried running Get-MsalToken with both a certificate and a secret and it sends the same errors. I've compared the parameter sets I was using in the old version with those in the new version, but I don't see any different requirements.

4.8.2.1 Parameters:

Get-MsalToken -ClientId <String> -ClientSecret <SecureString> -AuthorizationCode <String> 
[-RedirectUri <Uri>] [-TenantId <String>] [-Authority <Uri>]  
[-Scopes <String[]>] [-CorrelationId <Guid>] [-extraQueryParameters <String>] [<CommonParameters>]

4.16.0.1 Parameters:

Get-MsalToken [-ClientId] <String> -ClientSecret <SecureString> -AuthorizationCode <String> [-RedirectUri <Uri>] 
[-AzureCloudInstance {None | AzurePublic | AzureChina | AzureGermany | AzureUsGovernment}] [-TenantId <String>] 
[-Authority <Uri>] [-Scopes <String[]>] [-CorrelationId <Guid>] [-ExtraQueryParameters <Hashtable>] [<CommonParameters>]

The authorization code is received by calling the login.microsoftonline authorize endpoint with a prompt using .NET Windows objects. The code returned is then fed into the "AuthorizationCode" parameter.

Code:

# Splat for Get-MsalToken (confidential client, authorization code grant).
# $secret must be a SecureString; $oauth.code is the code parsed from the redirect.
$bodySplat = @{
    "ClientId"          = $clientId
    "ClientSecret"      = $secret
    "AuthorizationCode" = $oauth.code
    "TenantId"          = $tenant
    "Authority"         = $authority
    "Scopes"            = $scopeAll
    "RedirectUri"       = $redirectUri
}
$access = Get-MsalToken @bodySplat

Error responses:

You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.16.0.1\Get-MsalToken.ps1:299 char:21
+ ...             $AquireTokenParameters = $ConfidentialClientApplication.A ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.16.0.1\Get-MsalToken.ps1:315 char:45
+ ...            elseif ($TenantId) { [void] $AquireTokenParameters.WithAut ...
+                                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.16.0.1\Get-MsalToken.ps1:316 char:42
+ ...               if ($Authority) { [void] $AquireTokenParameters.WithAut ...
+                                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$ClientApplication' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.16.0.1\Get-MsalToken.ps1:319 char:86
+ ... en for Application with ClientId [{0}]' -f $ClientApplication.ClientI ...
+                                                ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (ClientApplication:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

The variable '$AquireTokenParameters' cannot be retrieved because it has not been set.
At C:\Program Files\WindowsPowerShell\Modules\MSAL.PS\4.16.0.1\Get-MsalToken.ps1:324 char:256
+ ... lureAuthenticationError' -TargetObject $AquireTokenParameters -ErrorA ...
+                                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (AquireTokenParameters:String) [], RuntimeException
    + FullyQualifiedErrorId : VariableIsUndefined

Invoke-RestMethod : {
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 80049217",
    "innerError": {
      "date": "2020-07-08T23:55:14",
      "request-id": "6553ddab-5e6e-4b93-8ed1-12d7c7cbd916"
    }
  }
}
At H:\AppRegistration\New-TestAppGraph.ps1:75 char:5
+     Invoke-RestMethod -uri $meUri -Headers $header
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

If there's another method I should be using for the authorization code flow or something I should be doing differently, please let me know.
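The flow the post describes (authorize endpoint, redirect with a code, Get-MsalToken -AuthorizationCode, then Graph) as an added example. This is not code from the issue or from MSAL.PS; it only calls the Get-MsalToken parameters listed in the post above (-ClientId, -ClientSecret as a SecureString, -AuthorizationCode, -RedirectUri, -TenantId, -Scopes). The tenant, client ID, redirect URI and scopes are placeholder assumptions, and the redirect URL is pasted in with Read-Host in place of the WinForms/WPF browser object the post uses. It adds the two checks the post's script lacks: the state value is validated before the code is redeemed, and the result of Get-MsalToken is checked before anything is put in an Authorization header. The last error in the post is what Graph returns when that header carries an empty or malformed token, which is exactly what happens when $access is $null.

```powershell
Import-Module MSAL.PS

function New-AuthorizeRequest {
    # Builds the v2.0 authorize URL and a random state value. The state is the
    # CSRF check: a redirect that comes back with a different state is discarded.
    param(
        [Parameter(Mandatory)] [string]$TenantId,
        [Parameter(Mandatory)] [string]$ClientId,
        [Parameter(Mandatory)] [uri]$RedirectUri,
        [Parameter(Mandatory)] [string[]]$Scopes
    )
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $state = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    $query = [ordered]@{
        client_id     = $ClientId
        response_type = 'code'
        response_mode = 'query'
        redirect_uri  = $RedirectUri.AbsoluteUri
        scope         = ($Scopes -join ' ')
        state         = $state
    }
    $qs = ($query.GetEnumerator() | ForEach-Object {
            '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value) }) -join '&'
    [pscustomobject]@{
        Url   = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?$qs"
        State = $state
    }
}

function Get-AuthorizationCodeFromRedirect {
    # Parses the redirect the login window landed on and returns the code only
    # if the state matches (case-sensitive) and the IdP did not report an error.
    param(
        [Parameter(Mandatory)] [uri]$ReturnedUri,
        [Parameter(Mandatory)] [string]$ExpectedState
    )
    $params = @{}
    foreach ($pair in ($ReturnedUri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $k, $v = $pair -split '=', 2
        if ($null -eq $v) { $v = '' }
        $params[[uri]::UnescapeDataString($k)] = [uri]::UnescapeDataString($v)
    }
    if ($params['error']) {
        throw "Authorization failed: $($params['error']): $($params['error_description'])"
    }
    if ($params['state'] -cne $ExpectedState) {
        throw 'state mismatch: stale login window or a forged redirect; code discarded'
    }
    if (-not $params['code']) { throw 'redirect carried no authorization code' }
    return $params['code']
}

function Get-DelegatedToken {
    # Redeems the code with Get-MsalToken (confidential client) and refuses to
    # hand back an empty result, so "Bearer " with nothing after it never reaches Graph.
    param(
        [Parameter(Mandatory)] [string]$TenantId,
        [Parameter(Mandatory)] [string]$ClientId,
        [Parameter(Mandatory)] [securestring]$ClientSecret,
        [Parameter(Mandatory)] [uri]$RedirectUri,
        [Parameter(Mandatory)] [string[]]$Scopes,
        [Parameter(Mandatory)] [string]$AuthorizationCode
    )
    $tokenParams = @{
        ClientId          = $ClientId
        ClientSecret      = $ClientSecret      # SecureString, as the parameter set requires
        AuthorizationCode = $AuthorizationCode
        RedirectUri       = $RedirectUri       # must equal the redirect_uri sent to /authorize
        TenantId          = $TenantId
        Scopes            = $Scopes
        ErrorAction       = 'Stop'
    }
    $result = Get-MsalToken @tokenParams
    if (-not $result -or [string]::IsNullOrEmpty($result.AccessToken)) {
        throw 'Get-MsalToken returned no access token; fix that before calling Graph'
    }
    return $result
}

# --- usage (all values below are placeholder assumptions) ---------------------
$tenant      = 'contoso.onmicrosoft.com'
$clientId    = '00000000-0000-0000-0000-000000000000'      # your app registration
$redirectUri = [uri]'http://localhost:8400/callback'        # registered on the app
$scopes      = @('https://graph.microsoft.com/User.Read')
$secret      = Read-Host -Prompt 'Client secret' -AsSecureString   # never a plain string

$req = New-AuthorizeRequest -TenantId $tenant -ClientId $clientId -RedirectUri $redirectUri -Scopes $scopes
Write-Host "Open this in the login window:`n$($req.Url)"
# The post's WinForms/WPF browser object would hand over this URL; pasting it stands in for that here.
$returned = [uri](Read-Host -Prompt 'Paste the full redirect URL the window ended on')
$code     = Get-AuthorizationCodeFromRedirect -ReturnedUri $returned -ExpectedState $req.State
$token    = Get-DelegatedToken -TenantId $tenant -ClientId $clientId -ClientSecret $secret `
                -RedirectUri $redirectUri -Scopes $scopes -AuthorizationCode $code

$header = @{ Authorization = "Bearer $($token.AccessToken)" }
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $header
```

Two caveats. The Get-MsalToken parameter sets quoted in the post have no code-verifier parameter, so do not add a code_challenge to the authorize request with this splat: the token endpoint would then demand a code_verifier that is never sent and reject the exchange. And -ErrorAction Stop plus the null check are what turn the cascade of "variable cannot be retrieved" messages in the post into a single failure at the token step, before the empty header is sent and Graph answers with InvalidAuthenticationToken.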

jazuntee commented 3 years ago

Thanks for the details. I found the issue and published a new version 4.16.0.2 with the fix.