AzureAD / azure-activedirectory-library-for-java

MIT License

"AADSTS700003: Device object was not found in the tenant" issue started since the beginning of September #294

Closed slavag closed 4 years ago

slavag commented 4 years ago

Hi, we see a lot of issues (and it's increasing) across many tenants when we're trying to acquire a token via AuthenticationContext.acquireTokenByRefreshToken:

    Sep 13 13:55:26 Caused by: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS700003: Device object was not found in the tenant 'xxxx' directory.\r\nTrace ID: 154e5983-63d2-4c61-bcc1-717dc2169400\r\nCorrelation ID: f8666b39-307e-4230-b6e5-64ee68c8e86c\r\nTimestamp: 2020-09-13 13:55:25Z","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=700003"}
    Sep 13 13:55:26 at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128)
    Sep 13 13:55:26 at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:913)
    Sep 13 13:55:26 at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70)
    Sep 13 13:55:26 at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38)
    Sep 13 13:55:26 at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47)
    Sep 13 13:55:26 ... 4 more

And it's increasing across other tenants, and nothing has changed on our side (code or app configuration). Please advise what a possible solution for this issue could be. Thanks

sangonzal commented 4 years ago

Hi @slavag, there have been no changes in the library, so I suspect this might be related to changes happening on the service. Could you please share the configuration values for applications where you are seeing issues so we can investigate further? Values for authority, tenant id, client id, and resource would be a good start. Feel free to email them to sagonzal @ microsoft if you would like to avoid posting that information here.

slavag commented 4 years ago

@sangonzal Thanks, will send you in private.

sangonzal commented 4 years ago

Discussed via email. Posting answer here in case anyone runs into this issue in the future:

The AAD service has shipped a security fix to validate that a device matching the deviceId claim from a token is actually read from the directory and is enabled, irrespective of device-based conditional access policies.

The reason the tokens are rejected is that the presence of the deviceId claim indicates a binding to that device; when this device is not found in the directory, it indicates a revocation action where the device was deleted or disabled, and tokens for that device will no longer be valid.

You can either:
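As an added example (not part of this thread and not code from the adal4j library), the Python below parses adal4j AuthenticationException log lines of the shape quoted in the report, pulls out the AADSTS code, tenant, trace ID, correlation ID and timestamp, and flags AADSTS700003 with invalid_grant as the device revocation described above, which calls for discarding the cached refresh token and signing in again rather than retrying. The log lines are constructed, with placeholder tenant names and IDs.

```python
import json
import re
from collections import Counter

# Constructed log lines modelled on the adal4j exception quoted in this thread;
# tenant names, trace IDs and correlation IDs are placeholders, not real values.
SAMPLE_LOG = "\n".join([
    r"""Sep 13 13:55:26 Caused by: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS700003: Device object was not found in the tenant 'tenant-a' directory.\r\nTrace ID: 00000000-0000-0000-0000-000000000001\r\nCorrelation ID: 00000000-0000-0000-0000-0000000000aa\r\nTimestamp: 2020-09-13 13:55:25Z","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=700003"}""",
    r"""Sep 13 13:57:02 Caused by: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS700003: Device object was not found in the tenant 'tenant-b' directory.\r\nTrace ID: 00000000-0000-0000-0000-000000000002\r\nCorrelation ID: 00000000-0000-0000-0000-0000000000bb\r\nTimestamp: 2020-09-13 13:57:01Z","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=700003"}""",
    "Sep 13 13:58:10 INFO token acquired for tenant 'tenant-a'",  # not an error line
])
EXC_RE = re.compile(r"AuthenticationException: (\{.*\})\s*$")
CODE_RE = re.compile(r"^AADSTS(\d+):")
TENANT_RE = re.compile(r"tenant '([^']+)' directory")
DEVICE_REVOKED = {"700003"}  # the answer above ties this code to a revoked device binding

def parse_aad_error(line):
    """Return the fields of an AADSTS failure logged by adal4j, or None."""
    m = EXC_RE.search(line)
    if not m:
        return None
    body = json.loads(m.group(1))  # decodes the \r\n and \/ escapes in the JSON
    desc = body.get("error_description", "").splitlines() or [""]
    code, tenant = CODE_RE.match(desc[0]), TENANT_RE.search(desc[0])
    fields = dict(p.partition(": ")[::2] for p in desc[1:] if ": " in p)  # "Trace ID: <guid>" lines
    return {
        "oauth_error": body.get("error"),
        "aadsts": code.group(1) if code else None,
        "tenant": tenant.group(1) if tenant else None,
        "trace_id": fields.get("Trace ID"),
        "correlation_id": fields.get("Correlation ID"),
        "timestamp": fields.get("Timestamp"),
    }

def classify(err):
    """700003 with invalid_grant: the device bound to the token is deleted or
    disabled, so the grant is revoked and retrying cannot succeed."""
    if err["oauth_error"] == "invalid_grant" and err["aadsts"] in DEVICE_REVOKED:
        return "device_revoked"  # drop the cached refresh token, sign in afresh
    return "other"               # hand to the normal error path

def summarize(log_text):
    """Count device-revocation failures per tenant (the 'increasing across tenants' signal)."""
    by_tenant = Counter()
    for line in log_text.splitlines():
        err = parse_aad_error(line)
        if err is not None and classify(err) == "device_revoked":
            by_tenant[err["tenant"]] += 1
    return by_tenant
```

Pointing summarize() at the application log gives a per-tenant count of these failures, and the trace and correlation IDs from parse_aad_error() are what the service side needs to investigate a specific rejection.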