AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular
Apache License 2.0
627 stars 372 forks source link

AADSTS16000: User account 'XXX' from identity provider 'live.com' does not exist in tenant #829

Closed rdkleine closed 4 years ago

rdkleine commented 6 years ago

Library Name

Library version

Library version: 1.0.17

Current behavior

When the Token is expired and the _renewIdToken is called I get the error below. When I log in there is no problem but .. I just don't understand what seems to be wrong?

"AADSTS16000: User account 'XXX' from identity provider 'live.com' does not exist in tenant 'TENANTNAME' and cannot access the application '4101a745-7d14-44a7-bd64-e901b6c63fe4' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: f3202d86-0ebd-42e6-a77f-7d2d0b4e3200 Correlation ID: 9b19e5c7-82f2-4edb-b2dd-488393a1f0ed Timestamp: 2018-11-07 19:28:44Z"

This is the request url: https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/authorize ?response_type=id_token &client_id=4101a745-7d14-44a7-bd64-e901b6c63fe4 &redirect_uri=https%3A%2F%2Flocalhost%3A44300%2FIndex2.html &state=3afc1b26-f133-4a91-89b2-8ff227275913%7C4101a745-7d14-44a7-bd64-e901b6c63fe4 &client-request-id=a126a5c8-617f-4d83-86d6-71cddeb1d7cd &x-client-SKU=Js &x-client-Ver=1.0.17 &prompt=none &nonce=de7da6d3-bc3c-45d5-a34f-ad7b5a0bceb1

navyasric commented 5 years ago

@rdkleine Can you please provide some code snippet or repro of how you are using the library to login, acquire the token and to renew it?

rdkleine commented 5 years ago

Hi Navya,

I've identified the problem. There are multiple user identities available for the current request. When providing a 'login_hint' using the extraQueryParameter - which feels a bit hacky - this is circumvented.

A better solution would be to add the username in the _addHintParameters method when the upn is not available. (see issue 580)

var config: AuthenticationContext.Options = {
    instance: 'https://login.microsoftonline.com/',
    tenant: process.env.tenant,
    clientId: process.env.clientId,
    cacheLocation: 'sessionStorage',
    navigateToLoginRequestUrl: false,
    popUp: false
};

// >> Add login_hint based on cached user <<
var context = new AuthenticationContext(config);
var user = context.getCachedUser();
if (user) {
    context.config.extraQueryParameter = 'login_hint=' + user.userName;
}

adalAuthenticationServiceProvider.init(config, $httpProvider);
jmckennon commented 4 years ago

Closing this issue as it seems this is no longer a problem.

Additionally, all current authentication work from Microsoft is delivered through the msal js library here. adal js is still supported only for security fixes. We recommend moving to msal js for any advanced feature requests and bugfixes.