AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] Unable to authenticate using WAM Broker with enabled system proxy #4385

Open peter1155 opened 8 months ago

peter1155 commented 8 months ago

Library version used

4.56.0

.NET version

net6.0-windows10.0.17763.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

We are developing a WPF application running on net6.0-windows10.0.17763.0. Some of our users use a proxy to access resources on the web and are not able to log in using the WAM broker. (We have implemented some basic support for proxy set-up which is working with system browser login but not with WAM.) The easiest way to simulate the issue for me was to install Fiddler Classic and set it up as a system proxy; then I tried to authenticate using the provided code snippet and got the following exception: Message: WAM Error
Error Code: 3399942148 Error Message: NoNetwork WAM Error Message: (pii) Internal Error Code: 557973641 Possible cause: no Internet connection

Stack trace: at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.WamAdapters.HandleResponse(AuthResult authResult, AuthenticationRequestParameters authenticationRequestParameters, ILoggerAdapter logger, String errorMessage) at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.d13.MoveNext() at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.d12.MoveNext() at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.d9.MoveNext() at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d10.MoveNext() at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d11.MoveNext() at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d9.MoveNext() at Microsoft.Identity.Client.Internal.Requests.RequestBase.d12.MoveNext() at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.d2.MoveNext() .....

Is there a way to configure WAM to support a proxy?

Relevant code snippets

...
    async () =>
    {
        try
        {
            // Build the interactive request; with the Windows broker enabled this goes through WAM.
            var builder = PublicClient.AcquireTokenInteractive(scopes);
            builder = builder
                        .WithLoginHint(email)
                        .WithParentActivityOrWindow(appWindowHandleProvider.GetAppWindowHandle())
                        .WithPrompt(Prompt.ForceLogin)
                        .WithCorrelationId(CorrelationContext.Current.CorrelationId);

            // Without the broker, sign in through the system browser instead of the embedded web view.
            if(!accountServiceOptions.UseMsalWindowsBroker)
            {
                builder = builder.WithUseEmbeddedWebView(false);
            }

            if (consentScopes.Any())
            {
                builder = builder.WithExtraScopesToConsent(consentScopes);
            }

            var authResponse = await builder.ExecuteAsync(CancellationToken.None);

            // The user may have picked a different account in the sign-in UI than the one hinted.
            var wasAccountSwitched = authResponse?.Account?.Username != email;

            if (wasAccountSwitched && !accountSwitchAllowed)
            {
                throw new AccountSwitchDeniedException(email);
            }

            return Parse(authResponse, wasAccountSwitched);
        }
        catch (MsalClientException ex) when (ex.ErrorCode?.Equals("authentication_canceled") ?? false)
        {
            // The user closed or cancelled the sign-in UI.
            throw new OperationCanceledException(ex.Message, ex);
        }
        catch (MsalServiceException ex) when (ex.ErrorCode?.Equals("access_denied") ?? false)
        {
            // The identity provider refused the request; treated as a cancellation by the caller.
            throw new OperationCanceledException(ex.Message, ex);
        }
        catch (Exception)
        {
            // Anything else (including the WAM NoNetwork error above) is rethrown unchanged.
            throw;
        }
    },
....

Expected behavior

Users should be able to authenticate using WAM even when they use system proxy.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

We currently end up with the following workaround: when the user doesn't use a proxy we use the WAM broker; when the user has custom proxy settings we use the system browser to authenticate the user.

bgavrilMS commented 8 months ago

As far as I know there is no way to configure a proxy in WAM, but WAM should use the Windows proxy settings. How are you configuring the proxy?

peter1155 commented 8 months ago

Thanks for the answer @bgavrilMS. I am trying to simulate the proxy settings with Fiddler Classic. When Fiddler starts to capture traffic, it registers itself with the Windows Internet (WinINet) networking component and requests that all applications begin directing their requests to Fiddler.

So when I start Fiddler Classic I can see in the Windows network settings that the option "use a proxy server" is enabled with the following proxy address: http=127.0.0.1:8888;https=127.0.0.1:8888. (The loopback is excluded.)

iulico-1 commented 7 months ago

Assuming this is for test purposes: WAM requires a device-wide proxy to be used, and one way of doing that is to disable per-user proxy settings:

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings, value ProxySettingsPerUser, type REG_DWORD: 0 = per-machine proxy; 1 (or value doesn't exist) = per-user (account) proxy

Setting the Fiddler proxy: in an admin console, configure the proxy by running netsh winhttp set proxy proxy-server="http=127.0.0.1:8888;https=127.0.0.1:8888"

To verify the settings, run netsh winhttp show proxy.
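The two halves of this thread fit together as one pre-flight check in the app: the reporter's workaround (WAM when there is no proxy, system browser when the user has per-user proxy settings) and the last comment's point that WAM only sees a device-wide proxy, controlled by the ProxySettingsPerUser policy. The following C# is an added example, not code from the MSAL project or from anyone in this thread. It assumes the class and method names WamProxyPreflight, ProxyMode, ChooseFlow and InteractiveSignIn (all hypothetical), the documented policy key path (Microsoft's documented key name is "Internet Settings", with a space, which the comment above renders without one), the Microsoft.Identity.Client.Broker package for WithBroker(BrokerOptions), and the caller's own clientId, scopes and window handle.

```csharp
// Added example (not from the MSAL project or the issue author).
// Decide between the WAM broker and the system browser based on whether the
// proxy configuration on this machine is one WAM can actually use.
using System;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;   // NuGet: Microsoft.Identity.Client.Broker
using Microsoft.Win32;

public enum ProxyMode { None, PerMachine, PerUser }

public static class WamProxyPreflight
{
    // Policy location from the comment above; the documented key name contains a space.
    const string PolicyKey = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings";
    // Per-user WinINet settings that tools such as Fiddler toggle.
    const string UserKey = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings";

    // True when ProxySettingsPerUser = 0, i.e. proxy settings are per-machine (what WAM needs).
    public static bool ProxyIsPerMachine()
    {
        using var key = Registry.LocalMachine.OpenSubKey(PolicyKey);
        // A missing value means the default: per-user proxy settings.
        return key?.GetValue("ProxySettingsPerUser") is int v && v == 0;
    }

    // True when the current user's WinINet profile has a proxy enabled.
    public static bool UserProxyEnabled()
    {
        using var key = Registry.CurrentUser.OpenSubKey(UserKey);
        return key?.GetValue("ProxyEnable") is int v && v == 1;
    }

    // True when, from this process's point of view, the sign-in endpoint is reached via a proxy.
    public static bool LoginEndpointIsProxied()
    {
        var login = new Uri("https://login.microsoftonline.com/");
        IWebProxy proxy = WebRequest.GetSystemWebProxy();
        // GetProxy returns the destination itself when no proxy applies.
        return !proxy.IsBypassed(login) && proxy.GetProxy(login) != login;
    }

    public static ProxyMode Classify()
    {
        if (ProxyIsPerMachine()) return ProxyMode.PerMachine;
        return (UserProxyEnabled() || LoginEndpointIsProxied()) ? ProxyMode.PerUser : ProxyMode.None;
    }

    // The thread's workaround: WAM unless the user depends on a per-user proxy, in which
    // case the system browser (which honours WinINet user settings) is used instead.
    public static bool ChooseFlow(ProxyMode mode) => mode != ProxyMode.PerUser;
}

public static class InteractiveSignIn
{
    // clientId, scopes and parentWindow are supplied by the caller (hypothetical values).
    public static async Task<AuthenticationResult> SignInAsync(
        string clientId, string[] scopes, IntPtr parentWindow, CancellationToken ct)
    {
        bool useWam = WamProxyPreflight.ChooseFlow(WamProxyPreflight.Classify());

        var appBuilder = PublicClientApplicationBuilder.Create(clientId);
        if (useWam)
        {
            // Route the request through the Windows broker (WAM).
            appBuilder = appBuilder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
        }
        else
        {
            // System-browser flow: needs a loopback redirect URI registered for the app.
            appBuilder = appBuilder.WithRedirectUri("http://localhost");
        }
        IPublicClientApplication app = appBuilder.Build();

        var request = app.AcquireTokenInteractive(scopes).WithParentActivityOrWindow(parentWindow);
        if (!useWam)
        {
            request = request.WithUseEmbeddedWebView(false);   // system browser, not embedded web view
        }
        return await request.ExecuteAsync(ct);
    }
}
```

Classify() is deliberately conservative: a user-level proxy that applies to the sign-in endpoint is enough to fall back to the browser, because the WAM NoNetwork error in the report surfaces only after the broker has already failed to reach the service. Log the chosen ProxyMode with the correlation id so support can tell a proxy-induced fallback apart from a genuine outage.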