AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] #4989

Open ggroves opened 5 days ago

ggroves commented 5 days ago

Library version used

4.66.1.0

.NET version

8.0.10

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

We were asked to open this issue by Microsoft support. We have three identically configured Azure web apps (development, test, production). On development and production, calls to MS Graph fail. Here is what we log:

  dbug: UnifiedSmartPortal.Services.UserService[0] [CallMicrosoftGraph] Calling Microsoft Graph...
  info: UnifiedSmartPortal.Networking.GraphLoggingHandler[0] MSAL Request: Method: GET, RequestUri: 'https://graph.microsoft.com/v1.0/me?$select=companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName', Version: 1.1, Content: , Headers:
  {
    Accept: application/json
    Authorization: Bearer
    FeatureFlag: 00000003
    Cache-Control: no-store, no-cache
    User-Agent: kiota-dotnet/1.3.4
    SdkVersion: graph-dotnet-core/3.1.6 (featureUsage=00000003; hostOS=Microsoft Windows NT 10.0.20348.0; hostArch=X64; runtimeEnvironment=.NET 8.0.8;)
    client-request-id: 48a0999b-d24a-49ee-ae01-bb62021e097d
  }

  MSAL Response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
  {
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=31536000
    request-id: 5fd97559-d114-4ae3-b81b-9049ca68083c
    client-request-id: 48a0999b-d24a-49ee-ae01-bb62021e097d
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF0002E9D5"}}
    WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"
    WWW-Authenticate: PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="****"
    Date: Wed, 06 Nov 2024 16:35:40 GMT
    Content-Type: application/json
  }

  {"error":{"code":"InvalidAuthenticationToken","message":"ArgumentNull","innerError":{"date":"2024-11-06T16:35:40","request-id":"5fd97559-d114-4ae3-b81b-9049ca68083c","client-request-id":"48a0999b-d24a-49ee-ae01-bb62021e097d"}}}

warn: UnifiedSmartPortal.Services.UserService[0] [CallMicrosoftGraph] MSGraph is unavailable - ArgumentNull

The same code works on the test instance, and multiple development machines. We have verified that test is set up the same as development and production.

Packages: Microsoft.Identity.Web 3.3.1, Microsoft.Identity.Web.GraphServiceClient 3.31, Microsoft.Kiota.Authentication.Azure 1.14.0

Relevant code snippets

private static readonly string[] UserProps = new string[] { "companyName", "department", "displayName", "employeeType",
    "givenName", "jobTitle", "mail", "manager", "officeLocation", "preferredName", "userPrincipalName" };

...
    _logger.LogDebug("[CallMicrosoftGraph] Calling Microsoft Graph...");
    userInfo = await _graphServiceClient.Me
        .GetAsync((requestConfiguration) =>
        {
            requestConfiguration.QueryParameters.Select = UserProps;
        });
}

Expected behavior

This is what is logged from the same call on localhost:

  info: UnifiedSmartPortal.Networking.GraphLoggingHandler[0] MSAL Request: Method: GET, RequestUri: 'https://graph.microsoft.com/v1.0/me?$select=companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName', Version: 1.1, Content: , Headers:
  {
    Accept: application/json
    Authorization: Bearer ****
    FeatureFlag: 00000003
    Cache-Control: no-store, no-cache
    User-Agent: kiota-dotnet/1.3.4
    SdkVersion: graph-dotnet-core/3.1.6 (featureUsage=00000003; hostOS=Microsoft Windows NT 10.0.22631.0; hostArch=X64; runtimeEnvironment=.NET 8.0.10;)
    client-request-id: 5f1ff492-4dfc-4077-8a59-37804945e114
  }

  MSAL Response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
  {
    Cache-Control: max-age=0, private
    Transfer-Encoding: chunked
    Strict-Transport-Security: max-age=31536000
    request-id: 3c5ddd01-1b4e-4dcb-8325-7727160e8aba
    client-request-id: 5f1ff492-4dfc-4077-8a59-37804945e114
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"SJ1PEPF00001C68"}}
    x-ms-resource-unit: 1
    OData-Version: 4.0
    Date: Wed, 06 Nov 2024 13:17:10 GMT
    Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
  }

  {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users(companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName)/$entity","companyName":"CP AHS VIRTUAL","department":"IT Clinical System Architectur","displayName":"Groves, Greg","employeeType":null,"givenName":"Greg","jobTitle":"IT-EMR Data Engineer Senior I","mail":"********@AdventHealth.com","officeLocation":"ALTAMONTE SPRINGS","userPrincipalName":"******@multihosp.net","preferredName":""}

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

bgavrilMS commented 4 days ago

Hi @ggroves - you pasted a signed token on a public website. Can you please confirm that the token was expired at the moment you pasted it? (I had a look at the exp claim in it and it does seem so). I recommend that you change the password for the user in the token and invalidate all their sessions, just to be safe.

MSAL deals with token acquisition. You seem to have acquired a token.

The problem seems around token validation. Graph performs token validation. Please open a bug on Graph SDK - https://github.com/microsoftgraph/msgraph-sdk-dotnet or talk to support to accelerate your ask
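Two checks that follow from the exchange above, as an added example that is not part of this issue and not code from MSAL, Microsoft.Identity.Web or the reporter's app. First, triage a captured Authorization header the way the maintainer did with the pasted token: read the JWT's exp (and aud/tid) claims without verifying the signature, and distinguish a missing or empty bearer from a malformed, expired or still-live token. Second, scrub Bearer tokens from GraphLoggingHandler-style request lines before they reach a log or a bug report, replacing each with a SHA-256 fingerprint so entries can still be correlated. The JWT is constructed here with a throwaway HMAC key and a placeholder tenant id (real Graph tokens are RS256-signed by Entra); the timestamp is the Date header of the failing response.

```python
"""Triage a captured Authorization header and scrub Bearer tokens from log lines.

Added example; not code from MSAL, Microsoft.Identity.Web or the reporter's app.
Claims are read WITHOUT signature verification: a triage aid for a token that has
already leaked, not a validation routine. The JWT is constructed in this file.
"""
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Epoch seconds of the failing response's Date header (Wed, 06 Nov 2024 16:35:40 GMT).
NOW = 1730910940


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_token(exp: int, key: bytes = b"demo-key-not-a-secret") -> str:
    """Constructed HS256 JWT with the claims an Entra access token carries (aud, tid, exp).
    HS256 and the all-zero tenant id are placeholders so the sample is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com",
               "tid": "00000000-0000-0000-0000-000000000000",
               "upn": "user@example.com", "exp": exp}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def inspect_authorization(header_value: Optional[str], now: Optional[int] = None) -> dict:
    """Classify an Authorization header value as you would when triaging a 401.
    'status' is one of: missing, not-bearer, empty, not-a-jwt, expired, live.
    For JWTs the unverified aud/tid/exp are returned so you can confirm the token
    was cut for Graph and whether it was still usable when it was exposed."""
    now = int(time.time()) if now is None else now
    if header_value is None:
        return {"status": "missing"}
    m = re.fullmatch(r"\s*Bearer\s*(\S*)\s*", header_value)
    if m is None:
        return {"status": "not-bearer"}
    token = m.group(1)
    if token == "":
        return {"status": "empty"}
    parts = token.split(".")
    if len(parts) != 3:
        return {"status": "not-a-jwt"}
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return {"status": "not-a-jwt"}
    if not isinstance(claims, dict):
        return {"status": "not-a-jwt"}
    exp = int(claims.get("exp", 0))
    return {"status": "expired" if exp <= now else "live",
            "aud": claims.get("aud"), "tid": claims.get("tid"),
            "exp": exp, "seconds_left": exp - now}


# 20+ token characters after "Bearer "; the length floor leaves the
# 'Bearer realm=""' WWW-Authenticate challenge untouched.
_BEARER_TOKEN_RE = re.compile(r"(Bearer\s+)([A-Za-z0-9\-_.~+/]{20,}=*)")


def redact_bearer(line: str) -> str:
    """Replace each Bearer token in a log line with a short SHA-256 fingerprint.
    Entries for the same token still correlate, but the line is no longer replayable."""
    def _sub(m):
        fingerprint = hashlib.sha256(m.group(2).encode()).hexdigest()[:12]
        return f"{m.group(1)}[sha256:{fingerprint}]"
    return _BEARER_TOKEN_RE.sub(_sub, line)


# Constructed log lines in the shape of the GraphLoggingHandler output in this issue.
LIVE_TOKEN = make_demo_token(NOW + 3600)
REQUEST_LINE = ("MSAL Request: Method: GET, RequestUri: 'https://graph.microsoft.com/v1.0/me', "
                f"Headers: {{ Accept: application/json Authorization: Bearer {LIVE_TOKEN} "
                "FeatureFlag: 00000003 }")
CHALLENGE_LINE = ('WWW-Authenticate: Bearer realm="", '
                  'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize"')

if __name__ == "__main__":
    for value in (None, "Bearer ", "Bearer " + make_demo_token(NOW - 60), "Bearer " + LIVE_TOKEN):
        print(inspect_authorization(value, NOW))
    print(redact_bearer(REQUEST_LINE))
    print(redact_bearer(CHALLENGE_LINE))
```

Running the script prints the status for a missing header, an empty bearer, an expired token and a live one, then the request line with the token replaced by its fingerprint and the challenge line unchanged. A logging DelegatingHandler in the app should apply the same redaction to the Authorization header before formatting the request, rather than relying on post-hoc scrubbing of the log store.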

ggroves commented 4 days ago

Thank you. Opened an issue with Graph. https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/2736