AzureAD / microsoft-authentication-library-for-go

The MSAL library for Go is part of the Microsoft identity platform for developers (formerly named Azure AD) v2.0. It enables you to acquire security tokens to call protected APIs. It uses industry standard OAuth2 and OpenID Connect.
MIT License

[Bug] Impossible to Login into External Identities #505

Closed MatteoCalabro-TomTom closed 1 day ago

MatteoCalabro-TomTom commented 2 days ago

Which version of MSAL Go are you using?

github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2

Where is the issue?

Is this a new or an existing app? New App

What version of Go are you using (go version)?

1.23, this is irrelevant.

What operating system and processor architecture are you using (go env)?

MacOS Arm

Expected behavior

A successful login using the correct authority for External Identities: https://<name>.ciamlogin.com

Actual behavior

Trying to use the actual authority doesn't even start the authorization flow:

http call(https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2F<name>.ciamlogin.com%2F<tenant-id>%2Foauth2%2Fv2.0%2Fauthorize)(GET) error: reply status code was 400:
{
  "error": "invalid_instance",
  "error_description": "AADSTS50049: Unknown or invalid instance. Trace ID: *** Correlation ID: *** Timestamp: 2024-09-18 14:47:11Z",
  "error_codes": [
    50049
  ],
  "timestamp": "2024-09-18 14:47:11Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://login.microsoftonline.com/error?code=50049"
}

Replacing the authority https://<name>.ciamlogin.com/<tenant-id> with the more common https://login.microsoftonline.com/<tenant-id> brings forth the authentication screen (browser) but fails with:

could not retrieve token from auth code: http call(https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token)(POST) error: reply status code was 401:
{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: *** Correlation ID: *** Timestamp: 2024-09-18 14:50:18Z",
  "error_codes": [
    7000218
  ],
  "timestamp": "2024-09-18 14:50:18Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://login.microsoftonline.com/error?code=7000218"
}

Possible solution

Still investigating...

Additional context / logs / screenshots

Add any other context about the problem here, such as logs and screenshots.

MatteoCalabro-TomTom commented 2 days ago

Additional info: disabling instance discovery (public.WithInstanceDiscovery(false)) seems to work better, but still ends in an error:

could not retrieve token from auth code: http call(https://***.ciamlogin.com/***/oauth2/v2.0/token)(POST) error: reply status code was 401:
{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: *** Correlation ID: *** Timestamp: 2024-09-18 15:17:48Z",
  "error_codes": [
    7000218
  ],
  "timestamp": "2024-09-18 15:17:48Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://***.ciamlogin.com/error?code=7000218"
}
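
Added example (not code from the issue author or from MSAL Go) tying together the two failures in this thread: it validates an authority URL and flags ciamlogin.com hosts, rebuilds the instance-discovery GET that returned AADSTS50049, and maps the AADSTS error bodies quoted above to what they indicate. Host and tenant values in the comments are constructed placeholders, and the hint text is this example's own wording.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)

// ParseAuthority accepts only https://<host>/<tenant> and reports whether the host is an
// External ID (*.ciamlogin.com) host, for which the discovery call below returns AADSTS50049.
func ParseAuthority(raw string) (host, tenant string, ciam bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", false, err
	}
	tenant = strings.SplitN(strings.Trim(u.Path, "/"), "/", 2)[0]
	if u.Scheme != "https" || u.Host == "" || tenant == "" {
		return "", "", false, errors.New("authority must be https://<host>/<tenant>")
	}
	ciam = strings.HasSuffix(strings.ToLower(u.Hostname()), ".ciamlogin.com")
	return u.Host, tenant, ciam, nil
}

// DiscoveryURL rebuilds the instance-discovery GET quoted in the report; MSAL skips
// this request when the client is created with public.WithInstanceDiscovery(false).
func DiscoveryURL(host, tenant string) string {
	q := url.Values{}
	q.Set("api-version", "1.1")
	q.Set("authorization_endpoint", "https://"+host+"/"+tenant+"/oauth2/v2.0/authorize")
	return "https://login.microsoftonline.com/common/discovery/instance?" + q.Encode()
}

// hints maps the two AADSTS codes seen in this thread to what they indicate.
var hints = map[int]string{
	50049:   "invalid_instance: instance discovery rejected the authority; for ciamlogin.com set public.WithInstanceDiscovery(false)",
	7000218: "invalid_client: the token endpoint demanded client_secret or client_assertion, so the app is being treated as confidential, not public",
}

// ExplainError parses an AADSTS JSON error body (error_codes field as quoted in the
// issue) and returns the first code with its hint; the hint is "" for unlisted codes.
func ExplainError(body []byte) (int, string, error) {
	var e struct{ Codes []int `json:"error_codes"` }
	if err := json.Unmarshal(body, &e); err != nil || len(e.Codes) == 0 {
		return 0, "", errors.New("not an AADSTS error body")
	}
	return e.Codes[0], hints[e.Codes[0]], nil
}
```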

MatteoCalabro-TomTom commented 1 day ago

I am closing the issue as I think I solved it but will leave my findings for the records.

Adding public.WithInstanceDiscovery(false) client option indeed fixes the MSAL issue, but as of today there are other issues on External Identities side.

So far, I have found that: