Closed MatteoCalabro-TomTom closed 1 day ago
Additional info: disabling instance discovery (public.WithInstanceDiscovery(false)) seems to work better, but still ends in an error:
could not retrieve token from auth code: http call(https://***.ciamlogin.com/***/oauth2/v2.0/token)(POST) error: reply status code was 401:
{
  "error": "invalid_client",
  "error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: *** Correlation ID: *** Timestamp: 2024-09-18 15:17:48Z",
  "error_codes": [
    7000218
  ],
  "timestamp": "2024-09-18 15:17:48Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://***.ciamlogin.com/error?code=7000218"
}
I am closing the issue as I think I solved it, but will leave my findings for the record.
Adding the public.WithInstanceDiscovery(false) client option indeed fixes the MSAL issue, but as of today there are other issues on the External Identities side.
So far, I have found that:
- offline_access in the scopes (although supported and configured in the app registration) breaks the authentication flow - ExtID
- https://<name>.ciamlogin.com/organizations does not work - ExtID
  http call(https://<name>.ciamlogin.com/organizations/v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400: AADSTS500209: Unspecific Tenant is not supported in this domain.
  Note: still MUST have instance discovery disabled.
- The "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'." error was quite erratic yesterday.
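The two failures listed above (the organizations alias being refused at the discovery document with AADSTS500209, and the AADSTS7000218 body coming back from the token endpoint) can both be caught early and reported with their code instead of a bare status line. The Go program below is an added example, not code from the issue author or from MSAL Go: it validates a CIAM authority string locally, then fetches the discovery document and turns any non-200 reply into a typed error that carries the AADSTS code, handling both the JSON body shape and the plain-text shape quoted above. It assumes the https://<name>.ciamlogin.com/<tenant> convention from the issue, uses a placeholder tenant id, and stands in for the real service with a constructed httptest server that replays the two replies; nothing here talks to Microsoft.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

const discoveryPath = "/v2.0/.well-known/openid-configuration" // OIDC discovery document under a v2.0 authority

// AADError is a non-2xx reply from the identity platform, reduced to its AADSTS code.
type AADError struct {
	Code        string // e.g. "AADSTS500209"; empty if the body carried no code
	Description string
}

func (e *AADError) Error() string { return e.Code + ": " + e.Description }

// ValidateCIAMAuthority checks an External ID authority before any network call: https, a
// *.ciamlogin.com host, and one tenant segment that is not a multi-tenant alias (the
// aliases are what produce AADSTS500209 on CIAM). It returns the tenant segment.
func ValidateCIAMAuthority(authority string) (string, error) {
	u, err := url.Parse(authority)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !strings.HasSuffix(strings.ToLower(u.Host), ".ciamlogin.com") {
		return "", fmt.Errorf("%q is not an https://<name>.ciamlogin.com authority", authority)
	}
	tenant := strings.Trim(u.Path, "/")
	switch t := strings.ToLower(tenant); {
	case t == "" || strings.Contains(t, "/"):
		return "", fmt.Errorf("authority path must be a single tenant segment, got %q", u.Path)
	case t == "organizations" || t == "common" || t == "consumers":
		return "", fmt.Errorf("alias %q is not supported on CIAM; use the tenant id or name", tenant)
	}
	return tenant, nil
}

// ParseAADError handles both body shapes seen in the issue: a JSON object with
// "error_description" (token endpoint) and bare text (discovery endpoint).
func ParseAADError(body []byte) *AADError {
	desc := strings.TrimSpace(string(body))
	var j struct{ ErrorDescription string `json:"error_description"` }
	if json.Unmarshal(body, &j) == nil && j.ErrorDescription != "" {
		desc = j.ErrorDescription
	}
	return &AADError{Code: regexp.MustCompile(`AADSTS\d+`).FindString(desc), Description: desc}
}

// DiscoveryDoc keeps the one endpoint this example needs from the discovery document.
type DiscoveryDoc struct {
	TokenEndpoint string `json:"token_endpoint"`
}

// FetchDiscovery GETs the discovery document; non-200 replies come back as *AADError.
func FetchDiscovery(client *http.Client, discoveryURL string) (*DiscoveryDoc, error) {
	resp, err := client.Get(discoveryURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what an error page can make us buffer
	if resp.StatusCode != http.StatusOK {
		return nil, ParseAADError(body)
	}
	var doc DiscoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil || doc.TokenEndpoint == "" {
		return nil, fmt.Errorf("invalid discovery document (%v)", err)
	}
	return &doc, nil
}

// NewFakeCIAMServer is a constructed stand-in for <name>.ciamlogin.com that replays the
// two replies reported in the issue; it is not the real service.
func NewFakeCIAMServer(tenant string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		base := "http://" + r.Host + "/" + tenant
		switch r.URL.Path {
		case "/organizations" + discoveryPath:
			http.Error(w, "AADSTS500209: Unspecific Tenant is not supported in this domain.", http.StatusBadRequest)
		case "/" + tenant + discoveryPath:
			json.NewEncoder(w).Encode(DiscoveryDoc{TokenEndpoint: base + "/oauth2/v2.0/token"})
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	const tenant = "00000000-0000-0000-0000-000000000000" // placeholder tenant id, not a real one
	_, err := ValidateCIAMAuthority("https://contoso.ciamlogin.com/organizations")
	fmt.Println("preflight:", err)
	srv := NewFakeCIAMServer(tenant)
	defer srv.Close()
	_, err = FetchDiscovery(srv.Client(), srv.URL+"/organizations"+discoveryPath)
	fmt.Println("discovery:", err) // AADSTS500209, as in the issue
}
```

With MSAL Go the validated string is the one handed to public.New(clientID, public.WithAuthority(authority), public.WithInstanceDiscovery(false)); running ValidateCIAMAuthority on it first turns the 400 above into an immediate local error. The token-endpoint body is worth parsing the same way: when a public client is told AADSTS7000218 that a client_secret is required, the request reached a registration that expects a confidential client, which is a configuration question to check on the app registration rather than something to retry.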
Which version of MSAL Go are you using?
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2
Where is the issue?
Is this a new or an existing app? New App
What version of Go are you using (go version)? 1.23, this is irrelevant.
What operating system and processor architecture are you using (go env)? MacOS Arm
Expected behavior
A successful login using the correct authority for External Identities: https://<name>.ciamlogin.com
Actual behavior
Trying to use the actual authority doesn't even start the authorization flow.
Replacing the authority https://<name>.ciamlogin.com/<tenant-id> with the more common https://login.microsoftonline.com/<tenant-id> brings forth the authentication screen (browser) but fails with:
Possible solution
Still investigating...
Additional context / logs / screenshots
Add any other context about the problem here, such as logs and screenshots.