Open marbon87 opened 3 days ago
Hello @marbon87 : Just to clarify a couple of things:
"sub"
claim that matches what is in the "xms_st"
claim of the access token. Is the "sub"
in the working ID token the same as the "sub"
in ID token you get from MSAL? (and the access token from MSAL is just missing "xms_st"
)After some testing I'm having trouble reproducing your exact issue, my tokens either correctly have that "xms_st"
claim or I run into a different issue before getting the token.
However, my initial thought is that by default we will set the authority to https://login.microsoftonline.com/common/
, and I noticed that your working URL has https://login.microsoftonline.com/my-tenant/
. So, you may need to specify an authority in your PublicClientApplication
such as https://login.microsoftonline.com/your-tenant-id/
in order for the access token to be created with the right ID token info.
- When you say that you can get working tokens in the browser you mean you're getting them from that URL manually, right? Not from MSAL's interactive/browser-based flow?
Correct.
- For the working tokens, I assume the ID token has a
"sub"
claim that matches what is in the"xms_st"
claim of the access token.
Correct.
- Is the
"sub"
in the working ID token the same as the"sub"
in ID token you get from MSAL? (and the access token from MSAL is just missing"xms_st"
)
Correct: Both id tokens have the same sub-claim, starting with -qr...
. This value is equal to the xms_st.sub-Claim in the working acsess-token.
The sub-claim of the workin access-token matches the sub-claim from MSAL. The MSAL-access-token totally misses the xms_st.sub-Claim.
After some testing I'm having trouble reproducing your exact issue, my tokens either correctly have that
"xms_st"
claim or I run into a different issue before getting the token.However, my initial thought is that by default we will set the authority to
https://login.microsoftonline.com/common/
, and I noticed that your working URL hashttps://login.microsoftonline.com/my-tenant/
. So, you may need to specify an authority in yourPublicClientApplication
such ashttps://login.microsoftonline.com/your-tenant-id/
in order for the access token to be created with the right ID token info.
I set the authority but get the same error:
PublicClientApplication pca = PublicClientApplication.builder(clientId)
.broker(broker)
.authority("https://login.microsoftonline.com/tenant-id")
.build();
Library version used
1.16.0
Java version
21
Scenario
Other - please specify
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
We are using keycloak as an internal idp and want to use the external to internal token exchange feature.
Therefor i acquire a token silently with MSAL4j and post the access token to keycloak. The problem is that keycloak call the MS Graph userinfo-Endpoint but get's the error: "Token must contain sub claim."
When i acquire an access token by calling the following uri in the browser and use the access-token from the redirect, the token exchange is working:
https://login.microsoftonline.com/my-tenant/oauth2/v2.0/authorize?client_id=my-client-id&response_type=token+id_token&redirect_uri=https://localhost&scope=user.read+openid+profile+email&response_mode=fragment&state=12345&nonce=678910
I compared the two access tokens from MSAL4j and in the browser and guess that the problem in the MSAL4j-access token is the missing xms_st.sub-Claim in the access token.
What do i have to configure, to get that scope in the access token from MSAL4j?
Relevant code snippets
Expected behavior
MS Graph API Userinfo-Endpoint should respond with status code 200.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response