AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Client Authentication Failed: MSAL with Protocol Mode : OIDC for ADFS IDP #6915

Closed jaik-s closed 6 months ago

jaik-s commented 7 months ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.3.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.0.6

Public or Confidential Client?

Public

Description

I've configured MSAL in an Angular application with ProtocolMode OIDC for ADFS authentication.

As soon as I open the application, ADFS authentication is prompted; after entering valid credentials I get redirected to the application URI, but I get loginFailure, POST https://sso9.example.com/adfs/oauth2/token/ 400 (Bad Request) and also ERROR ServerError: invalid_client: undefined - [undefined]: MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid. - Correlation ID: undefined - Trace ID: undefined

ADFS is configured with client ID and secret for this application.

I need your assistance to know if I've missed anything.

Error Message

No response

MSAL Logs

[webpack-dev-server] Server started: Hot Module Replacement disabled, Live Reloading enabled, Progress disabled, Overlay enabled.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCrypto: modern crypto interface available
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Event callback registered with id: 38f717fe-c95c-4930-b48b-5d345d124378
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.component.ts:265 []
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Adding account storage listener.
app.component.ts:257 logged user
core.mjs:26546 Angular is running in development mode.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - MsalRedirectComponent activated
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - Emitting event: msal:initializeStart
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Emitting event to callback 38f717fe-c95c-4930-b48b-5d345d124378: msal:initializeStart
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Claims-based caching is disabled. Clearing the previous cache with claims
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getTokenKeys - No token keys found
core.mjs:26546 Angular is running in development mode.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - Emitting event: msal:initializeEnd
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Emitting event to callback 38f717fe-c95c-4930-b48b-5d345d124378: msal:initializeEnd
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - Emitting event: msal:handleRedirectStart
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Emitting event to callback 38f717fe-c95c-4930-b48b-5d345d124378: msal:handleRedirectStart
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - BroadcastService - msal:handleRedirectStart results in setting inProgress from startup to handleRedirect
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise has been called for the first time, storing the promise
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - initializeServerTelemetryManager called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - getRedirectResponseHash called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Hash contains known properties, returning response hash
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Current page is loginRequestUrl, handling response
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - handleResponse called, retrieved cached request
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Attempting to get cloud discovery metadata from authority configuration
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - The host is included in knownAuthorities. Creating new cloud discovery metadata from the host.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Found cloud discovery metadata in authority configuration
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Attempting to get endpoint metadata from authority configuration
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Did not find endpoint metadata in hardcoded values... Attempting to get endpoint metadata from the network metadata cache.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from https://sso9.example.com/adfs/.well-known/openid-configuration
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - Guard - canActivate
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - MSAL Guard activated
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - initialize has already been called, exiting early.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - initialize has already been called, exiting early.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise has been called previously, returning the result from the first call
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - Guard - canActivate
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - MSAL Guard activated
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - initialize has already been called, exiting early.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - initialize has already been called, exiting early.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - handleRedirectPromise has been called previously, returning the result from the first call
:3000/#/:1 Refused to apply style from 'https://fonts.googleapis.com/css2?family=Roboto:wght@300;400[_ngcontent-ng-c1050399927];500&display=swap' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
:3000/#/:1 Refused to apply style from 'https://fonts.googleapis.com/css2?family=Poppins:wght@300;400[_ngcontent-ng-c1050399927];500[_ngcontent-ng-c1050399927];600[_ngcontent-ng-c1050399927];700[_ngcontent-ng-c1050399927];800&display=swap' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
Third-party cookie will be blocked. Learn more in the Issues tab.
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [f15d8bc0-b8fd-469b-8287-893c927d00ec] : msal.js.browser@3.6.0 : Verbose - RedirectHandler.handleCodeResponse called
zone.js:1498 POST https://sso9.example.com/adfs/oauth2/token/ 400 (Bad Request)
(anonymous) @ zone.js:1498
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - Emitting event: msal:loginFailure
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Emitting event to callback 38f717fe-c95c-4930-b48b-5d345d124378: msal:loginFailure
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Info - Emitting event: msal:handleRedirectEnd
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - Emitting event to callback 38f717fe-c95c-4930-b48b-5d345d124378: msal:handleRedirectEnd
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - BroadcastService - msal:handleRedirectEnd results in setting inProgress from handleRedirect to none
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.component.ts:265 []
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - getAllAccounts called
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-browser@3.6.0 : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Error - Guard - error while logging in, unable to activate
app.module.ts:62 [Thu, 22 Feb 2024 09:49:37 GMT] : [] : @azure/msal-angular@3.0.9 : Verbose - Guard - loginFailedRoute set, redirecting
:3000/#/lov:1 [Intervention] Slow network is detected. See https://www.chromestatus.com/feature/5636954674692096 for more details. Fallback font will be used while loading: https://fonts.gstatic.com/s/oxygen/v15/2sDfZG1Wl4LcnbuKjk0m.woff2
core.mjs:11483 ERROR ServerError: invalid_client: undefined - [undefined]: MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid. - Correlation ID: undefined - Trace ID: undefined
    at ResponseHandler.validateTokenResponse (ResponseHandler.mjs:89:33)
    at AuthorizationCodeClient.mjs:70:25
    at Generator.next ()
    at asyncGeneratorStep (asyncToGenerator.js:3:1)
    at _next (asyncToGenerator.js:22:1)
    at _ZoneDelegate.invoke (zone.js:368:26)
    at Object.onInvoke (core.mjs:11018:33)
    at _ZoneDelegate.invoke (zone.js:367:52)
    at Zone.run (zone.js:129:43)
    at zone.js:1257:36

Network Trace (Preferably Fiddler)

MSAL Configuration

// Imports assumed from the OP's module (the issue shows only the factory functions):
// msal-browser v3 and msal-angular v3 exports plus the Angular environment file.
import {
  BrowserCacheLocation,
  InteractionType,
  IPublicClientApplication,
  LogLevel,
  ProtocolMode,
  PublicClientApplication,
} from '@azure/msal-browser';
import { MsalGuardConfiguration, MsalInterceptorConfiguration } from '@azure/msal-angular';
import { environment } from '../environments/environment';

// Referenced by the factories but not shown in the issue; assumed definitions.
const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;

export function loggerCallback(logLevel: LogLevel, message: string) {
  console.log(message);
}

export function MSALInstanceFactory(): IPublicClientApplication {
  // PublicClientApplication is a public client: it holds no client secret, and the
  // authorization-code exchange at the token endpoint is protected by PKCE only.
  return new PublicClientApplication({
    auth: {
      clientId: environment.clientId,
      authority: environment.issuer,          // ADFS issuer, e.g. https://<adfs-host>/adfs
      redirectUri: environment.redirectUrl,
      postLogoutRedirectUri: environment.redirectUrl,
      knownAuthorities: [environment.domain], // ADFS host must be listed for a non-Entra authority
      protocolMode: ProtocolMode.OIDC         // use the IdP's OIDC discovery document
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: isIE,
    },
    system: {
      allowNativeBroker: false, // Disables WAM Broker
      loggerOptions: {
        loggerCallback,
        logLevel: LogLevel.Verbose,
        piiLoggingEnabled: false
      }
    }
  });
}

export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  // Attach a bearer token only to calls matching these resources.
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set(environment.userinfoURL, ['user.read']);

  return {
    interactionType: InteractionType.Redirect,
    protectedResourceMap
  };
}

export function MSALGuardConfigFactory(): MsalGuardConfiguration {
  return {
    interactionType: InteractionType.Redirect,
    authRequest: {
      scopes: ['user.read']
    },
    loginFailedRoute: '/lov' // route the guard redirects to after msal:loginFailure
  };
}

Relevant Code Snippets

// Imports and class wrapper assumed for this component (the issue shows only the ngOnInit body).
import { Component, OnDestroy, OnInit } from '@angular/core';
import { MsalBroadcastService, MsalService } from '@azure/msal-angular';
import {
  AuthenticationResult,
  EventMessage,
  EventType,
  InteractionStatus,
  PopupRequest,
  RedirectRequest,
} from '@azure/msal-browser';
import { Subject } from 'rxjs';
import { filter, takeUntil } from 'rxjs/operators';
import { environment } from '../environments/environment';

// The OP's type is not shown; assumed to extend the id-token claims of an AuthenticationResult.
type IdTokenClaimsWithPolicyId = AuthenticationResult['idTokenClaims'] & { tfp?: string; acr?: string };

@Component({ selector: 'app-root', templateUrl: './app.component.html' })
export class AppComponent implements OnInit, OnDestroy {
  isIframe = false;
  loginDisplay = false;
  private readonly _destroying$ = new Subject<void>();

  constructor(private authService: MsalService, private msalBroadcastService: MsalBroadcastService) {}

  ngOnInit() {
    this.isIframe = window !== window.parent && !window.opener;
    this.setLoginDisplay();

    this.authService.instance.enableAccountStorageEvents(); // Optional - enables ACCOUNT_ADDED and ACCOUNT_REMOVED events when a user logs in or out in another tab or window

    this.msalBroadcastService.msalSubject$
      .pipe(
        filter((msg: EventMessage) => msg.eventType === EventType.ACCOUNT_ADDED || msg.eventType === EventType.ACCOUNT_REMOVED),
        takeUntil(this._destroying$)
      )
      .subscribe(() => {
        if (this.authService.instance.getAllAccounts().length === 0) {
          window.location.pathname = '/';
        } else {
          this.setLoginDisplay();
        }
      });

    this.msalBroadcastService.inProgress$
      .pipe(
        filter((status: InteractionStatus) => status === InteractionStatus.None),
        takeUntil(this._destroying$)
      )
      .subscribe(() => {
        this.setLoginDisplay();
        this.checkAndSetActiveAccount();
      });

    this.msalBroadcastService.msalSubject$
      .pipe(
        filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_SUCCESS
          || msg.eventType === EventType.ACQUIRE_TOKEN_SUCCESS
          || msg.eventType === EventType.SSO_SILENT_SUCCESS),
        takeUntil(this._destroying$)
      )
      .subscribe((result: EventMessage) => {
        // Successful sign-in: the id-token claims are available here (the posted handler did nothing further with them).
        const payload = result.payload as AuthenticationResult;
        const idtoken = payload.idTokenClaims as IdTokenClaimsWithPolicyId;
      });

    this.msalBroadcastService.msalSubject$
      .pipe(
        filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_FAILURE || msg.eventType === EventType.ACQUIRE_TOKEN_FAILURE),
        takeUntil(this._destroying$)
      )
      .subscribe((result: EventMessage) => {
        // Check for forgot password error. AADB2C90118 is an Azure AD B2C error code
        // (see https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes);
        // ADFS does not return it, so this branch never fires against ADFS.
        if (result.error && result.error.message.indexOf('AADB2C90118') > -1) {
          const resetPasswordFlowRequest: RedirectRequest | PopupRequest = {
            authority: environment.issuer,
            scopes: [],
          };
          this.adfslogin(resetPasswordFlowRequest);
        }
      });
  }

  // Helpers referenced above but not included in the issue; assumed to follow the msal-angular sample.
  setLoginDisplay() {
    this.loginDisplay = this.authService.instance.getAllAccounts().length > 0;
  }

  checkAndSetActiveAccount() {
    const activeAccount = this.authService.instance.getActiveAccount();
    const accounts = this.authService.instance.getAllAccounts();
    if (!activeAccount && accounts.length > 0) {
      this.authService.instance.setActiveAccount(accounts[0]);
    }
  }

  adfslogin(request: RedirectRequest | PopupRequest) {
    this.authService.loginRedirect(request as RedirectRequest);
  }

  ngOnDestroy(): void {
    this._destroying$.next();
    this._destroying$.complete();
  }
}

Reproduction Steps

  1. Open the URL of the application.
  2. The application redirects to the ADFS authorization URL.
  3. Enter valid user credentials and submit.

Expected Behavior

The expected behaviour is a loginSuccess without any other issues, landing on the home page with the logged-in user info.

Identity Provider

ADFS

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari

Regression

No response

Source

External (Customer)

tnorling commented 7 months ago

We unfortunately don't provide support or debugging assistance for ADFS - if you're able to find a little more information to determine why the ADFS server is throwing, e.g. a wrong or missing parameter, we can provide guidance to help unblock. I would suggest looking at the network trace to see specifically what is being sent in the POST.
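Worked example of the check suggested above, added here by the editor and not part of the issue or of MSAL: take the form body of the POST to /adfs/oauth2/token (from Fiddler or the browser's network tab) and report what kind of client authentication it carries. The background the check relies on: msal-browser is a public client, so its authorization_code request carries a PKCE code_verifier and never a client_secret, while an IdP registration that was created with a secret expects client authentication on the token endpoint and answers invalid_client when none arrives. Whether that is the cause in this issue is not confirmed on the page; the example only makes the mismatch visible. The sample body is constructed with placeholder values, not a capture from the reporter.

```typescript
// Added example: dissect a captured token-endpoint form body and compare it with
// how the client is registered at the IdP. Runs offline on the constructed sample.

export interface TokenRequestReport {
  grantType?: string;
  clientId?: string;
  redirectUri?: string;
  hasCodeVerifier: boolean;    // PKCE proof of possession (public client)
  hasClientSecret: boolean;    // confidential-client credential
  hasClientAssertion: boolean; // signed JWT client credential
  findings: string[];
}

export function analyzeTokenRequest(formBody: string): TokenRequestReport {
  const p = new URLSearchParams(formBody); // application/x-www-form-urlencoded
  const report: TokenRequestReport = {
    grantType: p.get("grant_type") ?? undefined,
    clientId: p.get("client_id") ?? undefined,
    redirectUri: p.get("redirect_uri") ?? undefined,
    hasCodeVerifier: p.has("code_verifier"),
    hasClientSecret: p.has("client_secret"),
    hasClientAssertion: p.has("client_assertion"),
    findings: [],
  };
  if (report.grantType !== "authorization_code") {
    report.findings.push(`unexpected grant_type: ${report.grantType ?? "(missing)"}`);
  }
  if (!report.clientId) report.findings.push("client_id missing");
  if (!p.has("code")) report.findings.push("authorization code missing");
  if (report.hasClientSecret) {
    // A secret in a browser-issued request is readable by every user of the SPA.
    report.findings.push("client_secret sent from the browser: the secret is exposed and must be rotated");
  }
  if (!report.hasClientSecret && !report.hasClientAssertion && !report.hasCodeVerifier) {
    report.findings.push("neither client authentication nor a PKCE code_verifier: code exchange is unprotected");
  }
  return report;
}

// registrationHasSecret: true when the IdP entry for this client_id holds a secret
// (a confidential client), false for a public/native registration.
export function explainInvalidClient(report: TokenRequestReport, registrationHasSecret: boolean): string {
  const sendsClientAuth = report.hasClientSecret || report.hasClientAssertion;
  if (registrationHasSecret && !sendsClientAuth) {
    return "mismatch: registration expects client authentication, request carries none (PKCE only). " +
      "Register the SPA as a public client without a secret, or move the code exchange to a server-side confidential client.";
  }
  if (!registrationHasSecret && sendsClientAuth) {
    return "mismatch: public-client registration, but the request sends a client credential; remove it from the browser.";
  }
  return "consistent: the client authentication expectation matches the request";
}

// Constructed sample (placeholder values, not a real capture): the shape of a
// public-client, PKCE-protected authorization_code exchange.
export const SAMPLE_SPA_TOKEN_BODY = [
  "client_id=11111111-2222-3333-4444-555555555555",
  "redirect_uri=https%3A%2F%2Flocalhost%3A3000%2F",
  "scope=openid%20profile%20offline_access",
  "code=AUTHORIZATION_CODE_PLACEHOLDER",
  "code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
  "grant_type=authorization_code",
].join("&");

const sampleReport = analyzeTokenRequest(SAMPLE_SPA_TOKEN_BODY);
console.log(sampleReport);
console.log(explainInvalidClient(sampleReport, true));  // registration created with a secret
console.log(explainInvalidClient(sampleReport, false)); // public-client registration
```

Paste the real body in place of the sample to run it against a capture; the only decision the tool needs from you is whether the ADFS registration for that client_id holds a secret.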

microsoft-github-policy-service[bot] commented 7 months ago

@jaik-s This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.