AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

MSAL Angular authentication issue for user in Azure Government Cloud #6967

Closed sivaraman-27 closed 5 months ago

sivaraman-27 commented 6 months ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.15.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.0.1

Public or Confidential Client?

Public

Description

We have implemented MSAL Angular @ 2.0.1 in our SaaS product.

We have registered the application in Azure Commercial Cloud, and authentication works fine for users in Azure Commercial Cloud.

We are facing an authentication issue for users in Azure Government Cloud.

Error Message

Failed to load resource: the server responded with a status of 400 () ServerError: invalid_request: 900434 - [2024-03-19 14:30:35Z]: AADSTS900434: National Cloud request processing failed: CallNationalCloud: http request failed with errorcode: Unauthorized, Content:{"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 9c96d248-ce24-4338-84ce-0ddb016c3f00 Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 Timestamp: 2024-03-19 14:30:35Z", "error_codes":[7000218],"timestamp":"2024-03-19 14:30:35Z","trace_id":"9c96d248-ce24-4338-84ce-0ddb016c3f00", "correlation_id":"7630f191-4689-4cf4-ab5c-737a85e0b8e9","error_uri":https://login.microsoftonline.us/error?code=7000218, "claims":"{\"access_token\":{\"capolids\":{\"essential\":true,}}}"}. Trace ID: d3b376fc-e4e7-4309-8f53-7704ea075900 Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 Timestamp: 2024-03-19 14:30:35Z - Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 - Trace ID: d3b376fc-e4e7-4309-8f53-7704ea075900

MSAL Logs

Log is not appropriate for this

Network Trace (Preferably Fiddler)

MSAL Configuration

MsalModule.forRoot(
  new PublicClientApplication({
    auth: {
      clientId: <MSAL_APPLICATION_ID>,
      authority: 'https://login.microsoftonline.com/common',
      redirectUri: <REDIRECT_URL>
    },
    cache: {
      cacheLocation: 'localStorage',
      storeAuthStateInCookie: false,
    }
  }),
  null,
  {
    interactionType: InteractionType.Popup,
    protectedResourceMap: new Map([
      ['https://graph.microsoft.com/v1.0/me', ['user.read']]
    ])
  }
)

Relevant Code Snippets

// MSAL popup called like below
import { MsalService } from "@azure/msal-angular";

// this.msalService is the MsalService injected into the component
const scopes = [<MSAL_APPLICATION_ID> + "/.default"];
this.msalService.loginPopup({ scopes: scopes }).subscribe({
  next: (response) => {
    // Process response
  },
  error: (error) => {}
});

Reproduction Steps

We have followed this implementation: https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-angular-auth-code

Expected Behavior

Authentication for users in Azure Government Cloud should also work (just like for the rest of the users).

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari, None (Server), Other

Regression

No response

Source

External (Customer)

sivaraman-27 commented 6 months ago

Hi @tnorling, if you could provide any assistance regarding this bug, we'll greatly appreciate it.

sivaraman-27 commented 6 months ago

Hi guys, @jo-arroyo @jasonnutter @sameerag @pkanher617 @hectormmg @samuelkubai @derisen Basically, I can see issues created in the last 2 weeks not getting any reply at all (maybe you are all busy / this repo has a long minimum response time).

We have a big client facing this issue and I couldn't find anything related to this.

Anyway, if you could provide any guidance for this specific issue, we would really, really appreciate it.

sameerag commented 6 months ago

@sivaraman-27 The error indicates it is a confidential client. Can you confirm it is the same application in both the clients?

sivaraman-27 commented 6 months ago

Hi @sameerag, it's a public client (an Angular app doing authentication with the libraries below).

Called in the Angular app as "Public Client" (see below):

MsalModule.forRoot(
  new PublicClientApplication({
    auth: {
      clientId: <MSAL_APPLICATION_ID>,
      authority: 'https://login.microsoftonline.com/common',
      redirectUri: <REDIRECT_URL>
    },
    cache: {
      cacheLocation: 'localStorage',
      storeAuthStateInCookie: false,
    }
  }),
  null,
  {
    interactionType: InteractionType.Popup,
    protectedResourceMap: new Map([
      ['https://graph.microsoft.com/v1.0/me', ['user.read']]
    ])
  }
)

But in Azure Portal > App registrations > Authentication > Advanced Settings --> "Allow public client flows" is "No".

We haven't set "Allow public client flows" to "Yes" because it's working fine for all accounts in Azure Commercial Cloud.

But it fails with the error only for Azure Government Cloud users.

We really appreciate your reply. Thank you for your kind guidance.

sivaraman-27 commented 6 months ago

@sameerag, I have provided the requested information. Kindly provide guidance.

sivaraman-27 commented 6 months ago

@Robbie-Microsoft @bgavrilMS @Avery-Dunn

If you have any feedback regarding this, please provide guidance.

bgavrilMS commented 6 months ago

@sivaraman-27 - @Robbie-Microsoft, @Avery-Dunn and I work on confidential client scenarios only, not auth in the browser, so we don't have the expertise to help :(

sameerag commented 6 months ago

@sivaraman-27 all SPA scenarios are public clients; however, they are marked as SPA and you need not allow the public client configuration in the app registration, unless you are looking for a desktop or mobile app too.

Having said that, let me check the correlationId provided above and see if we can infer any info.

sivaraman-27 commented 5 months ago

@danieldobalian @iambmelt From this request: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/232

Do I have to create another app in the Government Azure Portal to support government users?

sivaraman-27 commented 5 months ago

Hi @sameerag, I have also enabled "Allow public client flows" (set to "Yes") and tried again, but the same issue still happens.

"Having said that, let me check the correlationId provided above and see if we can infer any info." -- Did you find anything?

Also, do you think I have to create another app in the Government Azure Portal to support government users?

sivaraman-27 commented 5 months ago

Hi @sameerag, from this: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/232

"MSAL for Android supports authentication for Government users as well (initially not there, but implemented later). But MSAL for JavaScript hasn't implemented this feature yet."

Is the above statement correct?

sivaraman-27 commented 5 months ago

Hi @sameerag, sorry for pinging you so many times.

I found this article: https://learn.microsoft.com/en-us/entra/identity-platform/msal-national-cloud?tabs=javascript

Does it mean a separate MSAL app registration in the Azure Government Portal for government users?

sivaraman-27 commented 5 months ago

Hi, just confirmed with the Azure Identity Team that if an app is registered in Azure Commercial Cloud, then only users in Azure Commercial Cloud can authenticate with this library (this is Microsoft's current implementation).

So, in order to authenticate users from Azure Government Cloud, we need to register an application in Azure Government Cloud.

Thanks to everyone involved in this thread for helping us out!
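For the national-cloud setup the thread converges on (a separate registration in Azure Government, pointed at the government endpoints as described in the msal-national-cloud article linked above), here is an added example, not code from the issue or from the MSAL project, that builds a cloud-consistent MSAL Angular configuration, flags the mixed case behind this thread (commercial authority with a resource or user from another cloud), and recognises the AADSTS900434 error quoted in the report. The login and Graph hosts for the two clouds and the `knownAuthorities` option are assumptions taken from Microsoft's national-cloud documentation and the MSAL.js configuration reference; the client ID and redirect URI are placeholders.

```javascript
// Cloud endpoints assumed from Microsoft's national-cloud documentation.
const CLOUDS = {
  commercial: { authorityHost: "login.microsoftonline.com", graphHost: "graph.microsoft.com" },
  usgov: { authorityHost: "login.microsoftonline.us", graphHost: "graph.microsoft.us" },
};

// Build what MsalModule.forRoot() takes for one cloud: the
// PublicClientApplication configuration plus the protectedResourceMap.
function buildMsalConfig(cloud, clientId, redirectUri, tenant = "common") {
  const c = CLOUDS[cloud];
  if (!c) throw new Error(`unknown cloud: ${cloud}`);
  return {
    auth: {
      clientId,
      authority: `https://${c.authorityHost}/${tenant}`,
      knownAuthorities: [c.authorityHost],
      redirectUri,
    },
    cache: { cacheLocation: "localStorage", storeAuthStateInCookie: false },
    protectedResourceMap: new Map([[`https://${c.graphHost}/v1.0/me`, ["user.read"]]]),
  };
}

// Map a login or Graph host back to its cloud, or null if unknown.
function cloudForHost(host) {
  for (const [name, c] of Object.entries(CLOUDS)) {
    if (host === c.authorityHost || host === c.graphHost) return name;
  }
  return null;
}

// List the mismatches between the authority and the protected resources;
// an empty list means tokens from this authority are meant for these APIs.
function checkConfig(config) {
  const problems = [];
  const authCloud = cloudForHost(new URL(config.auth.authority).host);
  if (!authCloud) problems.push(`unrecognised authority ${config.auth.authority}`);
  for (const resource of config.protectedResourceMap.keys()) {
    const resCloud = cloudForHost(new URL(resource).host);
    if (authCloud && resCloud && resCloud !== authCloud) {
      problems.push(`${resource} belongs to ${resCloud} but the authority is ${authCloud}`);
    }
  }
  return problems;
}

// Recognise the error from this thread: the commercial endpoint handed the
// request to a national cloud where the app has no registration.
function isNationalCloudError(message) {
  return message.includes("AADSTS900434") && message.includes("CallNationalCloud");
}
```

Pass the returned `auth`/`cache` object to `new PublicClientApplication(...)` and the `protectedResourceMap` to the interceptor config, one build per registration, so a government-registered app never talks to the commercial authority.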