Closed sivaraman-27 closed 5 months ago
Hi, @tnorling If you could provide any assistance regarding this bug, we'll greatly appreciate it.
Hi guys, @jo-arroyo @jasonnutter @sameerag @pkanher617 @hectormmg @samuelkubai @derisen Basically, I can see issues created in the last 2 weeks not getting any reply at all (maybe you are all busy / this repo has a long minimum response time).
We have a big client facing this issue and I couldn't find anything related to this.
Anyway, if you could provide any guidance for this specific issue, we would really, really appreciate it.
@sivaraman-27 The error indicates it is a confidential client. Can you confirm it is the same application in both the clients?
Hi @sameerag, It's a public client (Angular app doing authentication with the below libraries)
Called in angular app as "Public Client" (see below):
// Imports needed for the snippet below (Angular module file)
import { MsalModule } from '@azure/msal-angular';
import { InteractionType, PublicClientApplication } from '@azure/msal-browser';

// Goes in the NgModule `imports` array; <MSAL_APPLICATION_ID> and <REDIRECT_URL> are placeholders
MsalModule.forRoot(
  new PublicClientApplication({
    auth: {
      clientId: <MSAL_APPLICATION_ID>,
      authority: 'https://login.microsoftonline.com/common',
      redirectUri: <REDIRECT_URL>
    },
    cache: {
      cacheLocation: 'localStorage',
      storeAuthStateInCookie: false,
    }
  }),
  null, // no MsalGuard configuration
  {
    // MsalInterceptor configuration
    interactionType: InteractionType.Popup,
    protectedResourceMap: new Map([
      ['https://graph.microsoft.com/v1.0/me', ['user.read']]
    ])
  }
)
But in Azure Portal > App registrations > Authentication > Advanced Settings --> Allow public client flows is "NO"
We haven't enabled "Allow Public Client" to YES because it's working fine for all accounts in Azure Commercial Cloud.
We really appreciate your reply. Thank you for your kind guidance.
@sameerag , I have provided the requested information. Kindly provide guidance.
@Robbie-Microsoft , @bgavrilMS @Avery-Dunn
If you guys have any feedback regarding this, please provide any guidance.
@sivaraman-27 - @Robbie-Microsoft @Avery-Dunn and myself work on confidential client scenarios only, not auth in the browser, so we don't have the expertise to help :(
@sivaraman-27 all SPA scenarios are public clients, however, they are marked as SPA
and you need not allow public client configuration in the app registration, unless you are looking for a desktop or mobile app too.
Having said that, let me check the correlationId provided above and see if we can infer any info.
@danieldobalian @iambmelt From this request: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/232
Do I have to create another app in Government Azure Portal for supporting government users?
Hi @sameerag , I have also enabled and tried "Allow Public Client Flows" to "YES" but still the same issue happens
Having said that, let me check the correlationId provided above and see if we can infer any info. -- Did you find anything?
Also, do you think if I have to create another app in Government Azure Portal for supporting government users?
Hi @sameerag , From this: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/232
"MSAL for Android supports authentication for Government users too (initially not there, but implemented later). But MSAL for JavaScript hasn't implemented this feature yet."
Is the above statement correct?
Hi @sameerag , Sorry for pinging you so many times.
I found this article: https://learn.microsoft.com/en-us/entra/identity-platform/msal-national-cloud?tabs=javascript
Does it mean a separate MSAL app registration in the Azure Government Portal for government users?
Hi, just confirmed with the Azure Identity Team that if an app is registered in Azure Commercial Cloud, then only users in Azure Commercial Cloud can authenticate with this library (this is Microsoft's current implementation).
So, in order to authenticate users from Azure Government Cloud, we need to register an application in Azure Government Cloud.
Thanks to everyone involved in this thread for helping us out!
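The conclusion above, one app registration per cloud, is easy to get wrong in a single code base, and the reported error (a commercial-cloud client ID sent to the login.microsoftonline.us endpoint) is what the mismatch looks like. The following is an added example, not code from the issue or from the MSAL project: it keeps a registration per cloud, builds the MSAL browser configuration and interceptor resource map for the chosen cloud, and checks that the client ID actually belongs to the cloud the authority points at. The client IDs are constructed placeholders; the commercial hosts are those in the issue's own config, login.microsoftonline.us is the host in the error_uri of the reported error, and graph.microsoft.us is assumed from the national-cloud documentation linked in the thread.

```typescript
// Added example (not from the issue or the MSAL project): one MSAL browser
// configuration per cloud, plus a check for the cross-cloud mismatch the
// thread ends up diagnosing.

type Cloud = "commercial" | "usgov";

interface CloudRegistration {
  clientId: string;      // app registration created in that cloud's portal
  authorityHost: string; // login host for that cloud
  graphHost: string;     // Microsoft Graph host for that cloud
}

// Client IDs are constructed placeholders. graph.microsoft.us is an assumption
// taken from the national-cloud documentation the thread links to.
const REGISTRATIONS: Record<Cloud, CloudRegistration> = {
  commercial: {
    clientId: "11111111-1111-1111-1111-111111111111",
    authorityHost: "login.microsoftonline.com",
    graphHost: "graph.microsoft.com",
  },
  usgov: {
    clientId: "22222222-2222-2222-2222-222222222222",
    authorityHost: "login.microsoftonline.us",
    graphHost: "graph.microsoft.us",
  },
};

// The subset of PublicClientApplication options the issue's config uses.
interface MsalConfig {
  auth: { clientId: string; authority: string; redirectUri: string };
  cache: { cacheLocation: "localStorage" | "sessionStorage"; storeAuthStateInCookie: boolean };
}

// Map an authority URL to the cloud its host belongs to; undefined if unknown or unparsable.
function cloudForAuthority(authority: string): Cloud | undefined {
  let host: string;
  try {
    host = new URL(authority).host.toLowerCase();
  } catch {
    return undefined;
  }
  for (const [cloud, reg] of Object.entries(REGISTRATIONS) as [Cloud, CloudRegistration][]) {
    if (reg.authorityHost === host) return cloud;
  }
  return undefined;
}

// Build the options that would be handed to new PublicClientApplication(...)
// for one cloud. "common" is the tenant segment the issue's config uses.
function buildMsalConfig(cloud: Cloud, redirectUri: string): MsalConfig {
  const reg = REGISTRATIONS[cloud];
  return {
    auth: {
      clientId: reg.clientId,
      authority: `https://${reg.authorityHost}/common`,
      redirectUri,
    },
    cache: { cacheLocation: "localStorage", storeAuthStateInCookie: false },
  };
}

// Interceptor protectedResourceMap pointing at the Graph host of the same cloud,
// so tokens issued by one cloud are never sent to the other cloud's API.
function buildProtectedResourceMap(cloud: Cloud): Map<string, string[]> {
  const reg = REGISTRATIONS[cloud];
  return new Map([[`https://${reg.graphHost}/v1.0/me`, ["user.read"]]]);
}

// Return the cloud a configuration is consistent with, or throw when the client ID
// was registered in a different cloud than the authority points at.
function checkConfig(config: MsalConfig): Cloud {
  const cloud = cloudForAuthority(config.auth.authority);
  if (cloud === undefined) {
    throw new Error(`unknown authority host in ${config.auth.authority}`);
  }
  if (REGISTRATIONS[cloud].clientId !== config.auth.clientId) {
    throw new Error(`client ${config.auth.clientId} is not registered in the ${cloud} cloud`);
  }
  return cloud;
}

// Usage: the cloud would come from the user's sign-in choice; constructed values here.
const govConfig = buildMsalConfig("usgov", "https://app.example.com/auth");
console.log(checkConfig(govConfig), govConfig.auth.authority, buildProtectedResourceMap("usgov"));
```

The check runs at startup, before `new PublicClientApplication(...)`, so a deployment that pairs the commercial client ID with the .us authority fails fast with a clear message instead of surfacing as AADSTS900434 at sign-in time. Confirm the government login and Graph hosts against the linked national-cloud documentation before relying on them.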
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
2.15.0
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
2.0.1
Public or Confidential Client?
Public
Description
We have implemented MSAL Angular @ 2.0.1 in our SaaS product.
We have registered the application in Azure Commercial Cloud and authentication works fine for users in Azure Commercial Cloud.
We are facing an authentication issue for users in Azure Government Cloud.
Error Message
Failed to load resource: the server responded with a status of 400 () ServerError: invalid_request: 900434 - [2024-03-19 14:30:35Z]: AADSTS900434: National Cloud request processing failed: CallNationalCloud: http request failed with errorcode: Unauthorized, Content:{"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 9c96d248-ce24-4338-84ce-0ddb016c3f00 Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 Timestamp: 2024-03-19 14:30:35Z", "error_codes":[7000218],"timestamp":"2024-03-19 14:30:35Z","trace_id":"9c96d248-ce24-4338-84ce-0ddb016c3f00", "correlation_id":"7630f191-4689-4cf4-ab5c-737a85e0b8e9","error_uri":https://login.microsoftonline.us/error?code=7000218, "claims":"{\"access_token\":{\"capolids\":{\"essential\":true,}}}"}. Trace ID: d3b376fc-e4e7-4309-8f53-7704ea075900 Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 Timestamp: 2024-03-19 14:30:35Z - Correlation ID: 7630f191-4689-4cf4-ab5c-737a85e0b8e9 - Trace ID: d3b376fc-e4e7-4309-8f53-7704ea075900
MSAL Logs
Log is not appropriate for this
Network Trace (Preferably Fiddler)
MSAL Configuration
Relevant Code Snippets
Reproduction Steps
We have followed this implementation: https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-angular-auth-code
Expected Behavior
Authentication for users in Azure Government Cloud should also work (just like for the rest of the users).
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
Chrome, Firefox, Edge, Safari, None (Server), Other
Regression
No response
Source
External (Customer)