Closed riteshbhoi closed 1 month ago
Can you please post your verbose logs here?
Here is the verbose log. If you see at the end, auth is routed to https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/ endpoint and this endpoint is not valid.
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Info - acquireTokenByClientCredential called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - initializeRequestScopes called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - buildOauthClientConfiguration called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - createAuthority called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Attempting to get cloud discovery metadata from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Found cloud discovery metadata from hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Attempting to get endpoint metadata from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Info - Building oauth client configuration with the following authority: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - Client credential client created
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-common@14.12.0 : Info - Sending token request to endpoint: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/
@Robbie-Microsoft let me know if you need any other information
@riteshbhoi - the authority seems correct. You tell MSAL that the region is "westus" and the authority is "login.microsoftonline.us/tenant" and MSAL computes the authority as being "westus.login.microsoftonline.us/tenant".
Maybe you got your region wrong? Sovereign cloud regions are not the same as public cloud regions.
@bgavrilMS Thing is when we are trying to access https://westus.login.microsoftonline.us/<tenant>. This URL is not resolving, and we are getting response code 0. My questions - is this the right and expected URL? And in that case, why is this URL not resolving from our Azure function apps hosted in PME?
Let's continue over email @riteshbhoi - bogavril
Outcome of offline discussion was to manually inject regions for nonglobal cloud authorities. Also, nonglobal cloud authorities' regions don't align with global Azure regions such as west us2, west us 3 etc., so make sure you validate the availability of the authorities in these clouds before manual injection.
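The validation step from the outcome above, as an added example (not code from the thread or from MSAL): it builds the regional host the way the thread describes and checks that each candidate resolves before a region is injected. The function names and the stub resolver are assumptions for illustration; `exampleregion` and its address are constructed.

```javascript
// Added example: function names here are hypothetical, not @azure/msal-node API.

// Regional host as described in the thread: region "westus" plus authority
// host "login.microsoftonline.us" gives "westus.login.microsoftonline.us".
function regionalAuthorityHost(authority, region) {
  const url = new URL(authority);
  if (url.protocol !== 'https:') {
    throw new Error(`authority must use https: ${authority}`);
  }
  if (!/^[a-z0-9]+$/.test(region)) {
    throw new Error(`unexpected region name: ${region}`);
  }
  return `${region}.${url.hostname}`;
}

// Check each candidate region's host; `lookup` is injectable for offline runs.
async function checkRegions(authority, regions, lookup) {
  const resolve = lookup ?? (await import('node:dns/promises')).lookup;
  const results = [];
  for (const region of regions) {
    const host = regionalAuthorityHost(authority, region);
    try {
      await resolve(host);
      results.push({ region, host, resolves: true });
    } catch (err) {
      results.push({ region, host, resolves: false, code: err.code ?? 'UNKNOWN' });
    }
  }
  return results;
}

// Constructed stub resolver: only one made-up regional host "exists".
const KNOWN_HOSTS = new Set(['exampleregion.login.microsoftonline.us']);
async function stubLookup(host) {
  if (!KNOWN_HOSTS.has(host)) {
    const err = new Error(`getaddrinfo ENOTFOUND ${host}`);
    err.code = 'ENOTFOUND';
    throw err;
  }
  return { address: '203.0.113.10', family: 4 };
}

async function demo() {
  const authority = 'https://login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6';
  return checkRegions(authority, ['westus', 'exampleregion'], stubLookup);
}
demo().then((rows) => console.table(rows));
```

Omitting the third argument to `checkRegions` makes it use the system resolver, so the same check can run from the environment that will request tokens.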
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
2.9.2
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Confidential
Description
We implemented a ConfidentialClientApplication and used it to call acquireTokenByClientCredential(clientCredentialRequest) with clientCredentialRequest being identical to the example in the docs for the purpose of using regional auth.
We added the region (westus in our case) to the azureRegion field just like in the example, but the request wasn't routed to a regional endpoint.
Authentication call (for tenant id 5b750121-f135-44ef-b08e-61da0ff7c4d6) is routed to below URL which doesn't exist. https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/
Same issue is happening for https://login.partner.microsoftonline.cn/ authority as well.
Error Message
No response
MSAL Logs
No response
Network Trace (Preferably Fiddler)
MSAL Configuration
Relevant Code Snippets
Reproduction Steps
Expected Behavior
Auth call should be routed to a valid auth URL
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
Source
Internal (Microsoft)