AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Regional Auth routing to invalid auth url #7229

Closed riteshbhoi closed 1 month ago

riteshbhoi commented 1 month ago

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.9.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

We implemented a ConfidentialClientApplication and used it to call acquireTokenByClientCredential(clientCredentialRequest) with clientCredentialRequest being identical to the example in the docs for the purpose of using regional auth.

We added the region (westus in our case) to the azureRegion field just like in the example, but the request wasn't routed to a regional endpoint.

// Confidential client using a certificate credential (values come from the
// reporter's environment).
const { ConfidentialClientApplication } = require('@azure/msal-node');

const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

// Regional request exactly as in the docs example; must run inside an async function.
const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

The authentication call (for tenant id 5b750121-f135-44ef-b08e-61da0ff7c4d6) is routed to the URL below, which doesn't exist: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/

The same issue is happening for the https://login.partner.microsoftonline.cn/ authority as well.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

MSAL Configuration

auth: {
  clientId: clientId,
  authority: `https://login.microsoftonline.us/${tenantId}`,
  clientCertificate: {
    thumbprint: clientCertificateData.thumbprint,
    privateKey: clientCertificateData.privateKey,
    x5c: clientCertificateData.x5c
  }
}

Relevant Code Snippets

const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

Reproduction Steps

  1. Run the code snippet with the provided msal config (substituting the values with the ones found in the logs)
  2. Check the logs to see which endpoints the request is routed to

Expected Behavior

Auth call should be routed to a valid auth URL

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

Robbie-Microsoft commented 1 month ago

Can you please post your verbose logs here?

riteshbhoi commented 1 month ago

Here is the verbose log. As you can see at the end, auth is routed to the https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/ endpoint, and this endpoint is not valid.

MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Info - acquireTokenByClientCredential called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - initializeRequestScopes called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - buildOauthClientConfiguration called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - createAuthority called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Attempting to get cloud discovery metadata from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Found cloud discovery metadata from hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Attempting to get endpoint metadata from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Info - Building oauth client configuration with the following authority: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-node@2.9.2 : Verbose - Client credential client created
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/msal-node@2.9.2 : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/msal-common@14.12.0 : Info - Sending token request to endpoint: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/

riteshbhoi commented 1 month ago

@Robbie-Microsoft let me know if you need any other information

bgavrilMS commented 1 month ago

@riteshbhoi - the authority seems correct. You tell MSAL that the region is "westus" and the authority is "login.microsoftonline.us/tenant" and MSAL computes the authority as being "westus.login.microsoftonline.us/tenant".

Maybe you got your region wrong? Sovereign cloud regions are not the same as public cloud regions.

riteshbhoi commented 1 month ago

@bgavrilMS The thing is, when we try to access https://westus.login.microsoftonline.us/<tenant>, this URL does not resolve and we get response code 0. My questions: is this the right and expected URL? And if so, why is this URL not resolving from our Azure Function apps hosted in PME?

bgavrilMS commented 1 month ago

Let's continue over email @riteshbhoi - bogavril

riteshbhoi commented 1 month ago

The outcome of the offline discussion was to manually inject regions for non-global cloud authorities. Also, the regions of non-global cloud authorities don't align with global Azure regions such as West US 2, West US 3, etc., so make sure you validate the availability of the authorities in these clouds before manually injecting them.
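As an added example (not msal-node's own code and not the reporter's), the following shows the two points made in this thread in working form: the maintainer's description of how the regional authority is computed (the region becomes the leftmost DNS label of the authority host, path untouched), and the outcome that for non-global clouds the caller must validate that the regional authority actually exists before injecting it. The allowlist of authority hosts, the region-name pattern, the DNS-based availability check with fallback to the base authority, the placeholder tenant id and the fake offline resolver are all assumptions of this example.

```javascript
// Added example, not code from msal-node or from the issue reporter. It
// mirrors the maintainer's description of how the regional authority is
// computed (region + "." + authority host) and adds the check the thread's
// outcome asks for: confirm the regional host exists before injecting it,
// otherwise keep the base authority. Hosts, regions, tenant id and DNS
// answers below are constructed for the demo.

// Authority hosts we are willing to send a client assertion to. A confidential
// client POSTs its certificate-signed assertion to whatever token endpoint the
// authority points at, so the region string is treated as untrusted input and
// may only ever prepend one label to one of these hosts.
const KNOWN_AUTHORITY_HOSTS = new Set([
  "login.microsoftonline.com",        // global cloud
  "login.microsoftonline.us",         // US Government cloud (from the issue)
  "login.partner.microsoftonline.cn", // China cloud (from the issue)
]);

// Azure region names are short lowercase alphanumerics ("westus"); dots,
// slashes or "@" in a region could change which host the request goes to.
const REGION_RE = /^[a-z0-9]{2,32}$/;

// Compute "https://<region>.<authority host>/<tenant>" the way the log shows.
function buildRegionalAuthority(authority, region) {
  const url = new URL(authority);
  if (url.protocol !== "https:") {
    throw new Error(`authority must use https: ${authority}`);
  }
  if (!KNOWN_AUTHORITY_HOSTS.has(url.hostname)) {
    throw new Error(`refusing to regionalize unknown authority host: ${url.hostname}`);
  }
  if (!REGION_RE.test(region)) {
    throw new Error(`invalid region name: ${JSON.stringify(region)}`);
  }
  url.hostname = `${region}.${url.hostname}`;
  return url.toString();
}

// Default availability check: does the regional host resolve in DNS? Uses
// node:dns via dynamic import so the file works as CommonJS or ESM. A resolver
// outage is rethrown rather than being treated as "region does not exist".
async function hostResolves(hostname) {
  const { promises: dns } = await import("node:dns");
  try {
    await dns.lookup(hostname);
    return true;
  } catch (err) {
    if (err && err.code === "ENOTFOUND") return false;
    throw err;
  }
}

// Decide which authority to put into ConfidentialClientApplication's auth
// config: the regional one only if the region validates and its host resolves,
// otherwise the base authority, so the token request goes somewhere that exists.
async function selectAuthority(authority, region, resolves = hostResolves) {
  const regional = buildRegionalAuthority(authority, region);
  if (await resolves(new URL(regional).hostname)) {
    return { authority: regional, regional: true };
  }
  return { authority, regional: false };
}

// Constructed stand-in for DNS so the demo runs offline: only the public-cloud
// "westus" host is pretended to exist; the US Government one is not.
const FAKE_DNS = new Set(["westus.login.microsoftonline.com"]);
const fakeResolves = async (hostname) => FAKE_DNS.has(hostname);

async function demo() {
  const tenantId = "00000000-0000-0000-0000-000000000000"; // placeholder tenant id
  const usGov = await selectAuthority(`https://login.microsoftonline.us/${tenantId}`, "westus", fakeResolves);
  const publicCloud = await selectAuthority(`https://login.microsoftonline.com/${tenantId}`, "westus", fakeResolves);
  return { usGov, publicCloud };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

In production you would drop the fake resolver and let `selectAuthority` use the real DNS check, then pass `result.authority` as the `auth.authority` of the ConfidentialClientApplication and omit `azureRegion` from the request, since the region is already baked into the host. The allowlist is the part worth keeping even if you change the availability check: a region value coming from configuration should never be able to point the client assertion at a host outside the Microsoft identity endpoints you expect.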