AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/. Stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Broker doesn't support hybrid Azure AD-joined devices #609

Open mike-osirium opened 11 months ago

mike-osirium commented 11 months ago

Describe the bug

Hi, loving the MSAL broker support so far. If the user is logged onto a hybrid Azure AD-joined device, and opting into MSAL broker, the broker is unable to get a token for the user and acquire_token_interactive fails with StatusInternal::InteractionRequired. When only Azure AD-joined (not hybrid), this works without user interaction.

To Reproduce

This minimal script reproduces the behaviour on a hybrid Azure AD-joined device:

from msal import PublicClientApplication
from msal.authority import AuthorityBuilder, AZURE_PUBLIC

tenant_id = "<your-tenant-id>"  # placeholder; the real values were redacted in this report
client_id = "<your-client-id>"  # placeholder; the real values were redacted in this report

authority = AuthorityBuilder(AZURE_PUBLIC, tenant_id)

# allow_broker=True opts this app into the Windows broker (WAM) in MSAL Python 1.20.0
app = PublicClientApplication(
    client_id, authority=authority, allow_broker=True
)

scopes = [f"{client_id}/.default"]

# prompt="none" asks the broker for a silent sign-in of the logged-on Windows user;
# on a hybrid Azure AD-joined device this comes back as StatusInternal::InteractionRequired
result = app.acquire_token_interactive(
    scopes=scopes,
    prompt="none",
    parent_window_handle=app.CONSOLE_WINDOW_HANDLE,
)
print(result)

Expected behavior

Similarly to when only Azure-joined, MSAL gets the token via broker without user interaction.

What you see instead

2023-10-20 12:49:27,313 - msal.application:567 - DEBUG - Broker enabled? True
2023-10-20 12:49:27,313 - msal.application:1885 - DEBUG - Calling broker._signin_silently()
2023-10-20 12:49:27,315 - msal.broker:14 - DEBUG - [MSAL:0001]  INFO    SetCorrelationId:220    Set correlation ID: redacted
2023-10-20 12:49:27,319 - msal.broker:14 - DEBUG - [MSAL:0001]  INFO    ModifyAndValidateAuthParameters:164     Authority Realm: redacted
2023-10-20 12:49:27,413 - msal.broker:14 - DEBUG - [MSAL:0002]  ERROR   ErrorInternalImpl:134   Created an error: 513z4, StatusInternal::InteractionRequired, InternalEvent::None, Error Code 3400073236, Context 'The requested resource requires user authentication.'
2023-10-20 12:49:27,414 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:299    Printing Telemetry for Correlation ID: e2110d6f-3f12-4ef0-ae8f-2ee17e17dc99
2023-10-20 12:49:27,414 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: start_time, Value: 2023-10-20T11:49:27.000Z
2023-10-20 12:49:27,415 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_name, Value: SignInSilently
2023-10-20 12:49:27,415 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: was_request_throttled, Value: false
2023-10-20 12:49:27,415 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: authority_type, Value: Unknown
2023-10-20 12:49:27,415 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: msal_version, Value: 1.0.0+local
2023-10-20 12:49:27,416 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_status_code, Value: StatusInternal::InteractionRequired
2023-10-20 12:49:27,416 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: client_id, Value: redacted
2023-10-20 12:49:27,416 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: correlation_id, Value: redacted
2023-10-20 12:49:27,416 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: stop_time, Value: 2023-10-20T11:49:27.000Z
2023-10-20 12:49:27,417 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: all_error_tags, Value: 513z4|513z4
2023-10-20 12:49:27,417 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: msalruntime_version, Value: 0.13.2
2023-10-20 12:49:27,417 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: request_eligible_for_broker, Value: true
2023-10-20 12:49:27,417 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: broker_app_used, Value: true
2023-10-20 12:49:27,417 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: additional_query_parameters_count, Value: 0
2023-10-20 12:49:27,418 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: is_successful, Value: false
2023-10-20 12:49:27,418 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: wam_telemetry, Value: {"ui_visible":false,"scope":"redacted/.default offline_access openid profile","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/redacted","provider_id":"https://login.windows.net","oauth_error_code":"authentication_failed","http_status":401,"http_event_count":3,"device_join":"haadj","correlation_id":"{redacted}","client_id":"redacted","cache_event_count":0,"broker_version":"10.0.19041.3393","authority":"https://login.microsoftonline.com/redacted","api_error_code":-894894060,"account_join_on_start":"not_joined","account_join_on_end":"not_joined","silent_code":0,"silent_bi_sub_code":0,"silent_message":"","silent_status":0,"is_cached":1}
2023-10-20 12:49:27,420 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_error_code, Value: 3400073236
2023-10-20 12:49:27,421 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_error_tag, Value: 513z4
2023-10-20 12:49:27,423 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_error_context, Value: The requested resource requires user authentication.
2023-10-20 12:49:27,425 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: authorization_type, Value: WindowsIntegratedAuth
2023-10-20 12:49:27,427 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: request_duration, Value: 95
2023-10-20 12:49:27,440 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:312    Printing Execution Flow:
2023-10-20 12:49:27,442 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:318    {"t":"646u1","tid":1,"ts":0},{"t":"8b2yn","tid":2,"ts":7},{"t":"8dqkx","tid":2,"ts":8},{"t":"8dqik","tid":2,"ts":8},{"t":"8b2hr","tid":2,"ts":8},{"t":"8b2hs","tid":2,"ts":20},{"t":"5b8fg","tid":2,"ts":20},{"t":"694nj","tid":2,"ts":20,"a":10,"ie":0},{"t":"6layj","tid":2,"ts":82},{"t":"58yep","tid":2,"ts":95},{"t":"694nk","tid":2,"ts":95,"a":10,"ie":1},{"t":"8dqk1","tid":2,"ts":95},{"t":"646u1","tid":2,"ts":95}

The MSAL Python version you are using: 1.20.0
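As an added example (not part of this issue or of MSAL Python), the script below reads the msal.broker DEBUG lines shown in the log above and classifies the failure without calling MSAL or WAM itself. A trimmed copy of those log lines, with the identifiers already redacted in the report, is embedded as constructed sample input. It extracts api_name, api_status_code, authorization_type and the nested wam_telemetry JSON, flags device_join=haadj together with StatusInternal::InteractionRequired, and tells the caller that a silent retry is pointless and the interactive call should be made without prompt="none". All function and constant names are the example's own.

```python
"""Classify a failed MSAL broker (WAM) silent sign-in from MSAL Python DEBUG logs."""
import json
import re
from typing import Dict, List

# "Key: <name>, Value: <value>" telemetry lines written by the broker's LogTelemetryData.
_TELEMETRY_RE = re.compile(
    r"LogTelemetryData:\d+\s+Key:\s*(?P<key>[^,]+),\s*Value:\s*(?P<value>.*)$")
# The ErrorInternalImpl line that carries the broker status, error code and context string.
_ERROR_RE = re.compile(
    r"Created an error: (?P<tag>\S+), (?P<status>StatusInternal::\w+), .*"
    r"Error Code (?P<code>\d+), Context '(?P<context>[^']*)'")

# Constructed sample: lines copied from the report above (values redacted there),
# trimmed to the ones the diagnosis needs; the wam_telemetry JSON is shortened.
SAMPLE_LOG: List[str] = [
    "2023-10-20 12:49:27,313 - msal.application:1885 - DEBUG - Calling broker._signin_silently()",
    "2023-10-20 12:49:27,413 - msal.broker:14 - DEBUG - [MSAL:0002]  ERROR   ErrorInternalImpl:134   "
    "Created an error: 513z4, StatusInternal::InteractionRequired, InternalEvent::None, "
    "Error Code 3400073236, Context 'The requested resource requires user authentication.'",
    "2023-10-20 12:49:27,415 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_name, Value: SignInSilently",
    "2023-10-20 12:49:27,416 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: api_status_code, Value: StatusInternal::InteractionRequired",
    "2023-10-20 12:49:27,418 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: is_successful, Value: false",
    "2023-10-20 12:49:27,418 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: wam_telemetry, Value: "
    '{"ui_visible":false,"oauth_error_code":"authentication_failed","http_status":401,"device_join":"haadj",'
    '"authority":"https://login.microsoftonline.com/redacted","account_join_on_start":"not_joined","is_cached":1}',
    "2023-10-20 12:49:27,425 - msal.broker:14 - DEBUG - [MSAL:0002]  INFO    LogTelemetryData:307    Key: authorization_type, Value: WindowsIntegratedAuth",
]


def parse_broker_log(lines: List[str]) -> Dict[str, object]:
    """Collect the broker's telemetry key/value pairs (and the nested wam_telemetry
    JSON object) plus the ErrorInternalImpl status into one flat dict."""
    telemetry: Dict[str, object] = {}
    for line in lines:
        err = _ERROR_RE.search(line)
        if err:
            telemetry["error_status"] = err.group("status")
            telemetry["error_code"] = err.group("code")
            telemetry["error_context"] = err.group("context")
            continue
        kv = _TELEMETRY_RE.search(line)
        if not kv:
            continue  # correlation-id banner, execution-flow dump, etc.
        key, value = kv.group("key").strip(), kv.group("value").strip()
        if key == "wam_telemetry":
            # WAM serialises its own telemetry as a JSON object inside the log line.
            try:
                telemetry[key] = json.loads(value)
            except json.JSONDecodeError:
                telemetry[key] = value
        else:
            telemetry[key] = value
    return telemetry


def diagnose(telemetry: Dict[str, object]) -> Dict[str, object]:
    """Reduce the parsed telemetry to the facts a caller can act on."""
    wam = telemetry.get("wam_telemetry")
    wam = wam if isinstance(wam, dict) else {}
    status = telemetry.get("api_status_code") or telemetry.get("error_status")
    interaction_required = status == "StatusInternal::InteractionRequired"
    join = wam.get("device_join")  # WAM reports "aadj", "haadj", etc.
    succeeded = telemetry.get("is_successful") == "true"
    if interaction_required and join == "haadj":
        advice = ("SignInSilently returned InteractionRequired on a hybrid Azure AD-joined "
                  "device (device_join=haadj): a silent retry will not succeed; call "
                  "acquire_token_interactive again without prompt='none'.")
    elif interaction_required:
        advice = "Broker needs user interaction: retry without prompt='none'."
    elif succeeded:
        advice = "Silent broker sign-in succeeded; nothing to do."
    else:
        advice = "No InteractionRequired status found; inspect error_context and oauth_error_code."
    return {
        "api": telemetry.get("api_name"),
        "status": status,
        "device_join": join,
        "hybrid_joined": join == "haadj",
        "auth_type": telemetry.get("authorization_type"),
        "http_status": wam.get("http_status"),
        "oauth_error_code": wam.get("oauth_error_code"),
        "interaction_required": interaction_required,
        "succeeded": succeeded,
        "recommendation": advice,
    }


if __name__ == "__main__":
    for k, v in diagnose(parse_broker_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Point the parser at the full DEBUG output (for example, the lines collected by `logging` at DEBUG level for the `msal` logger) rather than this trimmed sample; only the Key/Value lines and the ErrorInternalImpl line are consulted, so the execution-flow dump and correlation-id banner are ignored.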

bgavrilMS commented 11 months ago

It might be by design. I am not sure that, on hybrid-joined devices, WAM is able to silently provide tokens for the Windows user.

@alextok, do you know?

rayluo commented 11 months ago

Adding more info for @alextok's and/or @msamwils's triage.

In this customer's code snippet, MSAL Python is calling MsalRuntime's SigninSilently(). So, this issue is essentially saying that SigninSilently() works on AADJ but not on hybrid-joined devices. Is that expected?