AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with the tags "msal" + "python":
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

[Bug] Original `AADSTS` error is hidden by WAM #698

Open jiasli opened 4 months ago

jiasli commented 4 months ago

**Describe the bug** Original AADSTS error is hidden by WAM.

**To Reproduce** Steps to reproduce the behavior:

With browser-based flow, AADSTS error is shown which contains detailed message explaining what happened:

```console
> az config set core.enable_broker_on_windows=false

> az login --scope https://graph.microsoft.com/User.ReadWrite
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 63016864-b8bc-471b-ab7e-0d7905808d00 Correlation ID: 6dcd284f-5691-4e77-a342-29f87f82d0d6 Timestamp: 2024-05-09 07:56:22Z
```

However, when WAM is used, the original AADSTS error is hidden, leaving a less informative error message:

```console
> az config set core.enable_broker_on_windows=true

> az login --scope https://graph.microsoft.com/User.ReadWrite
Please select the account you want to log in with.
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643
```

**Expected behavior** WAM should expose the original AADSTS error.

**What you see instead** A rephrased, less informative error message.

**The MSAL Python version you are using** 1.28.0

jiasli commented 4 months ago

This is the raw result returned by acquire_token_interactive() (reformatted):

```
{
    'error': 'broker_error',
    'error_description': '(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643',
    'msal_telemetry': '{
        "msalruntime_telemetry": {
            "additional_query_parameters_count": "2",
            "all_error_tags": "7q6cl",
            "api_error_code": "3399614466",
            "api_error_context": "(pii)",
            "api_error_tag": "7q6cl",
            "api_name": "SignInInteractively",
            "api_status_code": "StatusInternal::IncorrectConfiguration",
            "auth_flow": "Broker",
            "authority_type": "Unknown",
            "authorization_type": "Interactive",
            "broker_app_used": "true",
            "client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
            "correlation_id": "45212dc2-d3be-4b17-b6df-cbcd6300adae",
            "is_successful": "false",
            "msal_version": "1.1.0+local",
            "msalruntime_version": "0.14.2-alpha1",
            "original_authority": "https://login.microsoftonline.com/organizations",
            "read_token_last_error": "missing required parameter",
            "request_duration": "3513",
            "request_eligible_for_broker": "true",
            "start_time": "2024-05-09T11:04:16.000Z",
            "stop_time": "2024-05-09T11:04:20.000Z",
            "ui_event_count": "1",
            "was_request_throttled": "false"
        },
        "msal_python_telemetry": null
    }'
}
```
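Added example (not part of the issue or of MSAL Python itself): a caller-side diagnostic helper that takes the error dict `acquire_token_interactive()` returns, pulls the AADSTS code out of `error_description` when the browser flow exposes it, and, for the broker path, falls back to the structured fields in `msal_telemetry` while flagging that the text was PII-redacted. The two sample results are constructed from the output quoted in this thread; the browser-flow `error` value is assumed.

```python
import json
import re

AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")
CORRELATION_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")

# Constructed from the raw broker result above (telemetry trimmed to the fields used here).
SAMPLE_BROKER_RESULT = {
    "error": "broker_error",
    "error_description": "(pii). Status: Response_Status.Status_IncorrectConfiguration, "
                         "Error code: 3399614466, Tag: 557973643",
    "msal_telemetry": json.dumps({
        "msalruntime_telemetry": {
            "api_error_code": "3399614466",
            "api_status_code": "StatusInternal::IncorrectConfiguration",
            "correlation_id": "45212dc2-d3be-4b17-b6df-cbcd6300adae",
            "broker_app_used": "true",
        },
        "msal_python_telemetry": None,
    }),
}

# Constructed browser-flow failure; "error" is an assumed placeholder, the text is from the first comment.
SAMPLE_BROWSER_RESULT = {
    "error": "invalid_request",
    "error_description": "AADSTS65002: Consent between first party application ... must be configured "
                         "via preauthorization ... Correlation ID: 6dcd284f-5691-4e77-a342-29f87f82d0d6",
}


def diagnose(result: dict) -> dict:
    """Summarise an MSAL error result: AADSTS code if visible, else broker telemetry fields."""
    desc = result.get("error_description") or ""
    aadsts = AADSTS_RE.search(desc)
    corr = CORRELATION_RE.search(desc)
    diag = {
        "error": result.get("error"),
        "aadsts_code": aadsts.group(1) if aadsts else None,
        "pii_redacted": desc.startswith("(pii)"),  # MsalRuntime replaced the detail with a marker
        "broker_error_code": None,
        "broker_status": None,
        "correlation_id": corr.group(1) if corr else None,
    }
    raw = result.get("msal_telemetry")
    if raw:
        try:
            runtime = json.loads(raw).get("msalruntime_telemetry") or {}
        except (json.JSONDecodeError, AttributeError):
            runtime = {}
        diag["broker_error_code"] = runtime.get("api_error_code")
        diag["broker_status"] = runtime.get("api_status_code")
        diag["correlation_id"] = runtime.get("correlation_id") or diag["correlation_id"]
    return diag


def details_hidden_by_broker(result: dict) -> bool:
    """True when the broker path swallowed the AADSTS text, i.e. enable_pii_log would be needed to see it."""
    d = diagnose(result)
    return d["error"] == "broker_error" and d["aadsts_code"] is None and d["pii_redacted"]
```

The correlation ID survives in both paths, so it is the value to hand to support even when the AADSTS text is redacted.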
rayluo commented 4 months ago

MsalRuntime (the component that we used to talk to WAM) shows that error only when the pii logging was enabled. @jiasli you can give it a shot.

That being said, if Azure CLI ends up needing to enable pii all the time, that sounds like it defeats the purpose of having a pii flag in the first place. Perhaps we can revisit whether the AADSTS error description shall be classified as pii.

CC: @ashok672

jiasli commented 4 months ago

PR that introduced enable_pii_log: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/590

rayluo commented 4 months ago

> PR that introduced enable_pii_log: #590

Did that comment hint that you are satisfied with opting in via that flag, always :scream:? If so, the current github issue can be closed. Otherwise, you may tag and/or assign MsalRuntime folks into this issue.

jiasli commented 2 months ago

> Did that comment hint that you are satisfied with opting in via that flag, always 😱?

No. My comment merely provides additional information.

rayluo commented 2 months ago

So, to clarify, the ask here is to have MsalRuntime expose the "AADSTS xxxxx: details" even when PII is disabled. We will have @ashok672 weigh in on this topic.