AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

[Bug] WAM fails for MSA: AADSTS9002313: Invalid request. Request is malformed or invalid. #700

Closed jiasli closed 2 weeks ago

jiasli commented 1 month ago

Describe the bug
WAM fails for MSA (Microsoft Account): AADSTS9002313: Invalid request. Request is malformed or invalid.

To Reproduce
With enable_pii_log turned on (https://github.com/Azure/azure-cli/pull/28954):

> az login
...
Failed to authenticate TENANT_ID 'TENANT_NAME' due to error '
V2Error: invalid_grant AADSTS9002313: Invalid request. Request is malformed or invalid. 
Trace ID: 02b37a52-1706-48b9-9578-bcb1c4dc0900 
Correlation ID: 2bca5c76-c7c4-4dc9-a4dc-604f1a276ccb 
Timestamp: 2024-05-13 12:47:28Z. 
Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255'

The token request for organizations is successful, but fails for a specific tenant TENANT_ID.

According to https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes, AADSTS9002313 seems to be caused by a request formatting issue on the client side:

InvalidRequest - Request is malformed or invalid. - The issue arises because there was something wrong with the request to a certain endpoint. The suggestion to this issue is to get a fiddler trace of the error occurring and looking to see if the request is properly formatted or not.

Expected behavior
WAM should succeed for MSA.

What you see instead
WAM fails for MSA.

The MSAL Python version you are using

> pip list | Select-String msal

msal                                    1.28.0
msal-extensions                         1.2.0b1
pymsalruntime                           0.14.2

Additional context
This issue may be related to https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4696, but the error message is different.

fengga commented 3 weeks ago

@jiasli , I believe the issue has been resolved. Can we mark this as done?

rayluo commented 3 weeks ago

> I believe the issue has been resolved. Can we mark this as done?

@fengga , was it fixed in the PyMsalRuntime 0.16.2a1? @jiasli , can you test that, too?

If I can get a confirmation from either of you, this issue will be closed by/after MSAL Python's next release which adopts the PyMsalRuntime 0.16.x

jiasli commented 3 weeks ago

@fengga, could you provide more details on the root cause and how it is fixed?

fengga commented 3 weeks ago

This error is returned from WAM, and our code indicates it should be resolved by making a new interactive call (we are returning Response_Status.Status_InteractionRequired). If a new interactive call cannot resolve the issue, it is an issue in our team or the WAM team. If you were asking why we received InteractionRequired, I'd say there could be many reasons, such as not having logged in for a long time or some security considerations. If you can collect WAM logs, the WAM team can tell. @jiasli, I remember previously you changed your logic so that when seeing Status_InteractionRequired you make a new interactive call; is that working? Are you still receiving such errors?
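
The fallback fengga describes, silent attempt first and a fresh interactive call only when the broker reports Status_InteractionRequired, as an added example. This is not code from the issue, from Azure CLI or from MSAL Python itself. It assumes the broker error reaches the caller as the dict returned by acquire_token_silent_with_error(), with the "Status: Response_Status.Status_InteractionRequired, ..." text inside its "error_description" (as in the output quoted above; the "broker_error" value for "error" is an assumption). FakeBrokerClient and the sample error dict are constructed so the logic runs offline; real_client() shows the assumed msal.PublicClientApplication construction with the Windows broker enabled.

```python
"""Silent-then-interactive token acquisition with the Windows broker (WAM).

Added example; not the issue's or MSAL Python's own code. The real client is
only built inside real_client(), so the module imports and runs without msal.
"""
from typing import Optional

# Strings that mean "a silent request cannot succeed, prompt the user".
INTERACTION_REQUIRED_MARKERS = (
    "interaction_required",        # standard OAuth2 / Entra error code
    "Status_InteractionRequired",  # broker status string quoted in the issue
)


def needs_interaction(result: Optional[dict]) -> bool:
    """True when a silent attempt reports that the user must sign in again.

    None means MSAL found nothing usable in the cache; a dict with an
    access_token is success; any other error is examined for the markers.
    """
    if result is None:
        return True
    if "access_token" in result:
        return False
    err = result.get("error", "")
    desc = result.get("error_description", "")
    return any(m in err or m in desc for m in INTERACTION_REQUIRED_MARKERS)


def acquire_token(app, scopes, account=None, parent_window_handle=None):
    """Try silently; escalate to an interactive (broker) prompt only when required.

    Hard errors that a prompt would not fix (e.g. a misconfigured client) are
    returned unchanged so the caller can surface them instead of looping.
    """
    result = app.acquire_token_silent_with_error(scopes, account=account)
    if not needs_interaction(result):
        return result
    return app.acquire_token_interactive(
        scopes, parent_window_handle=parent_window_handle)


class FakeBrokerClient:
    """Constructed stand-in for msal.PublicClientApplication; records which path ran."""

    def __init__(self, silent_result):
        self._silent_result = silent_result
        self.calls = []

    def acquire_token_silent_with_error(self, scopes, account=None, **kwargs):
        self.calls.append("silent")
        return self._silent_result

    def acquire_token_interactive(self, scopes, parent_window_handle=None, **kwargs):
        self.calls.append("interactive")
        return {"access_token": "fake-token", "token_source": "broker"}


# Constructed error dict modelled on the message quoted in the issue
# (the "broker_error" code is an assumption; the description text is the issue's).
BROKER_INTERACTION_REQUIRED = {
    "error": "broker_error",
    "error_description": (
        "V2Error: invalid_grant AADSTS9002313: Invalid request. Request is "
        "malformed or invalid. Status: Response_Status.Status_InteractionRequired, "
        "Error code: 3399614467, Tag: 558133255"),
}


def real_client(client_id, authority="https://login.microsoftonline.com/organizations"):
    """Assumed construction of a broker-enabled MSAL client (requires msal + pymsalruntime)."""
    import msal  # imported lazily so the offline demo above does not need it
    return msal.PublicClientApplication(
        client_id, authority=authority, enable_broker_on_windows=True)


if __name__ == "__main__":
    # Offline demonstration with the constructed broker error.
    demo = FakeBrokerClient(BROKER_INTERACTION_REQUIRED)
    token = acquire_token(demo, ["User.Read"])
    print("paths taken:", demo.calls, "->", token["token_source"])
    # Against a real tenant (client id is a placeholder, not from the issue):
    # import msal
    # app = real_client("00000000-0000-0000-0000-000000000000")
    # acquire_token(app, ["User.Read"],
    #               parent_window_handle=msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE)
```

The split between needs_interaction() and the hard-error path is the practitioner's check here: only the InteractionRequired status is turned into a prompt, so a genuinely malformed request (a different AADSTS code with no interaction marker) is reported rather than retried forever.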

fengga commented 2 weeks ago

Closing this issue per offline conversation.