AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

CIAM authorities cause a null ref when using confidential client scenarios (daemon) #2732

Open trwalke opened 8 months ago

trwalke commented 8 months ago

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.17.3

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

For confidential client scenarios in IdWeb, when using the instance and tenant id options (MicrosoftIdentityOptions) to configure a CIAM authority, the flow works fine. However, when using the "Authority" option with a CIAM tenant, it fails. This failure occurs with https://DomainName.ciamlogin.com and https://DomainName.ciamlogin.com/tenant. Reproduced using the ChallengeUser_MicrosoftIdFlow_LocalApp_ValidEmailPassword test.

Reproduction steps

Reproduced using the ChallengeUser_MicrosoftIdFlow_LocalApp_ValidEmailPassword test.

  1. Update client id to use CIAM app
  2. Remove instance and tenant id options
  3. Add CIAM authority

Error message

No response

Id Web logs

No response

Relevant code snippets

TokenAcquirerFactory tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
IServiceCollection services = tokenAcquirerFactory.Services;

// CIAM configured through Authority alone (no Instance / TenantId), the form that fails
services.Configure<MicrosoftIdentityApplicationOptions>(s_optionName, option =>
{
    option.Authority = "https://{CiamDomain}.ciamlogin.com/";
    option.ClientId = "Ciam app id";
    option.ClientCredentials = s_clientCredentials;
});

await CreateGraphClientAndAssert(tokenAcquirerFactory, services);

Regression

No response

Expected behavior

Test should pass without error. (Daemon app calls Graph)
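The report above contrasts two ways of pointing a confidential client at a CIAM tenant: Instance plus TenantId, which works, and a single Authority URL (with or without a tenant segment), which ends in a null reference. The block below is an added example, not Microsoft.Identity.Web or MSAL code, that shows the option resolution a practitioner would expect: both forms are normalized to the same authority, and any piece that cannot be derived raises a named error instead of flowing on as a null. The function name resolve_authority, the ResolvedAuthority type, and the rule that a bare https://{domain}.ciamlogin.com host implies the {domain}.onmicrosoft.com tenant are assumptions for illustration, as is the sample tenant contoso.

```python
"""
Resolve an authority from either (Instance, TenantId) or a single Authority URL,
covering CIAM hosts of the form https://<domain>.ciamlogin.com[/<tenant>].

Added example, not Microsoft.Identity.Web or MSAL code. Assumptions (labelled
inline): a bare CIAM host implies the "<subdomain>.onmicrosoft.com" tenant, and
a non-CIAM authority must carry an explicit tenant segment.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

CIAM_HOST_SUFFIX = ".ciamlogin.com"


@dataclass(frozen=True)
class ResolvedAuthority:
    instance: str   # e.g. https://contoso.ciamlogin.com/
    tenant: str     # e.g. contoso.onmicrosoft.com, a tenant GUID, or "common"
    authority: str  # instance + tenant + trailing slash
    is_ciam: bool


def _normalize_instance(url: str) -> str:
    """Require https and a host; return https://<host>/ with exactly one trailing slash."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Instance/Authority must be an https URL with a host: {url!r}")
    return f"https://{parsed.netloc.lower()}/"


def resolve_authority(
    instance: Optional[str] = None,
    tenant_id: Optional[str] = None,
    authority: Optional[str] = None,
) -> ResolvedAuthority:
    """
    Build a normalized authority from the option set the caller provided.
    Every missing piece raises ValueError naming the option, so a missing
    tenant never reaches string concatenation as None.
    """
    if authority is None:
        # Instance + TenantId form (the one the issue reports as working).
        if not instance or not tenant_id:
            raise ValueError("Set Authority, or both Instance and TenantId")
        inst = _normalize_instance(instance)
        host = urlparse(inst).netloc
        return ResolvedAuthority(inst, tenant_id, f"{inst}{tenant_id}/",
                                 host.endswith(CIAM_HOST_SUFFIX))

    # Authority form: https://<host>[/<tenant>[/...]]
    inst = _normalize_instance(authority)
    parsed = urlparse(authority)
    host = parsed.netloc.lower()
    segments = [s for s in parsed.path.split("/") if s]
    is_ciam = host.endswith(CIAM_HOST_SUFFIX)

    if segments:
        tenant = segments[0]
    elif is_ciam:
        # Assumption: a bare CIAM host means the "<subdomain>.onmicrosoft.com" tenant.
        subdomain = host[: -len(CIAM_HOST_SUFFIX)]
        tenant = f"{subdomain}.onmicrosoft.com"
    else:
        raise ValueError(
            f"Authority {authority!r} has no tenant segment; add /<tenant> or set TenantId")

    return ResolvedAuthority(inst, tenant, f"{inst}{tenant}/", is_ciam)


if __name__ == "__main__":
    # The three configurations from the issue, using a constructed "contoso" tenant.
    for kwargs in (
        {"instance": "https://contoso.ciamlogin.com/", "tenant_id": "contoso.onmicrosoft.com"},
        {"authority": "https://contoso.ciamlogin.com/"},
        {"authority": "https://contoso.ciamlogin.com/contoso.onmicrosoft.com"},
    ):
        print(kwargs, "->", resolve_authority(**kwargs).authority)
```

All three configurations resolve to https://contoso.ciamlogin.com/contoso.onmicrosoft.com/, which is the property a caller should be able to rely on regardless of which option set it used; a configuration that cannot be resolved fails at option validation rather than inside the token acquisition call.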

bgavrilMS commented 8 months ago

Thanks @trwalke , given that CIAM non-CUD works, I'm marking this as a P3.

For Id.Web to support other OIDC authorities, this needs to be fixed.

trwalke commented 8 months ago

> Thanks @trwalke , given that CIAM non-CUD works, I'm marking this as a P3.
>
> For Id.Web to support other OIDC authorities, this needs to be fixed.

This is not the case; the issue above is using the non-CUD domain and it is failing. It also fails with the CUD domain.

It appeared to be limited to the CUD when testing from the sample because of the api the sample used, but testing the ID.Web api directly reveals that both forms are failing.

bgavrilMS commented 8 months ago

@trwalke - the current CIAM daemon sample advises to use the Authority as


https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/blob/main/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListClient/appsettings.json

I believe this works (and there are some tests to cover it in Id.Web)?

trwalke commented 8 months ago

> @trwalke - the current CIAM daemon sample advises to use the Authority as
>
> https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/blob/main/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListClient/appsettings.json
>
> I believe this works (and there are some tests to cover it in Id.Web)?

@bgavrilMS Yes, it worked when I ran it in the sample but it does not appear to be working with the test. The test is using the options property directly instead of using the appsettings.json, so maybe this makes a difference? Not sure.

Also, I don't see any other CIAM tests that test the higher level CreateGraphClientAndAssert() api except for mine. The other CIAM tests target very specific helper methods.

bgavrilMS commented 8 months ago

P2 since this is a null ref.