microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

Intermittent AADSTS700016 error with 4.20 and above #6691

Closed justin-mellor closed 8 months ago

justin-mellor commented 1 year ago

Version

4.21.0

Describe the bug

After upgrading from 4.19.3 to 4.21.0 we are getting intermittent errors System.AggregateException : Failed to acquire token for client credentials. (AADSTS700016: Application with identifier '4bb039d2-dadb-496c-89b6-77fbe143acd7' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: bd080058-54ab-4ae4-90b5-6b862c9d0e01 Correlation ID: caf3bde3-1dcb-4358-bcb1-b2ad048a7b19 Timestamp: 2023-09-20 23:02:10Z) Microsoft.Identity.Client.MsalServiceException : AADSTS700016: Application with identifier '4bb039d2-dadb-496c-89b6-77fbe143acd7' was not found in the directory 'Bot Framework'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: bd080058-54ab-4ae4-90b5-6b862c9d0e01 Correlation ID: caf3bde3-1dcb-4358-bcb1-b2ad048a7b19 Timestamp: 2023-09-20 23:02:10Z

This is occurring in the middle of a conversation, so the bot has definitely managed to send a message before, so the app must be registered correctly.

In 4.20 the SDK changed to use MSAL, so I am assuming this is related to that in some way.

Expected behavior

I expect the bot to be able to send messages all the time.

Additional context

Stack trace is:

```text
Microsoft.Bot.Connector.Authentication.Retry+d0`1.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Connector.Authentication.MsalAppCredentials+d11.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Connector.Authentication.AppCredentials+d34.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Connector.Authentication.AppCredentials+d33.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Connector.Conversations+d10.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Connector.ConversationsExtensions+d17.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Builder.CloudAdapterBase+d9.MoveNext
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification
at Microsoft.Bot.Builder.TurnContext+<>cDisplayClass31_0+<g__SendActivitiesThroughAdapter|1>d.MoveNext
```

justin-mellor commented 1 year ago

I have been doing some research, and I think the problem is because we are using MicrosoftAppCredentials. The problem is that this creates a new ConfidentialClientApplication each time, and so it should be using .WithCacheOptions(CacheOptions.EnableSharedCacheOptions).

This is according to https://learn.microsoft.com/en-us/entra/msal/dotnet/how-to/token-cache-serialization?tabs=aspnetcore#quick-summary

If you want to use an in-memory cache and you're only using AcquireTokenForClient, either reuse the confidential client application instance and don't add a serializer, or create a new confidential client application and enable the shared cache option.

I have managed to work round it by using MsalAppCredentials and creating the ConfidentialClientApplication myself and enabling the shared cache, but I think EnableSharedCacheOptions should probably be enabled in the MicrosoftAppCredentials.BuildIAuthenticator() method.
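The workaround described above, written out as an added example (not the poster's code and not part of the SDK): a hypothetical ServiceClientCredentialsFactory that builds one ConfidentialClientApplication per login endpoint with the shared cache enabled and wraps it in MsalAppCredentials, so repeated outgoing calls reuse the cached token instead of each hitting AAD. The MsalAppCredentials constructor overload taking an IConfidentialClientApplication and the exact CreateCredentialsAsync parameter list are assumed from SDK 4.21.x.

```csharp
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Identity.Client;
using Microsoft.Rest;

// Hypothetical factory (example only): gives the adapter credentials backed by a
// ConfidentialClientApplication whose token cache is shared across instances.
public class SharedCacheCredentialsFactory : ServiceClientCredentialsFactory
{
    private readonly string _appId;
    private readonly string _appPassword;

    // One client application per authority. Because the cache is shared, even a
    // freshly built instance would still see tokens acquired by an earlier one.
    private readonly ConcurrentDictionary<string, IConfidentialClientApplication> _apps = new();

    public SharedCacheCredentialsFactory(string appId, string appPassword)
    {
        _appId = appId;
        _appPassword = appPassword;
    }

    public override Task<bool> IsValidAppIdAsync(string appId, CancellationToken cancellationToken)
        => Task.FromResult(appId == _appId);

    public override Task<bool> IsAuthenticationDisabledAsync(CancellationToken cancellationToken)
        => Task.FromResult(string.IsNullOrEmpty(_appId));

    public override Task<ServiceClientCredentials> CreateCredentialsAsync(
        string appId, string audience, string loginEndpoint, bool validateAuthority,
        CancellationToken cancellationToken)
    {
        // loginEndpoint is the authority the SDK asks us to authenticate against
        // (assumed to be the Bot Framework tenant URL for channel traffic).
        var app = _apps.GetOrAdd(loginEndpoint, endpoint =>
            ConfidentialClientApplicationBuilder.Create(_appId)
                .WithClientSecret(_appPassword)
                .WithAuthority(endpoint, validateAuthority)
                // The change the thread proposes: share the in-memory token cache
                // so AcquireTokenForClient does not go to AAD on every request.
                .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)
                .Build());

        // Assumed overload: MsalAppCredentials(IConfidentialClientApplication, appId, authority, scope, validateAuthority)
        var credentials = new MsalAppCredentials(app, _appId, loginEndpoint, audience, validateAuthority);
        return Task.FromResult<ServiceClientCredentials>(credentials);
    }
}
```

Register the factory with the adapter's BotFrameworkAuthentication in place of the default password-based factory; the cache then lives for the lifetime of the process rather than of a single request.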

InfinytRam commented 1 year ago

Thanks for the update @justin-mellor, I'm investigating this issue.

InfinytRam commented 1 year ago

Hi @justin-mellor,

What is your bot type? Ex: MultiTenant, SingleTenant, etc.


justin-mellor commented 1 year ago

Hi @ramfattah, I don't see that screen in Azure. My bot resource is a Web App Bot, not an Azure Bot, so the Configuration screen doesn't have Bot Type.

InfinytRam commented 1 year ago

Hi @justin-mellor,

Are you able to provide steps to reproduce or attach a minimal reproducible .zip sample?

justin-mellor commented 1 year ago

Hi @ramfattah,

As this is intermittent it is very hard to provide a consistent reproduction. We run a suite of automated tests against our bot, and we get this error in different tests each time. It is reproducible for us purely because we run enough iterations that we get an occurrence inside a test run.

tracyboehrer commented 8 months ago

The cache correction was made in 4.21.2.

justin-mellor commented 8 months ago

> The cache correction was made in 4.21.2.

Hi @tracyboehrer, this seems to solve it. Thanks.