microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Connect-MgGraph : Invalid JWT access token in Azure Functions #2894

Open rfolkers opened 3 months ago

rfolkers commented 3 months ago

Describe the bug

Connect-MgGraph in Azure Functions (locally with VS Code) fails with the error "Invalid JWT token" regardless of whether an access token, certificate or client secret is used.

Expected behavior

Successful authentication

How to reproduce

Create an Azure Function (PowerShell) in VS Code and call Connect-MgGraph in the script (using an access token, client secret or certificate). The connection will fail with the error "Invalid JWT token".

The same code runs successfully outside the Azure Functions runtime.

SDK Version

Microsoft.Graph.Authentication 2.x

Latest version known to work for scenario above?

1.28

Known Workarounds

Use version 1.x

Debug output

```
Connect-MgGraph -ClientId {Redacted} -TenantId {Redacted} -Certificate $cert -Debug
ClientCertificateCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId:
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] MSAL MSAL.Desktop with assembly version '4.60.1.0'. CorrelationId(c7987f17-f3bf-49e6-8a09-b5be82f2f439)
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - c7987f17-f3bf-49e6-8a09-b5be82f2f439
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Token Acquisition (ClientCredentialRequest) started:
Scopes: https://graph.microsoft.com/.default
Authority Host: login.microsoftonline.com
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [Instance Discovery] Instance discovery is enabled and will be performed
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [Region discovery] Not using a regional authority.
Request [8c991d47-87d8-420d-af78-bd3cb2b4410b] POST https://login.microsoftonline.com/{redacted}/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:8c991d47-87d8-420d-af78-bd3cb2b4410b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.11.0 (.NET Core 3.1.32; Microsoft Windows 10.0.22621)
client assembly: Azure.Identity
Response [8c991d47-87d8-420d-af78-bd3cb2b4410b] 200 OK (00.1s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:8936197d-304d-4b2c-b6ae-a443f51f2f00
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
x-ms-srs:REDACTED
X-XSS-Protection:REDACTED
Content-Length:1828
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] ScopeSet was missing from the token response, so using developer provided scopes in the result.
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Checking client info returned from the server..
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Saving token response to cache..
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [SaveTokenResponseAsync] ID Token not present in response.
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Cannot determine home account ID - or id token or no client info and no subject
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Looking for scopes for the authority in the cache which intersect with https://graph.microsoft.com/.default
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Intersecting scope entries count - 0
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] === Token Acquisition finished successfully:
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] AT expiration time: 8/8/2024 1:34:32 PM +00:00, scopes: https://graph.microsoft.com/.default. source: IdentityProvider
False MSAL 4.60.1.0 MSAL.Desktop 4.8 or later Windows 10 Pro [2024-08-08 12:34:33Z - c7987f17-f3bf-49e6-8a09-b5be82f2f439] Fetched access token from host login.microsoftonline.com.
ClientCertificateCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com/.default ] ParentRequestId: ExpiresOn: 2024-08-08T13:34:32.9833602+00:00
Connect-MgGraph: Invalid JWT access token.
```

Configuration

Windows 11 X64 - clean install

| Name | Value |
|---|---|
| PSVersion | 7.0.13 |
| PSEdition | Core |
| GitCommitId | 7.0.13 |
| OS | Microsoft Windows 10.0.22621 |
| Platform | Win32NT |
| PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0…} |
| PSRemotingProtocolVersion | 2.3 |
| SerializationVersion | 1.1.0.1 |
| WSManStackVersion | 3.0 |

Other information

No response

rfolkers commented 1 month ago

Since the status of this issue is "needs Investigation", I did some additional troubleshooting; the problem seems to be a missing dependency in the Function runtime:

```
[2024-10-07T13:28:20.337Z] ERROR: Invalid JWT access token.
[2024-10-07T13:28:20.338Z]
[2024-10-07T13:28:20.339Z] Exception :
[2024-10-07T13:28:20.340Z] Type : Microsoft.Graph.PowerShell.AuthenticationException
[2024-10-07T13:28:20.341Z] TargetSite :
[2024-10-07T13:28:20.342Z] Name : DecodeToObject
[2024-10-07T13:28:20.345Z] DeclaringType : Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers, Microsoft.Graph.Authentication.Core, Version=2.9.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
[2024-10-07T13:28:20.347Z] MemberType : Method
[2024-10-07T13:28:20.348Z] Module : Microsoft.Graph.Authentication.Core.dll
[2024-10-07T13:28:20.350Z] StackTrace :
[2024-10-07T13:28:20.351Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers.DecodeToObject[T](String jwtString)
[2024-10-07T13:28:20.352Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.UserProvidedTokenCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.353Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.UserProvidedTokenCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.354Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.SignInAsync(IAuthContext authContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.355Z] at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.AuthenticationHelpers.AuthenticateAsync(IAuthContext authContext, CancellationToken cancellationToken)
[2024-10-07T13:28:20.356Z] at Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph.ProcessRecordAsync()
[2024-10-07T13:28:20.357Z] at Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph.ProcessRecordAsync()
[2024-10-07T13:28:20.358Z] Message : Invalid JWT access token.
[2024-10-07T13:28:20.359Z] InnerException :
[2024-10-07T13:28:20.359Z] Type : System.IO.FileNotFoundException
[2024-10-07T13:28:20.360Z] Message : Could not load file or assembly 'Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. Het systeem kan het opgegeven bestand niet vinden.
[2024-10-07T13:28:20.361Z] FileName : Microsoft.Bcl.AsyncInterfaces, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51
[2024-10-07T13:28:20.362Z] TargetSite :
[2024-10-07T13:28:20.364Z] Name : GetAsyncEnumerableInterface
[2024-10-07T13:28:20.365Z] DeclaringType : System.Text.Json.Serialization.IAsyncEnumerableConverterFactory, System.Text.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51
[2024-10-07T13:28:20.366Z] Executed 'Functions.Time1' (Succeeded, Id=38a8fd80-611f-409e-b946-dd3d70c23b58, Duration=7203ms)
[2024-10-07T13:28:20.366Z] MemberType : Method
[2024-10-07T13:28:20.369Z] Module : System.Text.Json.dll
```

This issue is not new, so it seems, but in this case it is isolated to local function runtimes only.

https://learn.microsoft.com/en-us/answers/questions/1479392/azure-function-powershell-microsoft-graph-powershe

I tried the solution in that topic (switching to a certain module version and ExtensionBundle), but there was no change.
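The log above shows the "Invalid JWT access token" message wrapping a FileNotFoundException for Microsoft.Bcl.AsyncInterfaces 6.0.0.0, so the useful signal is in the inner exception, not the outer one. The following diagnostic is an added example (not the reporter's code or the SDK's) that unwraps the exception chain when Connect-MgGraph fails and checks whether the runtime can resolve the assembly named there; `$env:GRAPH_ACCESS_TOKEN` is an assumed placeholder for a token obtained elsewhere.

```powershell
# Added diagnostic, not from the issue or the SDK. Run it in place of the failing
# Connect-MgGraph call (for example in the Function's run.ps1) to expose the inner
# exception and test whether the assembly it names can actually be loaded.
# $env:GRAPH_ACCESS_TOKEN is an assumed placeholder for a token obtained elsewhere.

function Get-ExceptionChain {
    param([Parameter(Mandatory)][System.Exception]$Exception)
    # Walk InnerException so a wrapped FileNotFoundException is not hidden
    # behind the outer "Invalid JWT access token" message.
    $depth = 0
    for ($e = $Exception; $null -ne $e; $e = $e.InnerException) {
        $row = [ordered]@{ Depth = $depth; Type = $e.GetType().FullName; Message = $e.Message }
        if ($e -is [System.IO.FileNotFoundException]) { $row.FileName = $e.FileName }
        [pscustomobject]$row
        $depth++
    }
}

function Test-AssemblyVersion {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][version]$Required)
    # Report which copies of the assembly this runtime has already loaded, then try
    # to resolve the required version. Returns $true only when it satisfies $Required.
    $loaded = [System.AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GetName().Name -eq $Name }
    foreach ($a in $loaded) { "Loaded: $Name $($a.GetName().Version) from $($a.Location)" }
    try {
        $asm = [System.Reflection.Assembly]::Load("$Name, Version=$Required")
        return $asm.GetName().Version -ge $Required
    }
    catch {
        "Cannot load $Name $Required : $($_.Exception.GetType().Name)"
        return $false
    }
}

# Record which module build is in play, since the runtime's module version matters here.
Get-Module Microsoft.Graph.Authentication | Select-Object Version, Path
try {
    $token = ConvertTo-SecureString $env:GRAPH_ACCESS_TOKEN -AsPlainText -Force
    Connect-MgGraph -AccessToken $token -NoWelcome -ErrorAction Stop
    Get-MgContext | Select-Object ClientId, TenantId, AuthType
}
catch {
    Get-ExceptionChain -Exception $_.Exception | Format-List
    # The assembly named in the inner exception of the issue's log.
    Test-AssemblyVersion -Name 'Microsoft.Bcl.AsyncInterfaces' -Required '6.0.0.0'
}
```

If Test-AssemblyVersion returns $false while the same script succeeds outside the Functions host, the fault is in assembly resolution of the runtime, not in the token itself.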