pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License

Bug report: M365 login from behind corp proxy = Error: could not resolve endpoints #2698

Closed mikeparkie closed 10 months ago

mikeparkie commented 3 years ago

Description

I'm attempting to set up and configure M365 CLI on some of our servers which are behind a proxy and I'm running into issues with the setup, probably something I'm missing but I'm not overly familiar with node/npm etc.

Steps to reproduce

Firstly I installed nodejs. Then I ran:

npm config set proxy http://proxyname:port
npm config set https-proxy http://proxyname:port

and then npm install -g @pnp/cli-microsoft365

The install took place and m365 status = logged out. So the module installed, just an issue connecting.

Expected results

M365 Login should prompt me to visit Azure to validate my login using the browser.

Actual results

Running m365 login returns: Error: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

Diagnostics

I've double checked the proxies and they return as the correct values from above:

npm config get proxy
http://proxyname:port

npm config get https-proxy
https://proxyname:port

CLI for Microsoft 365 version

v3.13.0

nodejs version

v14.17.5

Operating system (environment)

Windows Server 2016 x64 1607

Shell

Windows PowerShell 5.1

cli doctor

Error: Log in to Microsoft 365 first

Additional Info

Some pointers on what I'm missing would be appreciated. TIA

garrytrinder commented 3 years ago

Thanks for raising this @mikeparkie, apologies for the trouble. We will need to delve into some more detail to understand the issue.

As the npm install has been successful, I don't think that the npm configuration is the issue here; my initial thoughts are that this is possibly related to the msal-node package which we use for authentication.

Could you execute m365 login --debug and include the response in this issue?

mikeparkie commented 3 years ago

Hey @garrytrinder thanks for the response and no problem at all, probably me anyway 😊 but thanks for the assist in helping me understand.

Here's the debug:

PS C:\Users\USERNAME> m365 login --debug
Executing command login with options {"options":{"debug":true}}
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com
[Fri, 10 Sep 2021 07:51:38 GMT] : @azure/msal-node@1.3.0 : Info - getTokenCache called
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Fri, 10 Sep 2021 07:51:38 GMT] : @azure/msal-node@1.3.0 : Info - acquireTokenByDeviceCode called
[Fri, 10 Sep 2021 07:51:38 GMT] : @azure/msal-node@1.3.0 : Verbose - initializeRequestScopes called
[Fri, 10 Sep 2021 07:51:38 GMT] : [04dae9f6-d561-4d03-a4ad-2dede097d308] : @azure/msal-node@1.3.0 : Verbose - buildOauthClientConfiguration called
[Fri, 10 Sep 2021 07:51:38 GMT] : [04dae9f6-d561-4d03-a4ad-2dede097d308] : @azure/msal-node@1.3.0 : Verbose - building oauth client configuration with the authority: https://login.microsoftonline.com/common
[Fri, 10 Sep 2021 07:51:38 GMT] : [04dae9f6-d561-4d03-a4ad-2dede097d308] : @azure/msal-node@1.3.0 : Verbose - createAuthority called
Error:
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at ClientAuthError.AuthError [as constructor] (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:477:24)
    at new ClientAuthError (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:729:28)
    at Function.ClientAuthError.createEndpointDiscoveryIncompleteError (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:766:16)
    at Function.<anonymous> (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:6744:47)
    at step (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:79:23)
    at Object.throw (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:60:53)
    at rejected (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:51:65)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  errorCode: 'endpoints_resolution_error',
  errorMessage: 'Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.',
  subError: ''
}

Error: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

Error implies I need to trust the authority; from the debug me thinks it should be:

npm config set registry="https://login.microsoftonline.com/common"
npm config set registry="https://graph.microsoft.com"

Added these ^ and re-ran:

PS C:\Users\USERNAME> m365 login --debug
Executing command login with options {"options":{"debug":true}}
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com
[Fri, 10 Sep 2021 08:19:05 GMT] : @azure/msal-node@1.3.0 : Info - getTokenCache called
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Fri, 10 Sep 2021 08:19:05 GMT] : @azure/msal-node@1.3.0 : Info - acquireTokenByDeviceCode called
[Fri, 10 Sep 2021 08:19:05 GMT] : @azure/msal-node@1.3.0 : Verbose - initializeRequestScopes called
[Fri, 10 Sep 2021 08:19:05 GMT] : [7e3eb758-5d5b-4fc3-821e-374401c8ce46] : @azure/msal-node@1.3.0 : Verbose - buildOauthClientConfiguration called
[Fri, 10 Sep 2021 08:19:05 GMT] : [7e3eb758-5d5b-4fc3-821e-374401c8ce46] : @azure/msal-node@1.3.0 : Verbose - building oauth client configuration with the authority: https://login.microsoftonline.com/common
[Fri, 10 Sep 2021 08:19:05 GMT] : [7e3eb758-5d5b-4fc3-821e-374401c8ce46] : @azure/msal-node@1.3.0 : Verbose - createAuthority called
Error:
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at ClientAuthError.AuthError [as constructor] (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:477:24)
    at new ClientAuthError (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:729:28)
    at Function.ClientAuthError.createEndpointDiscoveryIncompleteError (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:766:16)
    at Function.<anonymous> (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:6744:47)
    at step (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:79:23)
    at Object.throw (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:60:53)
    at rejected (C:\Users\USERNAME\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:51:65)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  errorCode: 'endpoints_resolution_error',
  errorMessage: 'Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.',
  subError: ''
}

Error: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

mikeparkie commented 3 years ago

Same result using the browser parameter as well for the auth: m365 login -t browser

Do I need to do anything with Azure?

garrytrinder commented 3 years ago

> trusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.

This is unexpected as we use the standard multi-tenant authority to authorise your sign in against, https://login.microsoftonline.com/common.

Are you able to use other libraries that would use a similar approach to us? Azure CLI would be a good test.

> Do I need to do anything with Azure?

You shouldn't need to do anything in Azure, however I am curious to know if you have any security policies related to third-party Azure AD apps applied in your tenant that may cause this issue.

waldekmastykarz commented 3 years ago

> Are you able to use other libraries that would use a similar approach to us? Azure CLI would be a good test.

Bear in mind that Azure CLI is built in Python and it could have different support for handling proxies. So far, it seems like the issue is with msal-node and that's the first place that we should investigate to see if there are any known issues before we continue.

garrytrinder commented 3 years ago

> > Are you able to use other libraries that would use a similar approach to us? Azure CLI would be a good test.
>
> Bear in mind that Azure CLI is built in Python and it could have different support for handling proxies. So far, it seems like the issue is with msal-node and that's the first place that we should investigate to see if there are any known issues before we continue.

Good shout 👍

mikeparkie commented 3 years ago

Typically I'm more of an M365 guy than Azure, so I'll be blocked at some point from a role point of view. But let's see how far I get 😄

Installed the Azure CLI from the MSI from here, ran az login --debug

Full output is:

cli.knack.cli: __init__ debug log:
Enable color in terminal.
Init colorama.
cli.azure.cli.core._profile: 'C:\Users\USERNAME\.azure\accessTokens.json' is not a file or doesn't exist.
cli.azure.cli.core._profile: Windows is detected. Set HTTPServer.allow_reuse_address to False
cli.azure.cli.core._profile: Open browser with url: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&redirect_uri=http://localhost:8400&state=REMOVED
source=https://management.core.windows.net/&prompt=select_account
cli.azure.cli.core._profile: The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
adal-python: 07e5baba-e29b-4fea-934a-01ba4cef8094 - Authority:Performing instance discovery: ...
adal-python: 07e5baba-e29b-4fea-934a-01ba4cef8094 - Authority:Performing static instance discovery
adal-python: 07e5baba-e29b-4fea-934a-01ba4cef8094 - Authority:Authority validated via static instance discovery
adal-python: 07e5baba-e29b-4fea-934a-01ba4cef8094 - TokenRequest:Getting token with auth code.
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
adal-python: 07e5baba-e29b-4fea-934a-01ba4cef8094 - OAuth2Client:Get Token request failed
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 696, in urlopen
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 964, in _prepare_proxy
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connection.py", line 359, in connect
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connection.py", line 500, in _connect_tls_proxy
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
  File "ssl.py", line 500, in wrap_socket
  File "ssl.py", line 1040, in _create
  File "ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 439, in send
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 755, in urlopen
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/retry.py", line 574, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/oauth2_client.py", line 263, in get_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 119, in post
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 61, in request
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 542, in request
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 655, in send
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 696, in urlopen
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 964, in _prepare_proxy
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connection.py", line 359, in connect
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connection.py", line 500, in _connect_tls_proxy
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
  File "ssl.py", line 500, in wrap_socket
  File "ssl.py", line 1040, in _create
  File "ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 439, in send
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/connectionpool.py", line 755, in urlopen
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\urllib3/util/retry.py", line 574, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 152, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 201, in find_subscriptions_on_login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 924, in find_through_authorization_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/authentication_context.py", line 215, in acquire_token_with_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/authentication_context.py", line 128, in _acquire_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/authentication_context.py", line 211, in token_func
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/token_request.py", line 325, in get_token_with_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/token_request.py", line 112, in _oauth_get_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\adal/oauth2_client.py", line 263, in get_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 119, in post
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/api.py", line 61, in request
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 542, in request
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/sessions.py", line 655, in send
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 657, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 691, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 180, in login
knack.util.CLIError: Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

cli.azure.cli.core.azclierror: Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))
az_command_data_logger: Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x040912B0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 25.979 seconds (init: 0.644, invoke: 25.335)
telemetry.save: Save telemetry record of length 3329 in cache
telemetry.check: Positive: The C:\Users\USERNAME\.azure\telemetry.txt does not exist.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\USERNAME\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

waldekmastykarz commented 3 years ago

Thank you for sharing @mikeparkie. Have you tried to follow the steps outlined at https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy which is mentioned in the error message?

mikeparkie commented 3 years ago

Thanks... I clearly have SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] in the logs.

I doubly made sure the proxy authentication was set, so ran:

set HTTP_PROXY=http://proxyserver:port
set HTTPS_PROXY=https://proxyserver:port

and then added the environment variable as per the article (with and without specifying the .pem file). Assuming I've not completely misunderstood the instruction:

> Append the proxy server's certificate to this file or copy the contents to another certificate file, then set REQUESTS_CA_BUNDLE to it.

[image]

= Same error.

waldekmastykarz commented 3 years ago

Have you restarted the terminal after applying the changes?

mikeparkie commented 3 years ago

@waldekmastykarz indeed I have sir. Rebooted it again just in case 😎

mikeparkie commented 3 years ago

I've also taken a copy of our proxy certificate (converted it to .pem) and stored it in the C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi and reflected that in the env variables. Rebooted and still get the same error.

waldekmastykarz commented 3 years ago

Thanks for doing the extra checks @mikeparkie. Unfortunately, I don't have any other suggestions at this moment.

@wictorwilen, does anything else come to your mind based on your past experience with proxies?

wictorwilen commented 3 years ago

According to the error message my guess is that there's an issue with the TLS version.

For instance login.microsoftonline.com requires TLS 1.2 or greater. Can be tested with

curl https://login.microsoftonline.com --verbose --tlsv1.1 --tls-max 1.1

That fails, and the following succeeds:

curl https://login.microsoftonline.com --verbose --tlsv1.2 --tls-max 1.2

@mikeparkie - Can you run the same things but on your proxy address?

wictorwilen commented 3 years ago

Also @mikeparkie - I read that some folks worked around this by specifying the http address in the HTTPS_PROXY environment variable. As in:

set HTTPS_PROXY=http://proxyserver:port

PS: Not something I recommend officially!

anthonywhite commented 3 years ago

I am having the same issue as @mikeparkie, latest CLI, behind corporate proxy. @wictorwilen my http_proxy and https_proxy environment variables are set and recognized fine by most tools in the node chain, so I don't quite understand your comment - it's not a workaround?

wictorwilen commented 3 years ago

@anthonywhite - would you mind sharing the results of the TLS version check on your proxy, as mentioned above? We're collectively, and I don't have an environment such as yours to test on, trying to figure out what's going on with your environments. It's obvious to me that something is going on with the proxy configuration that does not work with the M365 CLI setup, and we're trying to pinpoint where things go wrong.

anthonywhite commented 3 years ago

@wictorwilen actually both those commands seem to work for me without error. Here's the 1.1 output (the 1.2 output was very similar):

CURL TEST

curl https://login.microsoftonline.com --verbose --tlsv1.1 --tls-max 1.1
* Rebuilt URL to: https://login.microsoftonline.com/
*   Trying 10.216.190.6...
* TCP_NODELAY set
* Connected to inetproxy.uk.kworld.kpmg.com (10.216.190.6) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to login.microsoftonline.com:443
> CONNECT login.microsoftonline.com:443 HTTP/1.1
> Host: login.microsoftonline.com:443
> User-Agent: curl/7.55.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* CONNECT phase completed!
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 138 bytes...
* schannel: sent initial handshake data: sent 138 bytes
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* CONNECT phase completed!
* CONNECT phase completed!
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 2/3)
* schannel: encrypted data got 3640
* schannel: encrypted data buffer: offset 3640 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 2/3)
* schannel: encrypted data got 583
* schannel: encrypted data buffer: offset 4223 length 4664
* schannel: sending next handshake data: sending 182 bytes...
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 2/3)
* schannel: encrypted data got 75
* schannel: encrypted data buffer: offset 75 length 4664
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with login.microsoftonline.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: login.microsoftonline.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1253
* schannel: encrypted data buffer: offset 1253 length 103424
* schannel: decrypted data length: 1199
* schannel: decrypted data added: 1199
* schannel: decrypted data cached: offset 1199 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1199 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1199
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 302 Found
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://www.office.com/login#
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
< x-ms-request-id: c9e660b2-dd62-4a20-a855-e3900341bb00
< x-ms-ests-server: 2.1.12025.15 - NEULR2 ProdSlices
< Set-Cookie: fpc=AniTBVXPVehHkZReuWJVc6A; expires=Sat, 16-Oct-2021 11:36:10 GMT; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: esctx=AQABAAAAAAD--DLA3VO7QrddgJg7WevrLwqYzB3dBtbYQ2Wk-bKMdQMpuoGvmwzMJcVMMvUXJI5j1SxuKrk8x7dKd-gflXq-5vvC1DG5MoEbVsjCIEjpcJaJrej0jyb4RWtIhZxKQJgn3l8p5FQdPkB7lD2HiBGQzVGYd2qTfDx3ZaUL4W2qVUAuZ4zYCu9SiiSR63WPzXAgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
< Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
< Date: Thu, 16 Sep 2021 11:36:09 GMT
< Content-Length: 146
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.office.com/login#">here</a>.</h2>
</body></html>
* Connection #0 to host inetproxy.uk.kworld.kpmg.com left intact

M365 LOGIN

m365 login --debug
Executing command login with options {"options":{"debug":true}}
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com
[Thu, 16 Sep 2021 12:31:31 GMT] : @azure/msal-node@1.3.0 : Info - getTokenCache called
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Thu, 16 Sep 2021 12:31:31 GMT] : @azure/msal-node@1.3.0 : Info - acquireTokenByDeviceCode called
[Thu, 16 Sep 2021 12:31:31 GMT] : @azure/msal-node@1.3.0 : Verbose - initializeRequestScopes called
[Thu, 16 Sep 2021 12:31:31 GMT] : [aedd73a2-3e7b-4474-8d88-8298d17d0b8c] : @azure/msal-node@1.3.0 : Verbose - buildOauthClientConfiguration called
[Thu, 16 Sep 2021 12:31:31 GMT] : [aedd73a2-3e7b-4474-8d88-8298d17d0b8c] : @azure/msal-node@1.3.0 : Verbose - building oauth client configuration with the authority: https://login.microsoftonline.com/common
[Thu, 16 Sep 2021 12:31:31 GMT] : [aedd73a2-3e7b-4474-8d88-8298d17d0b8c] : @azure/msal-node@1.3.0 : Verbose - createAuthority called
Error:
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
    at ClientAuthError.AuthError [as constructor] (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:477:24)
    at new ClientAuthError (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:729:28)
    at Function.ClientAuthError.createEndpointDiscoveryIncompleteError (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:766:16)
    at Function.<anonymous> (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:6744:47)
    at step (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:79:23)
    at Object.throw (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:60:53)
    at rejected (C:\Users\awhite7\AppData\Roaming\npm\node_modules\@pnp\cli-microsoft365\node_modules\@azure\msal-common\dist\index.cjs.js:51:65)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  errorCode: 'endpoints_resolution_error',
  errorMessage: 'Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.',
  subError: ''
}

Error: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
wictorwilen commented 3 years ago

@anthonywhite Thanks!

It seems like your proxy is accepting TLS 1.1, and Graph has deprecated support for that version, due to it being considered unsecure. I wonder if this could have something to do with it. Ref: https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-tls-1.2-in-office-365?view=o365-worldwide

If I, without a proxy, run that curl statement I get the message that a connection cannot be established.

Also, following the error message, the call stack, the dependencies and source code leads to that the culprit lies more in the MSAL library - where the same issue is reported multiple times. Ref: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2600.

-> @waldekmastykarz - would it be worth testing an option where the MSAL networkClient configuration is set to the http-proxy-agent as described in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2600#issuecomment-881235564

mikeparkie commented 3 years ago

Curl results. Hope that's what you were after @wictorwilen.

.\curl.exe https://login.microsoftonline.com --verbose --tlsv1.1 --tls-max 1.1 
*   Trying 20.190.159.138:443...
* connect to 20.190.159.138 port 443 failed: Timed out
*   Trying 40.126.31.141:443...
* connect to 40.126.31.141 port 443 failed: Timed out
*   Trying 40.126.31.6:443...
* connect to 40.126.31.6 port 443 failed: Timed out
*   Trying 20.190.159.132:443...
* connect to 20.190.159.132 port 443 failed: Timed out
*   Trying 20.190.159.136:443...
* connect to 20.190.159.136 port 443 failed: Timed out
*   Trying 40.126.31.139:443...
* connect to 40.126.31.139 port 443 failed: Timed out
*   Trying 40.126.31.4:443...
* connect to 40.126.31.4 port 443 failed: Timed out
*   Trying 40.126.31.8:443...
* connect to 40.126.31.8 port 443 failed: Timed out
* Failed to connect to login.microsoftonline.com port 443 after 168298 ms: Timed out
* Closing connection 0
curl: (28) Failed to connect to login.microsoftonline.com port 443 after 168298 ms: Timed out
.\curl.exe https://login.microsoftonline.com --verbose --tlsv1.2 --tls-max 1.2
*   Trying 20.190.159.138:443...
* connect to 20.190.159.138 port 443 failed: Timed out
*   Trying 40.126.31.141:443...
* connect to 40.126.31.141 port 443 failed: Timed out
*   Trying 40.126.31.6:443...
* connect to 40.126.31.6 port 443 failed: Timed out
*   Trying 20.190.159.132:443...
* connect to 20.190.159.132 port 443 failed: Timed out
*   Trying 20.190.159.136:443...
* connect to 20.190.159.136 port 443 failed: Timed out
*   Trying 40.126.31.139:443...
* connect to 40.126.31.139 port 443 failed: Timed out
*   Trying 40.126.31.4:443...
* connect to 40.126.31.4 port 443 failed: Timed out
*   Trying 40.126.31.8:443...
* connect to 40.126.31.8 port 443 failed: Timed out
* Failed to connect to login.microsoftonline.com port 443 after 168254 ms: Timed out
* Closing connection 0
curl: (28) Failed to connect to login.microsoftonline.com port 443 after 168254 ms: Timed out
.\curl.exe http://PROXYNAME:PORT# --verbose --tlsv1.1 --tls-max 1.1
*   Trying XX.XXX.XX.XX:PORT...
* Connected to PROXYNAME (XX.XXX.XX.XX) port PORT# (#0)
> GET / HTTP/1.1
> Host: PROXYNAME:PORT#
> User-Agent: curl/7.79.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< X-XSS-Protection: 1
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Content-Length: 1197
* Connection #0 to host PROXYNAME left intact
.\curl.exe http://PROXYNAME:PORT# --verbose --tlsv1.2 --tls-max 1.2
*   Trying 10.194.40.35:PORT...
* Connected to PROXYNAME (XX.XXX.XX.XX) port PORT# (#0)
> GET / HTTP/1.1
> Host: PROXYNAME:PORT#
> User-Agent: curl/7.79.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< X-XSS-Protection: 1
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Content-Length: 1197
* Connection #0 to host PROXYNAME left intact

I'm OOO now until 6th Oct, so my replies will be limited as I'll be away from my work machine. In the meantime I've asked a colleague to do some WireShark traces, see if that reveals anything.

anthonywhite commented 3 years ago

It seems like your proxy is accepting TLS 1.1, and Graph has deprecated support for that version, due to it being considered unsecure.

@wictorwilen without being a proxy expert myself, I am advised that our proxy just passes through most client requests "as is", without rejecting TLS < 1.2 - and actually we need older TLS for some legacy support.

The question I have is, even if TLS < 1.2 is enabled on the client O/S, is the M365 login toolchain trying to use old TLS? Why would it? Could there be another reason for the MSAL error I am seeing?

PS Azure CLI works fine for me without altering env variables or anything else, if that's any help.

waldekmastykarz commented 3 years ago

I wonder if this issue is related to #2155

mikeparkie commented 2 years ago

@wictorwilen I'm just revisiting this as it dropped down my list of priorities.

Exploring the proxy documentation for Azure, it mentioned adding the system variable for the proxies: HTTP_PROXY / HTTPS_PROXY which I've just added:

Without

az login --use-device-code
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/devicecode?api-version=1.0 (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

With

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CMYG9CQJJ to authenticate.

So that helps Azure 👍 I then get blocked at the consent stage, no biggy though as I don't have the role, but it does show I can get to the Azure sign-in through the cli.

Back to m365 login and I still get the same endpoint error.

I was going to do some tracing, which is preferred, WireShark or Fiddler? and if do a trace, what result shall I post/filter on?

teixejoe commented 2 years ago

Same issue with last version. do you have news how to use it behind a proxy?

waldekmastykarz commented 2 years ago

It seems like just recently there was an update to msal-node that adds support for proxy. @pnp/cli-for-microsoft-365-maintainers we should check it out if it helps addressing this issue.

More info: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2600#issuecomment-1048295218

anthonywhite commented 2 years ago

👍 yes please nothing has changed for us.

waldekmastykarz commented 2 years ago

Do you have any tips what's the easiest way for us to mimic your setup without standing up a fully-fledged infra with a proxy so that we can test any changes that we'd do?

teixejoe commented 2 years ago

We try to use cli only on servers and there we need to define manually the proxy.

waldekmastykarz commented 2 years ago

Do you have any suggestions how we could reproduce your configuration so that we're looking at the same thing?

teixejoe commented 2 years ago

You have in attachment an example of configuration to redirect all web requests (or almost, depending on the application) to the proxy.

waldekmastykarz commented 2 years ago

Thank you @teixejoe. Am I understanding it correctly, that above only registers a proxy for all requests but I'd still need to have a proxy server set up on port 80?

teixejoe commented 2 years ago

In my case it's 3125 😀

waldekmastykarz commented 2 years ago

Right, but the question remains: how can our contributors, or us maintainers replicate this? For example, I don't have a proxy ready to use on my network and it's not something I'm setting up regularly, so having some more information about how we could replicate your setup so that we can reproduce the error would significantly cut the implementation time.

anthonywhite commented 2 years ago

@waldekmastykarz Could something like this help (please note I have not tried myself - I already have a corporate proxy ;-))?

Simulate-an-enterprise-proxy-on-a-single-developer-machine

I appreciate this is a pain for your authors/contributors, but the uncomfortable fact is that a percentage of your users, especially in large companies or regulated industries, are sat behind corporate proxies trying to make dev toolchains work. And the experience is very mixed, some things work and some don't. I've had a lot of pain in this area over many years.

If you do feel able to simulate this use case, that would be much appreciated.

waldekmastykarz commented 2 years ago

Happy to help any way I can and I'm sure that our contributors feel the same way! If we can get to a representative setup, then we can definitely work on a solution. Let's do this!

waldekmastykarz commented 2 years ago

@anthonywhite the instructions help for sure! I'm on a macOS so I'll either try for an alternative or use a VM, unless someone else who's on Windows would like to help with addressing this limitation 😄

user799595 commented 1 year ago

Is there a way to work around this problem?

nicodecleyre commented 1 year ago

Is there a way to work around this problem?

Hi @user799595, not that we know for now. You could maybe try to use netsh winhttp set proxy proxy-server="yourproxy" bypass-list="*.microsoftonline.com" to bypass the login url

user799595 commented 1 year ago

@nicodecleyre I'm behind a corporate firewall, so I cannot access the internet without using the proxy. (Also on macOS)

Is there any way I could help with this issue? (Unfortunately not a js programmer)

nicodecleyre commented 1 year ago

@nicodecleyre I'm behind a corporate firewall, so I cannot access the internet without using the proxy. (Also on macOS)

Is there any way I could help with this issue? (Unfortunately not a js programmer)

Thank you for offering your help @user799595!

I've created a dev environment with a proxy like the article explained in the link that @anthonywhite shared and was able to reproduce the error message. I'll take a deeper look to it in the coming days and investigate if the msal update that @waldekmastykarz shared can offer a solution to this.

I'll keep you posted

waldekmastykarz commented 1 year ago

We'd need to check if the latest versions of MSAL and Axios still have this limitation. It's been a while since we looked at this issue and we've had a couple of updates since

Adam-it commented 1 year ago

Awesome. @nicodecleyre thank you once again for your truly amazing engagement and dedication 👍. You rock 🤩

nicodecleyre commented 1 year ago

We may have found a breakthrough here!


With the msal version we currently use (1.15.0) there is the possibility to provide a proxy url. By providing an additional option proxyUrl with the m365 login it targets the login towards the proxy. Next to that this same option is also provided when doing the actual requests as you can see in the example where I execute the m365 spo web list command.

This is not yet in production! I'll make a pull request and then we still have to review and test this new functionality. But I'm really excited about this since it can provide an added value for people behind a corporate proxy

Ps: can a maintainer assign me to the issue please?

Adam-it commented 1 year ago

@nicodecleyre awesome research 👍. I assigned to you as you suggested

waldekmastykarz commented 1 year ago

Thanks for the additional info @nicodecleyre. Before we continue down this path:

nicodecleyre commented 1 year ago
  • imho, proxy URL should be a CLI-wide config rather than something we run on a specific command. In other words: if you're behind a proxy, you're behind the proxy all the time, and not just for a single command execution. As such, it should be a configuration setting that you set up once and which applies to all commands execution on your machine

How would the login command know when to use the proxy? Will the config key be a fixed key?

  • in your POC you specify proxy for login but not for the subsequent command execution. How can it be that we need it the proxy for the sign in, but not for calling an 'spo' command which behind the scenes retrieves a new access token using MSAL? That's confusing

whenever a command is executed, it checks if a proxyUrl is given within the auth.service, if so, it uses the proxy url to execute the command so the user doesn't have to give the proxy url with every command

  • what if the proxy requires credentials to sign in? We need to accommodate that too in our setup

there are 2 formats in which the proxy url must exist if we want to implement this:

so we can opt for 2 choices here:

Is it easier to discuss the poc in a PR or do you wish to await submitting the pr and discuss the conditions here first?

waldekmastykarz commented 1 year ago

How would the login command know when to use the proxy? Will the config key be a fixed key?

Yes, all config keys in CLI are fixed and known upfront.

whenever a command is executed, it checks if a proxyUrl is given within the auth.service, if so, it uses the proxy url to execute the command so the user doesn't have to give the proxy url with every command

imho, proxy information doesn't belong on the auth.service. auth.service is meant for persisting auth-related information. Proxy info belongs to the machine rather than a specific connection.

Is it easier to discuss the poc in a PR or do you wish to await submitting the pr and discuss the conditions here first?

I suggest that we hash out as much as possible here to avoid unnecessary rework later on.

Ideally, we should let user specify the proxy information on a setting and then use the information to set proxy information wherever is needed in our code. So having a setting that can hold the whole string http://username:password@proxy.contoso.com:8080 and then using this information to pass it to MSAL and Axios would be ideal. I like your helper function to convert a URL to an AxiosProxyConfig instance. I suggest we change its name though from parseProxyUrl to something like createProxyConfigFromString so that it's clear what the function does. parsing is too vague.
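An added example of the helper discussed above, written for this page and not taken from the cli-microsoft365 code base: it turns a single proxyUrl setting such as http://username:password@proxy.contoso.com:8080 into the shape Axios expects for its proxy option, plus a redacted form for debug output so the credentials never end up in a --debug log like the one pasted earlier in this thread. The AxiosProxyConfig interface is declared locally (mirroring the real one's host/port/auth/protocol fields) so the example runs without axios installed; the function names are the ones proposed above.

```typescript
// Added example, not the project's own code. The interface mirrors the
// AxiosProxyConfig fields Axios uses so the file runs without axios installed.
export interface AxiosProxyConfig {
  host: string;
  port: number;
  auth?: { username: string; password: string };
  protocol?: string;
}

// Default ports used when the setting omits one (http://proxy -> 80).
const DEFAULT_PORTS: { [scheme: string]: number } = { 'http:': 80, 'https:': 443 };

// Parse the proxyUrl setting into an Axios proxy config. The scheme is the
// one used to talk to the proxy itself (usually http, even when the proxied
// target is https), which is why the thread's HTTPS_PROXY=http://... works.
export function createProxyConfigFromString(proxyUrl: string): AxiosProxyConfig {
  let url: URL;
  try {
    url = new URL(proxyUrl);
  } catch {
    throw new Error(`proxyUrl is not a valid URL: ${proxyUrl}`);
  }

  const defaultPort = DEFAULT_PORTS[url.protocol];
  if (defaultPort === undefined) {
    throw new Error(`proxyUrl must use http or https, got ${url.protocol}`);
  }

  const config: AxiosProxyConfig = {
    host: url.hostname,
    port: url.port === '' ? defaultPort : Number(url.port),
    protocol: url.protocol.replace(/:$/, '')
  };

  // Credentials in a URL are percent-encoded (DOMAIN\user -> DOMAIN%5Cuser,
  // p@ss -> p%40ss); decode them before handing them to the HTTP client.
  if (url.username !== '') {
    config.auth = {
      username: decodeURIComponent(url.username),
      password: decodeURIComponent(url.password)
    };
  }
  return config;
}

// Render the proxy for log or --debug output with the password masked.
export function describeProxy(config: AxiosProxyConfig): string {
  const scheme = config.protocol ? config.protocol : 'http';
  const auth = config.auth ? `${config.auth.username}:***@` : '';
  return `${scheme}://${auth}${config.host}:${config.port}`;
}
```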

nicodecleyre commented 1 year ago

imho, proxy information doesn't belong on the auth.service. auth.service is meant for persisting auth-related information. Proxy info belongs to the machine rather than a specific connection.

You're right, proxy info doesn't belong on auth.service

Ideally, we should let user specify the proxy information on a setting and then use the information to set proxy information wherever is needed in our code. So having a setting that can hold the whole string http://username:password@proxy.contoso.com:8080 and then using this information to pass it to MSAL and Axios would be ideal. I like your helper function to convert a URL to an AxiosProxyConfig instance. I suggest we change its name though from parseProxyUrl to something like createProxyConfigFromString so that it's clear what the function does. parsing is too vague.

If I understand correctly, the user adds the proxy url via config set containing the whole string http://username:password@proxy.contoso.com:8080 and we use this config key where needed? Would proxyUrl be a suitable name for the config key?

Should we add a remark to the login command documentation where we explain how one has to configure a key first when using a proxy url? Do you think we should add this information on other places?

martinlingstuyl commented 1 year ago

Hi @nicodecleyre, great work researching this! I'd suggest we add a separate section to the using guides. Something like 'Working behind a proxy'.

waldekmastykarz commented 1 year ago

If I understand correctly, the user adds the proxy url via config set containing the whole string http://username:password@proxy.contoso.com:8080 and we use this config key where needed? Would proxyUrl be a suitable name for the config key?

proxyUrl is a good name for the setting. It's clear what it's for.

Should we add a remark to the login command documentation where we explain how one has to configure a key first when using a proxy url? Do you think we should add this information on other places?

As it applies to using CLI at large, I suggest we follow @martinlingstuyl's suggestion and add it to the guide. Additionally, we should include this in the m365 setup command #4216