pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License
920 stars 325 forks

Bug report: login fails with error 400 on 5.4.0 #3431

Closed crispinboylan-int closed 2 years ago

crispinboylan-int commented 2 years ago

Description

When logging in as normal with 5.4.0 using this:

I get:

Error: network_error: Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token

REDACTED has my normal tenant id in it.

Reverting to 5.3.0 works fine.

Steps to reproduce

```shell
m365 login --authType password --userName $(O365_USERNAME) --password '$(O365_PASSWORD)'
```

with CLIMICROSOFT365_AADAPPID and CLIMICROSOFT365_TENANT set

Expected results

Normal login.

Actual results

Error: network_error: Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token

Diagnostics

```
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com
[Wed, 22 Jun 2022 15:50:20 GMT] : @azure/msal-node@1.9.1 : Info - getTokenCache called
Retrieving new access token using credentials...
[Wed, 22 Jun 2022 15:50:20 GMT] : @azure/msal-node@1.9.1 : Info - acquireTokenByUsernamePassword called
[Wed, 22 Jun 2022 15:50:20 GMT] : @azure/msal-node@1.9.1 : Verbose - initializeRequestScopes called
[Wed, 22 Jun 2022 15:50:20 GMT] : [b281d126-ebb6-4939-9615-8f1da061608a] : @azure/msal-node@1.9.1 : Verbose - buildOauthClientConfiguration called
[Wed, 22 Jun 2022 15:50:20 GMT] : [b281d126-ebb6-4939-9615-8f1da061608a] : @azure/msal-node@1.9.1 : Verbose - building oauth client configuration with the authority: https://login.microsoftonline.com/c55bd10c-6b74-4cf0-8a3f-48a5016d1997
[Wed, 22 Jun 2022 15:50:20 GMT] : [b281d126-ebb6-4939-9615-8f1da061608a] : @azure/msal-node@1.9.1 : Verbose - createAuthority called
[Wed, 22 Jun 2022 15:50:21 GMT] : [b281d126-ebb6-4939-9615-8f1da061608a] : @azure/msal-node@1.9.1 : Verbose - Username password client created
[Wed, 22 Jun 2022 15:50:21 GMT] : [b281d126-ebb6-4939-9615-8f1da061608a] : @azure/msal-common@6.4.0 : Info - in acquireToken call
Error: ClientAuthError: network_error: Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token
    at ClientAuthError.AuthError [as constructor] (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:493:24)
    at new ClientAuthError (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:787:28)
    at Function.ClientAuthError.createNetworkError (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:830:16)
    at NetworkManager. (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:3374:51)
    at step (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:79:23)
    at Object.throw (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:60:53)
    at rejected (/usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/index.cjs.js:51:65)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  errorCode: 'network_error',
  errorMessage: 'Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token',
```

CLI for Microsoft 365 version

5.4.0

nodejs version

17.3.1

Operating system (environment)

Linux

Shell

bash

cli doctor

No response

Additional Info

No response

Dangerous-Mind commented 2 years ago

We got this error also.

In our case the issue was a password with a special char. It seems that the new version does not support "#" char.

waldekmastykarz commented 2 years ago

@crispinboylan-int thank you for letting us know of the issue and we'll get on it asap.

@Dangerous-Mind was the # at the beginning of your password or in the middle? Have you wrapped the password in double quotes?

Dangerous-Mind commented 2 years ago

The # was at the beginning of the password. I started getting the error in dev ops. The password was a variable so I can't tell if it uses the double quotes.

I then tried on PowerShell with single quotes, double quotes, no quotes and got the same messages.

On Azure, enterprise applications, I checked the logs and it had several failed connections with invalid password. I then changed the password to another one still with the # and got the same error. After removing the # it started working.

crispinboylan-int commented 2 years ago

no # in our password but there is a $ and a !

Dangerous-Mind commented 2 years ago

We have another service with a ! on the password and it was not affected.

waldekmastykarz commented 2 years ago

Thank you for the additional information. What I meant with double quotes is if you wrapped the password in the command line, like:

```shell
m365 login --password $password
```

vs.

```shell
m365 login --password "$password"
```

crispinboylan-int commented 2 years ago

for us we were already putting the password in quotes to avoid the dollar being interpreted as the start of a variable.

waldekmastykarz commented 2 years ago

Got it. Let's see if we can reproduce it which would help us to understand what's wrong. I appreciate your help and patience.

SharePointX commented 2 years ago

I also reproduced it in my Azure DevOps CI/CD pipeline.

I just tried it in my local environment. It reproduces with npm install -g @pnp/cli-microsoft365. It does not reproduce with npm install -g @pnp/cli-microsoft365@5.3.0.

Do you need any information to help?

Dangerous-Mind commented 2 years ago

```shell
m365 login --password $password
```

vs.

```shell
m365 login --password "$password"
```

Hi, Something like m365 login --password "$(pass)" .... The password is a variable inside a Dev Ops library.

I tried the same command on PowerShell with single quotes, double quotes and without quotes always receiving the same reply. 400.

Like @SharePointX said it only happens on the new version of cli.

Probably something to do with msal since also they have a new version. There is also a bug with the error messages reported in msal that are misleading. https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4878

waldekmastykarz commented 2 years ago

I think we have enough information to investigate what's the culprit. Thank you @Dangerous-Mind for the pointer on MSAL, we'll check it out too.

@SharePointX what's the password pattern that you're working with? Also # at the beginning?

SharePointX commented 2 years ago

@waldekmastykarz It starts with '3', contains two '@' in the middle, and ends with 'n'. My password is 28 characters long and is a mixture of numbers, uppercase and lowercase letters. I could not find any other characteristics. It is a creepy string generated by a password generator.

I had no problems with that password last month.

waldekmastykarz commented 2 years ago

I can confirm that @ in the password causes the login command to fail. I'll check next if there's anything that we could do about it.

waldekmastykarz commented 2 years ago

This line seems to be the culprit:

https://github.com/pnp/cli-microsoft365/blob/4e973d950c2f806fae20545cf61efc566d186295/src/Auth.ts#L397

By removing the encoding, all seems to work as intended. I'll submit a PR and merge it asap.
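
An added example, not part of the original thread or the project's code, of how percent-encoding a password before the HTTP layer form-encodes it again changes the secret the token endpoint receives. It assumes the removed encoding behaved like `encodeURIComponent()`; the function names and sample passwords are constructed for illustration.

```javascript
// Added example (not CLI for Microsoft 365 or MSAL code). Assumption: the
// "encoding" removed in the fix was a percent-encoding step equivalent to
// encodeURIComponent(), applied before the HTTP layer form-encodes the body.

// Build the x-www-form-urlencoded body of a password-grant token request.
// URLSearchParams percent-encodes every value exactly once.
function tokenRequestBody(username, password) {
  return new URLSearchParams({
    grant_type: 'password',
    username,
    password,
  }).toString();
}

// What the token endpoint sees after decoding the form body once.
function passwordSeenByServer(body) {
  return new URLSearchParams(body).get('password');
}

// Regressed behaviour: caller pre-encodes, transport encodes again.
function doubleEncodedLogin(username, password) {
  return passwordSeenByServer(tokenRequestBody(username, encodeURIComponent(password)));
}

// Fixed behaviour: pass the raw secret, let the transport encode once.
function singleEncodedLogin(username, password) {
  return passwordSeenByServer(tokenRequestBody(username, password));
}

// A password is affected only if encodeURIComponent() changes it.
// Left unchanged by it: A-Z a-z 0-9 - _ . ! ~ * ' ( )
function affectedByDoubleEncoding(password) {
  return encodeURIComponent(password) !== password;
}

// Constructed sample passwords, one per character reported in the thread.
const samples = ['#lead1ngHash', 'mid@dle@at', 'dollar$and!bang', 'only!bang'];
for (const pw of samples) {
  console.log(JSON.stringify({
    password: pw,
    affected: affectedByDoubleEncoding(pw),
    serverSeesWhenDoubleEncoded: doubleEncodedLogin('user@example.com', pw),
    serverSeesWhenFixed: singleEncodedLogin('user@example.com', pw),
  }));
}
```

Under this assumption, passwords containing `#`, `@` or `$` reach the server altered, while a password whose only special character is `!` is unchanged, which matches the pattern of reports above.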

waldekmastykarz commented 2 years ago

We've merged an issue for this fix and will include it in the next release end of August. You can try the fix early by installing the beta version using npm i -g @pnp/cli-microsoft365@next. Once again, thank you for reporting the issue and all your help in getting to the bottom of it.

Phyxsius7 commented 2 years ago

Even when I use @pnp/cli-microsoft365@next the following password is giving me issues: m365 login --authType password --userName my.myname@myhat.com --password ",K:mV!mrIRV!2q@6"

Am I missing something?

martinlingstuyl commented 2 years ago

@Phyxsius7 Could you check if you already consented to the PnP management shell app for this user: the easiest route to check that is to sign in using the normal flow: m365 login.

Also: I assume you have disabled MFA and your account is not using hybrid federation.