search

pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License
927 stars 326 forks source link

m365 login: Error: post_request_failed: #6200

Open htammen opened 3 months ago

htammen commented 3 months ago

Priority

(Urgent) I can't use the CLI

Description

I installed m365 cli but cannot login with m365 login.

$ m365 version
"v7.10.0"

Steps to reproduce

Expected results

OAuth authentication should be started by opening my browser (Firefox 128.0.3) which asks me for login.

Actual results

I get this error message:

$ m365 login --debug
Executing command login with options {"options":{"debug":true,"output":"json"}}
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Info - getTokenCache called
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Info - acquireTokenByDeviceCode called
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - initializeRequestScopes called
[Mon, 29 Jul 2024 16:14:08 GMT] : [db9b872e-b47f-4793-9d1b-248714b89b34] : @azure/msal-node@2.9.1 : Verbose - buildOauthClientConfiguration called
[Mon, 29 Jul 2024 16:14:08 GMT] : [db9b872e-b47f-4793-9d1b-248714b89b34] : @azure/msal-node@2.9.1 : Verbose - createAuthority called
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Found cloud discovery metadata from hardcoded values.
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Attempting to get endpoint metadata from authority configuration
[Mon, 29 Jul 2024 16:14:08 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Mon, 29 Jul 2024 16:14:08 GMT] : [db9b872e-b47f-4793-9d1b-248714b89b34] : @azure/msal-node@2.9.1 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
[Mon, 29 Jul 2024 16:14:08 GMT] : [db9b872e-b47f-4793-9d1b-248714b89b34] : @azure/msal-node@2.9.1 : Verbose - Device code client created
Response:
{
  userCode: undefined,
  deviceCode: undefined,
  verificationUri: undefined,
  expiresIn: undefined,
  interval: undefined,
  message: undefined
}

[Mon, 29 Jul 2024 16:14:08 GMT] : [db9b872e-b47f-4793-9d1b-248714b89b34] : @azure/msal-common@14.11.0 : Info - Unexpected error in polling from the server
Error:
AuthError: post_request_failed: Post request failed from the network, could be a 4xx/5xx or a network unavailability. Please check the exact error code for details. unknown_error
    at createAuthError (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/error/AuthError.mjs:50:12)
    at DeviceCodeClient.acquireTokenWithDeviceCode (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/DeviceCodeClient.mjs:168:27)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async DeviceCodeClient.acquireToken (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/DeviceCodeClient.mjs:25:26)
    at async PublicClientApplication.acquireTokenByDeviceCode (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/PublicClientApplication.mjs:66:20)
    at async Auth.ensureAccessToken (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/dist/Auth.js:193:26)
    at async login (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:74:17)
    at async LoginCommand.commandAction (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:92:9)
    at async LoginCommand.action (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:102:9)
    at async Object.executeCommand (file:///home/htammen/.nvm/versions/node/v20.14.0/lib/node_modules/@pnp/cli-microsoft365/dist/cli/cli.js:201:9) {
  errorCode: 'post_request_failed',
  errorMessage: 'Post request failed from the network, could be a 4xx/5xx or a network unavailability. Please check the exact error code for details. unknown_error',
  subError: '',
  correlationId: 'db9b872e-b47f-4793-9d1b-248714b89b34'
}

Timings:
api: 0ms
core: 7.75798ms
command: 396.17878ms
options: 0.565499ms
total: 407.663951ms
validation: 0.499599ms
Error: post_request_failed: Post request failed from the network, could be a 4xx/5xx or a network unavailability. Please check the exact error code for details. unknown_error

Diagnostics

CLI for Microsoft 365 version

7.10.0

nodejs version

v20.14.0

Operating system (environment)

Windows

Shell

bash

cli doctor

$ m365 cli doctor
Error: Log in to Microsoft 365 first

Additional Info

No response

Adam-it commented 3 months ago

@htammen sorry to hear you are having problems with using CLI. We will look into this issue ASAP

Adam-it commented 3 months ago

@htammen by any chance are you using a pac file?

htammen commented 3 months ago

@Adam-it yes, the browser uses a pac file but in WSL I set HTTP_PROXY via env variable with the value of the resulting IP from pac file.

waldekmastykarz commented 3 months ago

Given that a regular call using curl results in a 411 I wonder if it's indicative of an issue with the machine/proxy setup rater than CLI.

martinlingstuyl commented 3 months ago

I think I have seen this behavior sometimes as well. But it's not very often. In my case I think the error message is actually descriptive of what's happening: It could be that it's polling an endpoint and failing to do so sometimes.

How about you @htammen, does this occur every time you use m365 login?

htammen commented 3 months ago

Yes, it occurs every time. Network is ok. I can send other requests, e.g. with curl, gitlab cli, github cli, jira cli, ..., without problems.

MOMED2023 commented 3 months ago

I'm also having an issue with login which seems like network issue:

  m365 login --appId *** --secret *** --tenant *** --authType secret --debug  --verbose
  shell: /usr/bin/bash -e {0}
  env:
    CLIMICROSOFT365_ENTRAAPPID: ***
    CLIMICROSOFT365_TENANT: ***

Executing command login with options {"options":{"appId":"***","secret":"***","tenant":"***","authType":"secret","debug":true,"verbose":true,"output":"json"}}
- Running command...
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Info - acquireTokenByClientCredential called
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - initializeRequestScopes called
[Tue, 27 Aug 2024 08:43:09 GMT] : [5]d-786d-4548-9b09-4ac60b11b686] : @azure/msal-node@2.9.1 : Verbose - buildOauthClientConfiguration called
[Tue, 27 Aug 2024 08:43:09 GMT] : [20f7395d-786d-4548-9b09-4ac60b11b686] : @azure/msal-node@2.9.1 : Verbose - createAuthority called
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Found cloud discovery metadata from hardcoded values.
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Attempting to get endpoint metadata from authority configuration
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Replacing tenant domain name *** with id {tenantid}
[Tue, 27 Aug 2024 08:43:09 GMT] : [20f7395d-786d-4548-9b09-4ac60b11b686] : @azure/msal-node@2.9.1 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/***/oauth2/v2.0/token.
[Tue, 27 Aug 2024 08:43:09 GMT] : [20f7395d-786d-4548-9b09-4ac60b11b686] : @azure/msal-node@2.9.1 : Verbose - Client credential client created
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Replacing tenant domain name *** with id {tenantid}
[Tue, 27 Aug 2024 08:43:09 GMT] : [] : @azure/msal-node@2.9.1 : Verbose - Replacing tenant domain name *** with id {tenantid}
[Tue, 27 Aug 2024 08:43:09 GMT] : [20f7395d-786d-4548-9b09-4ac60b11b686] : @azure/msal-common@14.11.0 : Info - Sending token request to endpoint: https://login.microsoftonline.com/***/oauth2/v2.0/token
Error:
ServerError: unknown_error: undefined - [undefined]: An unknown error occured.
Http status code: 302
Http status message: Found
Headers: {"Content-Length":"0","Location":"https://login.microsoftonline.com:443/***/oauth2/v2.0/token","Set-Cookie":"stsservicecookie=estsfd; path=/; secure; httponly","client-request-id":"88657924-bd75-4c60-a230-507927c69af8","Date":"Tue, 27 Aug 2024 08:43:09 GMT","Connection":"close"} - Correlation ID: undefined - Trace ID: undefined
    at ResponseHandler.validateTokenResponse (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-common/dist/response/ResponseHandler.mjs:99:33)
    at ClientCredentialClient.executeTokenRequest (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/ClientCredentialClient.mjs:159:25)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async ConfidentialClientApplication.acquireTokenByClientCredential (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/ConfidentialClientApplication.mjs:98:20)
    at async Auth.ensureAccessToken (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/Auth.js:193:26)
    at async login (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:74:17)
    at async LoginCommand.commandAction (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:92:9)
    at async LoginCommand.action (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:[102:9)
    at async Object.executeCommand (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/cli/cli.js:201:9)
    at async Object.execute (file:///opt/hostedtoolcache/node/20.17.0/x64/lib/node_modules/@pnp/cli-microsoft365/dist/cli/cli.js:144:9) {
  errorCode: 'unknown_error',
  errorMessage: 'undefined - [undefined]: An unknown error occured.\n' +
    'Http status code: 302\n' +
    'Http status message: Found\n' +
    'Headers: {"Content-Length":"0","Location":"https://login.microsoftonline.com:443/***/oauth2/v2.0/token","Set-Cookie":"stsservicecookie=estsfd; path=/; secure; httponly","client-request-id":"88657924-bd75-4c60-a230-507927c69af8","Date":"Tue, 27 Aug 2024 08:43:09 GMT","Connection":"close"} - Correlation ID: undefined - Trace ID: undefined',
  subError: '',
  errorNo: undefined,
  correlationId: '20f7395d-786d-4548-9b09-4ac60bb686'
}

Timings:
api: 0ms
core: 7.385956ms
command: 203.450548ms
options: 0.149415ms
total: 2.341388ms
validation: 0.498531ms
Error: unknown_error: undefined - [undefined]: An unknown error occured.
Http status code: 302
Http status message: Found
Headers: {"Content-Length":"0","Location":"https://login.microsoftonline.com:443/***/oauth2/v2.0/token","Set-Cookie":"stsservicecookie=estsfd; path=/; secure; httponly","client-request-id":"88657924-bd75-4c60-a230-507927c69af8","Date":"Tue, 27 Aug 2024 08:43:09 GMT","Connection":"close"} - Correlation ID: undefined - Trace ID: undefined
Error: Process completed with exit code 1.

It does work on a machine which doesn't have a proxy. Also, I'm able to get the access token using curl:

  curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' https://login.microsoftonline.com/***/oauth2/v2.0/token -d 'client_id=***' -d 'grant_type=client_credentials' -d 'scope=https://graph.microsoft.com/.default' -d 'client_secret=***'
  shell: /usr/bin/bash -e {0}
  env:
    CLIMICROSOFT_ENTRAAPPID: ***
    CLIMICROSOFT365_TENANT: ***

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1822  100  1648  100   174   4117    434 --:--:-- --:--:-- --:--:--  4555
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"***"}

I've also tried to set the proxy using environment variables but no change in error.

waldekmastykarz commented 2 months ago

@MOMED2023 do you have any more information for us so that we can reproduce it?

MOMED2023 commented 2 months ago

@MOMED2023 do you have any more information for us so that we can reproduce it?

Not really, Are there any other commands that I could use to get more info? curl or smthn?

waldekmastykarz commented 2 months ago

If you could please run m365 cli doctor and redact and share the output with us, that would help for sure. Also, any additional information that you could share about your environment (proxy, network settings, type of machine, etc) might help too. This seems like an issue with MSAL which facilitates auth so we need to better understand what's wrong and if it's something that MSAL supports.

MOMED2023 commented 2 months ago

If you could please run m365 cli doctor and redact and share the output with us, that would help for sure. Also, any additional information that you could share about your environment (proxy, network settings, type of machine, etc) might help too. This seems like an issue with MSAL which facilitates auth so we need to better understand what's wrong and if it's something that MSAL supports.

here is the output:

m365 cli doctor
  shell: /usr/bin/bash -e {0}
  env:
    CLIMICROSOFT365_ENTRAAPPID: ***
    CLIMICROSOFT365_TENANT: ***
- Running command...
Error: Log in to Microsoft 365 first
Error: Process completed with exit code 1.

GitHub Actions where m365 command/action based syntax is used are running on Ubuntu.

germain-italic commented 2 months ago

Did you solve it? It stopped working for me after weeks of flawless service. No config change. I don't get it.

htammen commented 2 months ago

For me nothing changed, means it still does not work. I get a new PC at work soon and hope that it then works with a new setup.

CoreJa commented 2 months ago

Same thing happens here. Nothing changed, but won't be able to login again.

In a brand new docker container:

m365 cli doctor
Error: Log in to Microsoft 365 first

In my previous okay OS:

m365 cli doctor
{
  "os": {
    "platform": "darwin",
    "version": "Darwin Kernel Version 23.6.0: Fri Jul  5 17:53:24 PDT 2024; root:xnu-10063.141.1~2/RELEASE_ARM64_T6020",
    "release": "23.6.0"
  },
  "cliVersion": "7.10.0",
  "nodeVersion": "v22.8.0",
  "cliAadAppId": <some uuid>,
  "cliAadAppTenant": "common",
  "authMode": "DeviceCode",
  "cliEnvironment": "",
  "cliConfig": {},
  "roles": [],
  "scopes": {
    "https://graph.microsoft.com": [
      "AllSites.FullControl",
      "AppCatalog.ReadWrite.All",
      "ChannelMember.ReadWrite.All",
      "ChannelMessage.Read.All",
      "ChannelMessage.Send",
      "ChannelSettings.ReadWrite.All",
      "Directory.AccessAsUser.All",
      "Directory.ReadWrite.All",
      "Group.ReadWrite.All",
      "IdentityProvider.ReadWrite.All",
      "Mail.ReadWrite",
      "Mail.Send",
      "Policy.Read.All",
      "Reports.Read.All",
      "Tasks.ReadWrite",
      "Team.Create",
      "TeamMember.ReadWrite.All",
      "TeamsApp.ReadWrite.All",
      "TeamsAppInstallation.ReadWriteForUser",
      "TeamSettings.ReadWrite.All",
      "TeamsTab.ReadWrite.All",
      "TermStore.ReadWrite.All",
      "User.Invite.All",
      "User.ReadWrite.All",
      "profile",
      "openid",
      "email"
    ]
  }
}
germain-italic commented 2 months ago

A colleague found this article

β€œWe are introducing changes on how the PnP PowerShell and CLI for Microsoft 365 can be used to connect to Microsoft 365, which might have an impact on your scripts and automation. Previously you were able to use a multi-tenant app registration called PnP Management Shell to grant the needed permissions for the scripts. This multi-tenant app registration will be, however, deleted on September 9, 2024 which might impact your existing scripts.”

After re-registering the application, the problem was eventually solved!

milanholemans commented 2 months ago

Yes, not from v9.0.0, you'll need to register your own app registration. Command m365 setup can help you to create this app registration.

germain-italic commented 2 months ago

We're still using 8 and had the issue this morning.

It's a shame that there's so little communication about such a breaking change.

However I have no idea if the fix for this morning will also fix the issue raised by OP before Sept. 9 2024.

milanholemans commented 2 months ago

I agree that it was short notice, but unfortunately, there was nothing we could do about it. We tried to communicate as much as possible about it in this short time frame, starting with this blog post https://pnp.github.io/blog/post/changes-pnp-management-shell-registration

Adam-it commented 2 months ago

Also the changes in the default login behavior and the reasoning behind it may be found in the release blog post: https://pnp.github.io/blog/cli-for-microsoft-365/cli-for-microsoft-365-v9-0/#the-new-major-version-of-cli-for-microsoft-365--v9

waldekmastykarz commented 2 months ago

We're still using 8 and had the issue this morning.

It's a shame that there's so little communication about such a breaking change.

However I have no idea if the fix for this morning will also fix the issue raised by OP before Sept. 9 2024.

We're still using 8 and had the issue this morning.

It's a shame that there's so little communication about such a breaking change.

However I have no idea if the fix for this morning will also fix the issue raised by OP before Sept. 9 2024.

Unfortunately, this change affects all versions of CLI for Microsoft 365. Because the app reg we used no longer exists, you can't authenticate using it and need to use a custom app reg instead.

saurabh-dtu commented 2 months ago

I have a node version 16.14.2 and package pnp/cli-microsoft365:6.8.0 that is using m365 in a script to download a file. Do I need to upgrade to v9 or simply re-registering will work? Need help as I have an ongoing production issue because of this script failing.

Adam-it commented 2 months ago

@saurabh-dtu you may still use an older version of CLI for Microsoft 365. But now when login in you will need to do it over you own Entra App Registration that you created before hand manually, here we have the guidance how to do that: https://pnp.github.io/cli-microsoft365/user-guide/using-own-identity and then you need to define the appId and tenantId for the login command. You may do this in two ways:

So it is still possible to use any (previous) version of CLI for Microsoft 365. In v9 we updated the default login behavior that now it will always by default check for the appId and tenant info. And we updated the setup command so that it now allows you to create such an Entra App Registration automatically

sirosc commented 1 month ago

If you had posted updated instructions in the docs it would have saved me hours of time searching.

Adam-it commented 1 month ago

If you had posted updated instructions in the docs it would have saved me hours of time searching.

Thanks for the feedback and sorry for the trouble in finding the correct guidance πŸ™. We are aware our docs needs to be updated and I think we even have an issue for the page you pointed out πŸ‘

milanholemans commented 1 month ago

Thanks for the feedback and sorry for the trouble in finding the correct guidance πŸ™. We are aware our docs needs to be updated and I think we even have an issue for the page you pointed out πŸ‘

Yes, #6343. We should really make work of it. I'll see if I can find some time somewhere this week.

saurabh-dtu commented 1 month ago

@saurabh-dtu you may still use an older version of CLI for Microsoft 365. But now when login in you will need to do it over you own Entra App Registration that you created before hand manually, here we have the guidance how to do that: https://pnp.github.io/cli-microsoft365/user-guide/using-own-identity and then you need to define the appId and tenantId for the login command. You may do this in two ways:

So it is still possible to use any (previous) version of CLI for Microsoft 365. In v9 we updated the default login behavior that now it will always by default check for the appId and tenant info. And we updated the setup command so that it now allows you to create such an Entra App Registration automatically

@Adam-it so, I asked my networking team to follow the steps mentioned https://pnp.github.io/cli-microsoft365/user-guide/using-own-identity. they come up saying that setting up the CLI App registration requires a redirect URI and they do not apply redirect URIs to App registrations due security issue by off loading the authentication and bypassing PING. What to do, any suggestion/alternative?

Adam-it commented 1 month ago

@saurabh-dtu does the networking team have a problem with any redirect URI set or are those risks mentioned specific to nativeclient ?

saurabh-dtu commented 1 month ago

@Adam-it with any redirect. I was wondering if i skip the redirection url, will it use device flow authentication? like generating a code and then authenticate on different device. I’m new to this, so I just want to clarify: If I follow the steps outlined in https://pnp.github.io/cli-microsoft365/user-guide/using-own-identity, I will need to log in interactively to Microsoft 365 using m365 login. However, if I use a service principal, I can skip this interactive login, correct? In service principal case do I need to care about redirection url?

Adam-it commented 4 weeks ago

@saurabh-dtu that is correct. If you will be login as an app using for example the certificate auth type then you don't need to setup the redirect url

waldekmastykarz commented 2 weeks ago

@saurabh-dtu that is correct. If you will be login as an app using for example the certificate auth type then you don't need to setup the redirect url

Keep in mind though, that you'd be using CLI with application permissions which might not be desirable.

To keep using the CLI using delegated permissions without a redirect URI, you could use device code flow. More information: https://learn.microsoft.com/en-us/entra/identity-platform/reply-url