[Bug] netcore_daemon sample not working
Which Version of MSAL are you using? 4.7.1
Platform: netcoreapp3.0
What authentication flow has the issue? Device code flow (browserless)
Is this a new or existing app? This is a straight download of https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon ; the only changes are setting the Tenant, ClientId and ClientSecret in appsettings.json.
Repro: Follow the steps from https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon, which are summarized as:
- Download the sample.
- Register a new app on the Azure portal.
- Create a client secret for it.
- Add User.Read.All to its API and grant it admin consent.
- Populate appsettings.json with the Tenant, ClientId and ClientSecret generated by the portal page.
- Run the app.
Expected behavior: The app outputs a list of users in the tenant.
Actual behavior: The app fails; after enabling logging, it outputs:
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) MSAL MSAL.NetCore with assembly version '4.7.1.0'. CorrelationId(6a1c22a2-cafa-40dc-bada-f3d366651994)
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0)
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com/.default
Extra Query Params Keys (space separated) -
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) === Token Acquisition (ClientCredentialRequest) started:
Authority Host: login.microsoftonline.com
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Looking up access token in the cache.
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Filtering by tenant id item count before 0 after 0
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) No matching entry found for user or assertion
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Fetching instance discovery from the network from host login.microsoftonline.com
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Resolving authority endpoints... Already resolved? - FALSE
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:08 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) ScopeSet was missing from the token response, so using developer provided scopes in the result.
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:09 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Checking client info returned from the server..
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:09 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Saving Token Response to cache..
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:09 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Looking for scopes for the authority in the cache which intersect with https://graph.microsoft.com/.default
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:09 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) Intersecting scope entries count - 0
MSAL Info False (False) MSAL 4.7.1.0 MSAL.NetCore Microsoft Windows 10.0.18363 [11/24/2019 17:25:09 - 6a1c22a2-cafa-40dc-bada-f3d366651994] (UnknownClient: 0.0.0.0) === Token Acquisition finished successfully. An access token was returned with Expiration Time: 11/24/2019 18:25:08 +00:00 ===
Token acquired
Failed to call the Web Api: Forbidden
Content: {
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "524235d5-5faf-4b54-9b4b-2109df8c5e51",
      "date": "2019-11-24T17:25:09"
    }
  }
}
I’ve played around with this for a while, but I don’t know why it’s not working. The token should be good for the registered app, and the registered app should have the relevant privilege. I’ve tried adding force refresh, but it doesn’t seem to change anything.
Issue Analytics
- Created 4 years ago
- Comments: 9 (4 by maintainers)
Top GitHub Comments
Hey, wait… looking at our screenshots, the “type” field is “application” for you and “delegate” for me. Is that relevant? I’m off to search about it…
Edit: all right! I read up about that, and after sorting out the issue, it works.
I wish I could recommend some change to allow detecting this situation and warning the user, but I can’t think of how that would be possible…
Thanks for your assistance!
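The situation worked out in the comment above (a token is issued, yet Graph answers 403 because the permission was added as Delegated rather than Application) can be spotted by inspecting the token's claims before calling the API. This is an added example, not code from the issue or the quickstart sample; `AppTokenCheck`, `Diagnose` and `MakeToken` are hypothetical names, the sample tokens are constructed, and it assumes the access token is a JWT whose application permissions are listed in the `roles` claim.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class AppTokenCheck
{
    // Decode the JWT payload for diagnostics only; the signature is NOT validated here.
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // Application permissions granted to a daemon appear in the "roles" claim;
    // delegated permissions only ever appear in "scp" of user tokens.
    public static string Diagnose(string accessToken, string requiredRole)
    {
        JsonElement claims = DecodePayload(accessToken);
        if (!claims.TryGetProperty("roles", out JsonElement roles) ||
            roles.ValueKind != JsonValueKind.Array)
            return "no 'roles' claim: no Application-type permission is consented; " +
                   $"add {requiredRole} as Application (not Delegated) and grant admin consent";
        bool found = roles.EnumerateArray().Any(r =>
            r.ValueKind == JsonValueKind.String && r.GetString() == requiredRole);
        return found
            ? $"ok: token carries application permission {requiredRole}"
            : $"'roles' present but {requiredRole} is missing";
    }

    // Constructed sample token: header "{}", unsigned, payload as given.
    static string MakeToken(string payloadJson) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // Constructed payloads, not real tokens.
        string noRoles = MakeToken("{\"aud\":\"https://graph.microsoft.com\"}");
        string withRole = MakeToken("{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"User.Read.All\"]}");
        Console.WriteLine(Diagnose(noRoles, "User.Read.All"));
        Console.WriteLine(Diagnose(withRole, "User.Read.All"));
    }
}
```

In the sample, the call would go right after the token is acquired, passing the `AccessToken` string of the MSAL result.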
Yes: