
[Bug] NullReferenceException from MSAL when using region with CCA


Logs and network traces: CorrelationId == "a95592bb-f6c4-4f96-8e09-1ed652ec76fd"

Which version of MSAL.NET are you using? 4.35.1.0

Platform

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Authentication
    • Username Password
    • Device code flow (browserless)
  • Web app
    • Authorization code
    • On-Behalf-Of
  • Daemon app
    • Service to Service calls

Other?

Is this a new or existing app? Upgrade to MSAL

Repro:

//Create CCA
var confidentialClientApplication = ConfidentialClientApplicationBuilder.Create(ClientId)
    .WithCertificate(Cert)
    .WithAzureRegion(msalRegion)
    .WithLegacyCacheCompatibility(false)
    .WithLogging(this.LogMSALMessages, Microsoft.Identity.Client.LogLevel.Warning)
    .Build();

//Acquire Token
var authenticationResult = await this.GetConfidentialClientApplication()
    .AcquireTokenForClient(scopes)
    .WithAuthority($"https://login.microsoft.com/{tenantId}") // this is the root cause of the failure
    .WithSendX5C(sendX5c)
    .ExecuteAsync()
    .ConfigureAwait(false);

Expected behavior: MSAL should acquire a token

Actual behavior: NullReferenceException

System.NullReferenceException : Object reference not set to an instance of an object. at Microsoft.Identity.Client.Region.RegionManager.IsTelemetryRecorded(ApiEvent apiEvent) at Microsoft.Identity.Client.Region.RegionManager.RecordTelemetry(ApiEvent apiEvent, String azureRegionConfig, RegionInfo discoveredRegion) …

Root cause

MSAL tries to validate that the authority at the request level is the same as the authority at the app level. Since the hosts differ, it tries to do instance discovery to find out aliases. There is no api event, so this fails.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 15 (13 by maintainers)

Top GitHub Comments

4 reactions
bgavrilMS commented, Oct 13, 2021

I think we’re at a point where we can’t support WithAuthority at the request level anymore. It’s just too complex to handle all validation scenarios, aliasing and regionalization.

We should deprecate this method and provide the WithTenant instead, which is really what people want to do anyway. Along with deprecation, we will throw an exception if both authority override and regional are used, something like "Please use WithTenant instead, WithAuthority at the request level is not compatible with WithRegional".

My only question is … what is the equivalent for B2C? What should we do there? Do we really want to change the tenant? I think not.

2 reactions
bgavrilMS commented, Oct 14, 2021

Workaround of this issue:

  • this happens only if the authority host at the app level (which defaults to "login.microsoftonline.com") is different from the authority host at the request level.
  • so the workaround is to ensure they are always the same. For example:
var confidentialClientApplication = ConfidentialClientApplicationBuilder.Create(ClientId)
    .WithCertificate(Cert)
    .WithAuthority("https://login.microsoftonline.com/common") // use whatever tenant ID you want here
    .Build();

//Acquire Token
var authenticationResult = await this.GetConfidentialClientApplication()
    .AcquireTokenForClient(scopes)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}") // the host must be the same!
    .ExecuteAsync()
    .ConfigureAwait(false);

Note: if reading the authority from a WWW-Authenticate header, it can be "login.windows.net" or "login.microsoft.com"
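The following is an added example, not code from the issue or from the MSAL.NET project, showing one way to apply the workaround above so that the host mismatch described under "Root cause" cannot occur: the app-level authority host is pinned explicitly, and any request-level authority (for instance one parsed from a WWW-Authenticate header, where the host may be login.windows.net or login.microsoft.com) is rebuilt onto that same host, keeping only its tenant segment. The `AuthorityAlignment` and `RegionalTokenClient` types, and the `AlignToAppHost` and `HostsMatch` helpers, are hypothetical names introduced here; the MSAL builder calls are the ones already shown on this page.

```csharp
// Added example (not from the issue): keep the request-level authority on the
// same host as the app-level authority before calling MSAL, so the instance
// discovery path that produced the NullReferenceException is never taken.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AuthorityAlignment // hypothetical helper type
{
    // Rebuilds an authority obtained elsewhere (e.g. from a WWW-Authenticate header)
    // onto the host of the app-level authority. Only the tenant segment is kept.
    public static string AlignToAppHost(string appAuthority, string requestAuthority)
    {
        var appUri = new Uri(appAuthority, UriKind.Absolute);
        var reqUri = new Uri(requestAuthority, UriKind.Absolute);

        // Refuse anything that is not https; an authority must never be downgraded.
        if (appUri.Scheme != Uri.UriSchemeHttps || reqUri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Authorities must use https.");

        // The first path segment is the tenant (GUID, verified domain, "common", ...).
        string tenant = reqUri.AbsolutePath.Trim('/').Split('/')[0];
        if (string.IsNullOrEmpty(tenant))
            throw new ArgumentException("Request authority carries no tenant segment.", nameof(requestAuthority));

        return $"https://{appUri.Host}/{tenant}";
    }

    public static bool HostsMatch(string authorityA, string authorityB) =>
        string.Equals(new Uri(authorityA).Host, new Uri(authorityB).Host,
                      StringComparison.OrdinalIgnoreCase);
}

public class RegionalTokenClient // hypothetical wrapper around a CCA
{
    // App-level authority pinned explicitly instead of relying on the default host.
    private const string AppAuthority = "https://login.microsoftonline.com/common";
    private readonly IConfidentialClientApplication _cca;

    public RegionalTokenClient(string clientId, X509Certificate2 cert, string azureRegion)
    {
        _cca = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(cert)
            .WithAuthority(AppAuthority)
            .WithAzureRegion(azureRegion)
            .Build();
    }

    // authorityFromHeader: the authority as parsed from a WWW-Authenticate header,
    // whose host may differ from AppAuthority's host.
    public Task<AuthenticationResult> AcquireAsync(string[] scopes, string authorityFromHeader)
    {
        string requestAuthority = AuthorityAlignment.AlignToAppHost(AppAuthority, authorityFromHeader);

        // Belt-and-braces check: fail with a message that names the cause rather than
        // letting MSAL hit the instance discovery path described in the issue.
        if (!AuthorityAlignment.HostsMatch(AppAuthority, requestAuthority))
            throw new InvalidOperationException("Request authority host differs from the app authority host.");

        return _cca.AcquireTokenForClient(scopes)
            .WithAuthority(requestAuthority) // same host as AppAuthority, only the tenant varies
            .ExecuteAsync();
    }
}
```

With this in place, `AlignToAppHost("https://login.microsoftonline.com/common", "https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47")` yields `https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47` (the tenant GUID is a constructed sample value), so the request-level and app-level hosts always agree.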
