[Bug] Regression in 4.55.0 - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...)
Which version of MSAL.NET are you using? Issue occurs upgrading to 4.55.0 from 4.54.1
Platform .NET 6.0
What authentication flow has the issue?
- Desktop / Mobile
- Interactive (broker)
- Interactive (embedded or system browser)
- Integrated Windows Authentication
- Username / Password
- Device code (browserless)
- Web app
- Authorization code
- On-Behalf-Of
- Daemon app
- Client credentials (service-to-service calls)
Other? I see this issue with authorization code and device code flow when using an ADFS authority; perhaps all flows with user interaction. Note that other flows like service principal auth when using an ADFS authority are working fine:
Note that the above failures occur whether we use MSAL .WithAuthority() or .WithAdfsAuthority() when constructing the client. We never call .withTenantId(…) directly.
Is this a new or existing app? The app is in production, I haven’t upgraded MSAL, but started seeing this issue.
Repro

```csharp
using Microsoft.Identity.Client;

// Public client against an ADFS authority (e.g. https://localhost:3001/adfs/).
// GetInstanceDiscoveryMetadata is the app's own helper (not shown).
var builder = PublicClientApplicationBuilder
    .Create(clientId)
    // same result from using WithAdfsAuthority
    .WithAuthority(authority, validateAuthority: false)
    .WithInstanceDiscoveryMetadata(GetInstanceDiscoveryMetadata(authority))
    .WithRedirectUri(redirectUri);

var client = builder.Build();

// Fails in 4.55.0 while the token response is being saved to the cache.
var result = await client
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync();
```
Actual behavior: an exception is thrown after the token response is received:
Message: Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.
Stack Trace:
  Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
  Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
  TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
  ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
  CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
  RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
  InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
  RequestBase.RunAsync(CancellationToken cancellationToken)
  PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
  MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359
  MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303
  --- End of stack trace from previous location ---
Expected behavior: should return the token.
Additional context / logs / screenshots / links to code Logs (edited to remove secrets; contains fake PII):
Microsoft.AzureStack.Identity.Web.Tests.MsalTests.CanAcquireToken_UsingAuthorizationCode(authority: “https://localhost:3001/adfs”)
Source: MsalTests.cs line 301
Duration: 5 sec
(Message and Stack Trace identical to those under "Actual behavior" above.)
Standard Output: [MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL MSAL.NetCore with assembly version ‘4.55.0.0’. CorrelationId(4c14c9ea-13be-4117-8d23-0d5f49c21197)
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data === LoginHint provided: False User provided: False UseEmbeddedWebView: System ExtraScopesToConsent: Prompt: not_specified HasCustomWebUi: False
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Request Data === Authority Provided? - True Client Id - e68c40a5-a8e5-4250-bbea-5b43ab18cf0d Scopes - https://arm.asz/.default Redirect Uri - http://localhost Extra Query Params Keys (space separated) - ClaimsAndClientCapabilities - Authority - https://localhost:3001/adfs/ ApiId - AcquireTokenInteractive IsConfidentialClient - False SendX5C - False LoginHint - IsBrokerConfigured - False HomeAccountId - CorrelationId - 4c14c9ea-13be-4117-8d23-0d5f49c21197 UserAssertion set: False LongRunningOboCacheKey set: False Region configured:
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Token Acquisition (InteractiveRequest) started: Authority: https://localhost:3001/adfs/ Scope: https://arm.asz/.default ClientId: e68c40a5-a8e5-4250-bbea-5b43ab18cf0d
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Instance Discovery] Skipping Instance discovery for non-AAD authority.
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Using system browser.
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Listening for authorization code on http://localhost:50955/
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Processing a response message to the browser. HttpStatus:OK
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HttpListner received a message on http://localhost:50955/
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] An authorization code was retrieved from the /authorize endpoint.
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Exchanging the auth code for tokens.
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data === LoginHint provided: False User provided: False UseEmbeddedWebView: System ExtraScopesToConsent: Prompt: not_specified HasCustomWebUi: False
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting TokenClient:SendTokenRequestAsync
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Token Client] Fetching MsalTokenResponse …
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [Oauth2Client] Sending POST request
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [HttpManager] ExecuteAsync
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Sending request. Method: POST. URI: https://localhost:3001/adfs/oauth2/token.
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Received response. Status code: OK.
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [HttpManager] ExecuteAsync in 501 ms
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [Oauth2Client] Sending POST request in 505 ms
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [OAuth2Client] Deserializing response
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [OAuth2Client] Deserializing response in 14 ms
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished TokenClient:SendTokenRequestAsync in 531 ms
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Checking client info returned from the server…
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Saving token response to cache…
[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [MsalTokenResponse] Error: ErrorDescription: Scopes: https://arm.asz/.default offline_access openid profile ExpiresIn: 4620 RefreshIn: AccessToken returned: True AccessToken Type: bearer RefreshToken returned: True IdToken returned: True ClientInfo: FamilyId: WamAccountId exists: False
[MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL.NetCore.4.55.0.0.MsalClientException: ErrorCode: tenant_override_non_aad Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
  at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
  at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
  at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
  at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
  at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
  at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
  at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
  at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
Comments: 8 (3 by maintainers)
Top GitHub Comments
Tagging @bgavrilMS, if you want to provide private drop I can verify as well before any hotfix
Does not seem to repro on our test bed, where we use a non-localhost name for the ADFS authority. Will reach out for help repro-ing this. I am not able to repro via unit test with “https://localhost:3000/adfs” as authority.
The error message suggests MSAL mis-parses the authority uri and thinks it’s an AAD authority.
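As an added example (not code from the MSAL.NET repository or from anyone in this thread), the C# below models the rule MSAL's documentation gives for telling an ADFS authority from an AAD one (the first path segment is "adfs"; "tfp" marks B2C; anything else is treated as AAD) and shows the guard the stack trace above is missing: a tenant taken from the id token is only a valid cache key when the authority is AAD, so for ADFS the tenant-override path must be skipped rather than thrown from. Whether MSAL 4.55.0 actually classifies "https://localhost:3001/adfs/" this way is exactly what the last comment questions; the enum, class and method names and the sample URIs are assumptions made for this illustration.

```csharp
using System;

// Added example, not MSAL.NET's own code. Models authority classification by
// the first path segment and the AAD-only tenant override; names are assumed.
public enum AuthorityKind { Aad, Adfs, B2C }

public static class AuthorityClassifier
{
    // Decide the authority kind from the URI alone. The report's authority,
    // https://localhost:3001/adfs/, must come out as Adfs regardless of host.
    public static AuthorityKind Classify(string authority)
    {
        if (!Uri.TryCreate(authority, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Authority must be an absolute https URI.", nameof(authority));

        var segments = uri.AbsolutePath.Split('/', StringSplitOptions.RemoveEmptyEntries);
        if (segments.Length == 0)
            throw new ArgumentException("Authority URI needs a path segment (tenant, 'adfs' or 'tfp').", nameof(authority));

        return segments[0].ToLowerInvariant() switch
        {
            "adfs" => AuthorityKind.Adfs,
            "tfp" => AuthorityKind.B2C,
            _ => AuthorityKind.Aad,
        };
    }

    // Choose the tenant value used to key the token cache. Only an AAD authority
    // has a per-user tenant (the id token's "tid" claim). For ADFS and B2C the
    // authority itself is the tenant, so no override is attempted and nothing
    // throws, which is the behaviour the report expects.
    public static string TenantForCache(string authority, string? idTokenTid)
    {
        var kind = Classify(authority);
        if (kind != AuthorityKind.Aad)
            return kind.ToString().ToLowerInvariant(); // e.g. "adfs": fixed, never overridden

        if (string.IsNullOrEmpty(idTokenTid))
            throw new InvalidOperationException("AAD id token has no 'tid' claim; cannot key the cache.");

        return idTokenTid;
    }

    public static void Main()
    {
        // Inputs constructed for this example; the first is the authority from the report.
        var cases = new (string Authority, string? Tid)[]
        {
            ("https://localhost:3001/adfs/", null),
            ("https://login.microsoftonline.com/organizations", "00000000-0000-0000-0000-000000000001"),
            ("https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signin/", null),
        };

        foreach (var (authority, tid) in cases)
        {
            Console.WriteLine($"{authority} -> {Classify(authority)}, cache tenant = {TenantForCache(authority, tid)}");
        }
    }
}
```

Run it as a console project on .NET 6; the first case prints "Adfs" with a fixed cache tenant, showing the decision that has to be made before any tenant override is derived from the id token. Dropping the path segment (for example passing only https://localhost:3001/) would make the classifier treat the authority as AAD, which is the kind of mis-parse the last comment suspects.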