
[Bug] Regression in 4.55.0 - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...)


Which version of MSAL.NET are you using? Issue occurs upgrading to 4.55.0 from 4.54.1

Platform: .NET 6.0

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive (broker)
    • Interactive (embedded or system browser)
    • Integrated Windows Authentication
    • Username / Password
    • Device code (browserless)
  • Web app
    • Authorization code
    • On-Behalf-Of
  • Daemon app
    • Client credentials (service-to-service calls)

Other? I see this issue with authorization code and device code flow when using an ADFS authority; perhaps all flows with user interaction. Note that other flows like service principal auth when using an ADFS authority are working fine:

[image: screenshot not captured]

Note that the above failures occur whether we use MSAL .WithAuthority() or .WithAdfsAuthority() when constructing the client. We never call .withTenantId(…) directly.

Is this a new or existing app? The app is in production, I haven’t upgraded MSAL, but started seeing this issue.

Repro

using Microsoft.Identity.Client;

// Public client configured with an ADFS authority; GetInstanceDiscoveryMetadata
// is a helper defined elsewhere in the reporter's code.
var builder = PublicClientApplicationBuilder
    .Create(clientId)
    // same result from using WithAdfsAuthority
    .WithAuthority(authority, validateAuthority: false)
    .WithInstanceDiscoveryMetadata(GetInstanceDiscoveryMetadata(authority))
    .WithRedirectUri(redirectUri);

var client = builder.Build();

// Interactive sign-in; the exception below is thrown after the token response
// has been received, while it is being saved to the cache.
var result = await client
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync();

Actual behavior: Exception is thrown after receiving token response:

Message:  Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace:  Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant) Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId) TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams) ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response) CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse) RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse) InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken) RequestBase.RunAsync(CancellationToken cancellationToken) PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken) MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359 MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303 — End of stack trace from previous location —

Expected behavior: Should return the token.

Possible solution

Additional context / logs / screenshots / links to code: Logs (edited to remove secrets; contains fake PII):

Microsoft.AzureStack.Identity.Web.Tests.MsalTests.CanAcquireToken_UsingAuthorizationCode(authority: “https://localhost:3001/adfs”)  Source: MsalTests.cs line 301  Duration: 5 sec

Message:  Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace:  Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant) Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId) TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams) ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response) CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse) RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse) InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken) RequestBase.RunAsync(CancellationToken cancellationToken) PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken) MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359 MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303 — End of stack trace from previous location —

Standard Output:  [MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL MSAL.NetCore with assembly version ‘4.55.0.0’. CorrelationId(4c14c9ea-13be-4117-8d23-0d5f49c21197)

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data === LoginHint provided: False User provided: False UseEmbeddedWebView: System ExtraScopesToConsent: Prompt: not_specified HasCustomWebUi: False

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Request Data === Authority Provided? - True Client Id - e68c40a5-a8e5-4250-bbea-5b43ab18cf0d Scopes - https://arm.asz/.default Redirect Uri - http://localhost Extra Query Params Keys (space separated) - ClaimsAndClientCapabilities - Authority - https://localhost:3001/adfs/ ApiId - AcquireTokenInteractive IsConfidentialClient - False SendX5C - False LoginHint - IsBrokerConfigured - False HomeAccountId - CorrelationId - 4c14c9ea-13be-4117-8d23-0d5f49c21197 UserAssertion set: False LongRunningOboCacheKey set: False Region configured:

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Token Acquisition (InteractiveRequest) started: Authority: https://localhost:3001/adfs/ Scope: https://arm.asz/.default ClientId: e68c40a5-a8e5-4250-bbea-5b43ab18cf0d

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Instance Discovery] Skipping Instance discovery for non-AAD authority.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Using system browser.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Listening for authorization code on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Processing a response message to the browser. HttpStatus:OK

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HttpListner received a message on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] An authorization code was retrieved from the /authorize endpoint.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Exchanging the auth code for tokens.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data === LoginHint provided: False User provided: False UseEmbeddedWebView: System ExtraScopesToConsent: Prompt: not_specified HasCustomWebUi: False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting TokenClient:SendTokenRequestAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Token Client] Fetching MsalTokenResponse …

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [Oauth2Client] Sending POST request

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [HttpManager] ExecuteAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Sending request. Method: POST. URI: https://localhost:3001/adfs/oauth2/token.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Received response. Status code: OK.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [HttpManager] ExecuteAsync in 501 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [Oauth2Client] Sending POST request in 505 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [OAuth2Client] Deserializing response

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [OAuth2Client] Deserializing response in 14 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished TokenClient:SendTokenRequestAsync in 531 ms

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Checking client info returned from the server…

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Saving token response to cache…

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [MsalTokenResponse] Error: ErrorDescription: Scopes: https://arm.asz/.default offline_access openid profile ExpiresIn: 4620 RefreshIn: AccessToken returned: True AccessToken Type: bearer RefreshToken returned: True IdToken returned: True ClientInfo: FamilyId: WamAccountId exists: False

[MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL.NetCore.4.55.0.0.MsalClientException: ErrorCode: tenant_override_non_aad Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level. at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant) at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId) at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams) at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response) at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse) at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse) at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)


Top GitHub Comments

keystroke commented, Jul 25, 2023

Tagging @bgavrilMS, if you want to provide private drop I can verify as well before any hotfix

bgavrilMS commented, Jul 27, 2023

Does not seem to repro on our test bed, where we use a non-localhost name for the ADFS authority. Will reach out for help repro-ing this. I am not able to repro via unit test with “https://localhost:3000/adfs” as authority.

The error message suggests MSAL mis-parses the authority uri and thinks it’s an AAD authority.
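A simplified model of the authority handling behind the stack trace in the issue and the mis-parsing hypothesis in the comment above, as an added example that is not MSAL's code: authority type is decided by the first path segment, so a localhost ADFS authority is still ADFS, and a tenant taken from the id_token may only be applied to an AAD authority. All names are hypothetical and the unguarded variant is a reading of the stack trace, not the library's real implementation.

```csharp
// Added example with hypothetical names, not MSAL's own code.
using System;
public enum AuthorityType { Aad, Adfs, B2C }
public static class AuthorityModel
{
    // Classify by the first path segment only; the host name is irrelevant,
    // so https://localhost:3001/adfs/ is ADFS even though it is localhost.
    public static AuthorityType GetAuthorityType(string authority)
    {
        var segments = new Uri(authority).AbsolutePath
            .Split('/', StringSplitOptions.RemoveEmptyEntries);
        var first = segments.Length > 0 ? segments[0].ToLowerInvariant() : "";
        return first == "adfs" ? AuthorityType.Adfs
             : first == "tfp" ? AuthorityType.B2C
             : AuthorityType.Aad;
    }

    // Behaviour matching the stack trace: the tenant taken from the id_token is
    // applied unconditionally, and the AAD-only guard then throws for ADFS.
    public static string TenantedAuthorityUnguarded(string authority, string tenantId)
    {
        if (GetAuthorityType(authority) != AuthorityType.Aad)
            throw new InvalidOperationException(
                "WithTenantId can only be used when an AAD authority is specified.");
        return ReplaceTenant(authority, tenantId);
    }

    // Guarded variant: only AAD authorities carry a tenant segment, so ADFS and
    // B2C authorities are returned exactly as configured.
    public static string TenantedAuthorityGuarded(string authority, string tenantId) =>
        GetAuthorityType(authority) == AuthorityType.Aad
            ? ReplaceTenant(authority, tenantId) : authority;

    // Swap the tenant segment of an AAD authority: scheme://host[:port]/tenant/
    private static string ReplaceTenant(string authority, string tenantId)
    {
        var uri = new Uri(authority);
        return $"{uri.Scheme}://{uri.Authority}/{tenantId}/";
    }
    public static void Main()
    {
        const string adfs = "https://localhost:3001/adfs/", tid = "tid-from-id-token";
        const string aad = "https://login.microsoftonline.com/common/";
        Console.WriteLine(GetAuthorityType(adfs) + " -> " + TenantedAuthorityGuarded(adfs, tid));
        Console.WriteLine(GetAuthorityType(aad) + " -> " + TenantedAuthorityGuarded(aad, tid));
        try { TenantedAuthorityUnguarded(adfs, tid); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Running it prints the ADFS authority unchanged by the guarded path and the AAD-only error from the unguarded path, which is the difference a fix for this regression has to make.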

