Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Bug] Throw a better exception when ROPC is attempted with MSA account

See original GitHub issue

Which Version of MSAL are you using ? 4.22

Attempt ROPC, with authority correctly set to l.m.o/organizations. Provide an MSA username to the API.

Expected an exception explaining the root cause.

Implementation suggestion:

We could use either the “domain_name” from the userrealm call (need to confirm with MSA folks)
Or the fact that the subsequent call to GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1 fails with 406 Not Acceptable.

Actual a bad exception which causes developers to think there is a bug in MSAL

—> System.InvalidOperationException: Sequence contains no elements at System.Linq.ThrowHelper.ThrowNoElementsException() at System.Linq.Enumerable.First[TSource](IEnumerable1 source) at Microsoft.Identity.Client.WsTrust.MexDocument.SetPolicyEndpointAddresses(XContainer mexDocument) at Microsoft.Identity.Client.WsTrust.MexDocument..ctor(String responseBody) at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetMexDocumentAsync(String federationMetadataUrl, RequestContext requestContext) at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password) at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.FetchAssertionFromWsTrustAsync() at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.ExecuteAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken) at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByUsernamePasswordParameters usernamePasswordParameters, CancellationToken cancellationToken) at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder1 builder, Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalPublicClient.AcquireTokenByUsernamePasswordAsync(String[] scopes, String username, SecureString password, Boolean async, CancellationToken cancellationToken) at Azure.Identity.UsernamePasswordCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) — End of inner exception stack trace —

Issue Analytics

State:
Created 3 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

bgavrilMScommented, Nov 25, 2020

Yeah, I think approach 1 is cleaner.

0reactions

jennyf19commented, Dec 5, 2020

@rayluo that’s interesting because we do get the 406 error. We went w/option 1 based on conversation w/ests. will loop you in on the email.

Top Results From Across the Web

MsalError Class (Microsoft.Identity.Client)

Error code returned as a property in MsalException. ... Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account.

MsalError.RopcDoesNotSupportMsaAccounts Field

Resource Owner Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account. ROPC does not support MSA accounts.

When users try to login to my Web API they receive the following error: One or more errors occurred. (ROPC does not support...

There appears to be trouble with your network connection. ...

I just got this this error when creating a new Vuejs project. My internet speed is 4mb/s and I'm not behind any proxy....

netFramework/Microsoft.Identity.Client.xml 3.2.0

MSAL's httpClient will no longer throw this exception after 4.19.0 ... Password Credential (ROPC) grant attempted with an MSA (Microsoft personal) account.