AAD errors are masked by misleading "network_error" from MSAL node
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
Version 1.9.1
Wrapper Library
Not Applicable
Wrapper Library Version
none
Description
This issue is related to MSAL node and can be reproduced with any MSAL node sample. I have not tried other MSAL js flavours.
Use for example the Username-Password node sample. Configure everything but set a bad password.
Actual error:
{"errorCode":"network_error", "errorMessage":"Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/common/oauth2/v2.0/token", "subError":"", "name":"ClientAuthError"}
Expected error:
Error_code is invalid_grant
Error_description is AADSTS50055: The password is expired
{"error":"invalid_grant","error_description":"AADSTS50055: The password is expired.\r\nTrace ID: e59410c3-5316-43f7-84b9-28e298215600\r\nCorrelation ID: f8504f1a-8c13-4894-9af4-b4696246ad92\r\nTimestamp: 2022-06-08 13:50:55Z","error_codes":[50055],"timestamp":"2022-06-08 13:50:55Z","trace_id":"e59410c3-5316-43f7-84b9-28e298215600","correlation_id":"f8504f1a-8c13-4894-9af4-b4696246ad92","error_uri":"https://login.microsoftonline.com/error?code=50055","suberror":"user_password_expired"}
Note: this message is available in the HttpClient class, but it is wiped out later.
Error Message
The network error message is very misleading. It is normal for AAD to reply with 400 Bad Request, but it doesn’t indicate a network error. Network errors fall in the 5xx category (and maybe the special 429 Too Many Requests).
Msal Logs
No response
MSAL Configuration
Just use the Username-Password sample with any client_id / tenant_id and set a bad password. Or use the client_credentials sample with a bad scope or a bad secret.
Relevant Code Snippets
Username-Password sample
Client_Credentials sample.
Reproduction Steps
See description
Expected Behavior
- Error code should be copied from the error from AAD
- Error message should also be copied from the error from AAD
- Error type should indicate that this is a service error. For error types like “invalid_grant”, the error type should indicate that “Interaction is required”
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
Source
Internal (Microsoft)
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:15 (6 by maintainers)
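The expected behaviour listed in the report, sketched as an added example (not code from MSAL or from the issue author): a JSON error body from the token endpoint is surfaced with its own code, description and suberror, and a transport diagnosis is used only when no such body exists. The names `classifyTokenResponse` and `INTERACTION_CODES`, the result fields, and the set of codes treated as "interaction required" are assumptions made for this example.

```javascript
// Added example: classify a token-endpoint reply instead of masking it as network_error.
// Codes treated as "interaction required" are an assumption made for this example.
const INTERACTION_CODES = new Set(["invalid_grant", "interaction_required", "login_required", "consent_required"]);

// status: HTTP status code, or null when no response arrived (transport failure).
// bodyText: raw response body as text (may be empty or non-JSON).
function classifyTokenResponse(status, bodyText) {
  let body = null;
  try {
    body = JSON.parse(bodyText);
  } catch (_) {
    body = null; // not JSON, e.g. a proxy HTML error page
  }
  // A JSON body with a string "error" field is an answer from the identity
  // service, whatever the HTTP status: surface its own code and description.
  if (body !== null && typeof body === "object" && typeof body.error === "string") {
    return {
      kind: "service_error",
      errorCode: body.error,
      errorMessage: body.error_description || "",
      subError: body.suberror || "",
      correlationId: body.correlation_id || "",
      interactionRequired: INTERACTION_CODES.has(body.error),
    };
  }
  // No structured error: only now fall back to a transport-level diagnosis.
  const transport = status === null || status === 429 || status >= 500;
  return {
    kind: transport ? "network_error" : "unexpected_response",
    errorCode: transport ? "network_error" : "unexpected_response",
    errorMessage: status === null ? "No HTTP response received" : `HTTP status code ${status}`,
    subError: "",
    correlationId: "",
    interactionRequired: false,
  };
}

// Sample body taken from the report above (trimmed to the fields used here).
const SAMPLE_400 = JSON.stringify({
  error: "invalid_grant",
  error_description: "AADSTS50055: The password is expired.",
  error_codes: [50055],
  correlation_id: "f8504f1a-8c13-4894-9af4-b4696246ad92",
  suberror: "user_password_expired",
});

console.log(classifyTokenResponse(400, SAMPLE_400));
console.log(classifyTokenResponse(502, "<html>Bad Gateway</html>"));
console.log(classifyTokenResponse(null, ""));
```

Keeping the correlation ID in the result lets an operator match a failed sign-in against the identity provider's sign-in logs.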
Top GitHub Comments
Can confirm, I’m getting proper error messages with 1.14.1 now!
The fix was merged via https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/5175 and according to the release notes, it is available in node 1.14.1
https://github.com/AzureAD/microsoft-authentication-library-for-js/releases/tag/msal-node-v1.14.1
@bmahall @EmLauber - can we close this as done?