OBO issues after upgrading from 1.9.0 to any other version - Network request failed.
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
1.12.1
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Confidential
Description
Our team updated the @azure/msal-node library from 1.9.0 to the latest version 1.12.1 and started seeing the following issue in the OBO flow:

```json
{"errorCode":"network_error","errorMessage":"Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/common/oauth2/v2.0/token","subError":"","name":"ClientAuthError"}
```

Switching back to version 1.9.0 lets the flow work fine again. We also tried a couple of other versions, but it seems to occur as of version 1.9.1.
Error Message
```json
{"errorCode":"network_error","errorMessage":"Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/common/oauth2/v2.0/token","subError":"","name":"ClientAuthError"}
```
Msal Logs
No response
MSAL Configuration
```javascript
msalClient.acquireTokenOnBehalfOf({
  oboAssertion: ssoToken,
  scopes: ["https://graph.microsoft.com/User.ReadBasic.All", "email", "profile", "offline_access", "openid"],
  skipCache: true,
})
```
Relevant Code Snippets
As we were unsure where this issue was coming from, I started a test project from the [on-behalf-of sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/on-behalf-of).
When I configured the two apps based on the configuration defined in the documentation, it all works fine. Once I add an extra scope in the `oboRequest` scopes property (web-api) like: `mail.read` and try the flow again, the same error occurs. In this case, it is normal that the call would fail, as the new scope wasn't yet consented to, but with version 1.9.0, you received the following error message:
```json
{"errorCode":"invalid_grant","errorMessage":"AADSTS65001: The user or administrator has not consented to use the application with ID '09eb8f9a-1515-47c6-b919-6e2fe5bb6013' named 'msal-node-webapi-sample'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 962688ba-116b-4d19-ace0-a2e27f55c000\r\nCorrelation ID: 2af9c851-aa60-4a58-8bba-60648be8c5ca\r\nTimestamp: 2022-09-06 13:57:39Z","subError":"consent_required","name":"InteractionRequiredAuthError"}
```
In versions > 1.9.0 (or the common library), some error handling is removed and prevents us from finding the root cause.
### Reproduction Steps
1. Start from the [on-behalf-of sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/on-behalf-of)
2. Do the requested configuration
3. Test your app
4. Add an additional scope in the web-api `index.js` file
5. Test it again, and it should return the error
### Expected Behavior
I would expect that updating from version `1.9.0` to any of the above versions (as they are minor) would not cause any issues for the OBO flow.
If a change was required, it would be nice for the library to return this as in version `1.9.0`.
### Identity Provider
Azure AD / MSA
### Browsers Affected (Select all that apply)
Chrome, Firefox, Edge
### Regression
_No response_
### Source
External (Customer)
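The two things the report turns on are the JWT-bearer request the OBO flow sends to the token endpoint and what happens to the Azure AD error body when that endpoint answers 400. The following is an added example, not code from the issue, the on-behalf-of sample, or msal-node itself: it builds the OBO form body and classifies a token response so that a 400 carrying an `error`/`suberror` document is reported the way the 1.9.0 output above shows (errorCode, errorMessage, subError, name), while only a reply with no parseable Azure AD error body falls back to `network_error`. The interaction-required code tables, the `ServerError` name for non-interactive failures, and the sample 400 body (field names follow Azure AD's error response; the values are placeholders) are assumptions for illustration.

```javascript
"use strict";
// Added example, not msal-node code. Models the on-behalf-of token request
// and a response classifier that keeps the Azure AD error body of a 400
// instead of collapsing it into a generic network_error.

const TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token";

// Form-encoded body for the OAuth 2.0 JWT bearer grant used by on-behalf-of
// (RFC 7523 grant_type plus Azure AD's requested_token_use=on_behalf_of).
function buildOboTokenRequest({ clientId, clientSecret, assertion, scopes }) {
  const params = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    client_id: clientId,
    client_secret: clientSecret,
    assertion, // the incoming user token (the oboAssertion in the issue)
    scope: scopes.join(" "),
  });
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// Assumed, illustrative tables of codes that mean "send the user back through
// an interactive sign-in" rather than "the service is unreachable".
const INTERACTION_REQUIRED_ERRORS = new Set(["interaction_required", "consent_required", "login_required"]);
const INTERACTION_REQUIRED_SUBERRORS = new Set([
  "consent_required", "basic_action", "additional_action", "message_only", "user_password_expired", "bad_token",
]);

// Turn an HTTP status plus raw body into a structured result. Only a reply whose
// body is not an Azure AD error document is reported as network_error.
function classifyTokenResponse(status, bodyText) {
  if (status >= 200 && status < 300) {
    return { ok: true, tokens: JSON.parse(bodyText) };
  }
  let body = null;
  try { body = JSON.parse(bodyText); } catch (_) { /* not JSON: keep body null */ }
  if (!body || typeof body.error !== "string") {
    return {
      ok: false,
      errorCode: "network_error",
      errorMessage: `Network request failed. HTTP status code ${status} | Attempted to reach: ${TOKEN_ENDPOINT}`,
      subError: "",
      name: "ClientAuthError",
    };
  }
  const subError = typeof body.suberror === "string" ? body.suberror : "";
  const interactive = INTERACTION_REQUIRED_ERRORS.has(body.error) || INTERACTION_REQUIRED_SUBERRORS.has(subError);
  return {
    ok: false,
    errorCode: body.error,
    errorMessage: body.error_description || "",
    subError,
    name: interactive ? "InteractionRequiredAuthError" : "ServerError", // assumed name
    traceId: body.trace_id || "",
    correlationId: body.correlation_id || "",
  };
}

// Constructed sample of the 400 body behind an AADSTS65001 consent error.
const SAMPLE_CONSENT_400 = JSON.stringify({
  error: "invalid_grant",
  error_description: "AADSTS65001: The user or administrator has not consented to use the application with ID '<app-id>' named 'msal-node-webapi-sample'. Send an interactive authorization request for this user and resource.",
  error_codes: [65001],
  suberror: "consent_required",
  trace_id: "<trace-id>",
  correlation_id: "<correlation-id>",
});

const demoRequest = buildOboTokenRequest({
  clientId: "<web-api-client-id>",
  clientSecret: "<client-secret>",
  assertion: "<incoming-user-jwt>",
  scopes: ["https://graph.microsoft.com/User.ReadBasic.All", "openid"],
});
console.log(demoRequest.body);
console.log(classifyTokenResponse(400, SAMPLE_CONSENT_400));
console.log(classifyTokenResponse(502, "<html>Bad Gateway</html>"));
```

Running this prints the encoded OBO body, then a `consent_required` / `InteractionRequiredAuthError` result for the 400, and a `network_error` result only for the non-JSON 502. When you see the generic `network_error` from the library, replaying the same form body with curl or the Node `fetch` client and reading the raw 400 body gives you the `error_description` the classifier above would have surfaced.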
Issue Analytics
- Created a year ago
- Comments: 7 (5 by maintainers)
Top GitHub Comments
Thanks for taking time to test it, @estruyf. Keeping this issue open until the PR is part of an official release.
Hi @bmahall, just started testing out your PR. It seems to have brought back the experience of how it was working in version 1.9.0. Thanks!