Comments (28)
This is a configuration issue, @Druffl3
you need to set the Default client type for public client apps to Yes. See https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris
from azure-activedirectory-library-for-dotnet.
Ok, at least here we can see the error.
Your tenant has a device policy enabled. Currently MSAL is not able to satisfy device policies on UWP (you can do it on .net fwk because you can use a system browser, but UWP does not allow system browsers).
To satisfy device policies, you need to use WAM (Web Authentication Manager). We are currently working on integrating WAM into MSAL, tracking issue here. This is pretty complex and it will take a while.
So you have a few options:
- wait for us to complete the work
- use WAM on your own (sample code here)
- disable the CA policy until WAM integration is complete
Thank you @jmprieur and @bgavrilMS , this resolved the issue with my ADAL UWP application. I will pay heed to your words and migrate to MSAL as soon as WAM works fine.
@Druffl3 : did you look at the following sample?
https://github.com/azure-samples/active-directory-dotnet-native-multitarget
Note that it's archived because we recommend our customers to move to MSAL.NET, instead of ADAL.NET, but you can still look at the master branch
@jmprieur , thanks for the response. I will take a look at the sample.
Right now, in my UWP applications, the AcquireTokenSilentAsync() fetches a valid token only if the already acquired token from AcquireTokenAsync() hasn't expired. If the acquired token expires then AcquireTokenSilentAsync() always fails. Is this an expected behaviour?
This is what I am trying:
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

try
{
    // Re-create the context from the authority stored with the cached item so the lookup matches it.
    // Note: this constructor uses the default shared TokenCache, not a custom one.
    if (authContext.TokenCache.ReadItems().Any())
    {
        authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().First().Authority);
    }
    // Silent first: serves a cached access token or redeems the refresh token.
    authResult = await authContext.AcquireTokenSilentAsync(graphResourceUri, clientId);
}
catch (AdalSilentTokenAcquisitionException)
{
    // No usable token in the cache (or refresh failed): fall back to the interactive flow.
    authResult = await authContext.AcquireTokenAsync(graphResourceUri, clientId, returnUri, parent);
}
Do note that the TokenCache is never empty after initial authentication.
@bgavrilMS , @jmprieur , please help me in resolving this issue. AcquireTokenSilentAsync returns the already available token in the cache and, once it has expired, it simply fails and does not return a new valid token.
@Druffl3
It is expected that if the access token has expired and it cannot be refreshed, then you'll get an AdalUiRequiredException, which you need to process by calling AcquireTokenAsync.
See https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/AcquireTokenSilentAsync-using-a-cached-token#recommended-pattern-to-acquire-a-token
Finally, we would recommend you to move away from ADAL, but use MSAL, as ADAL is on the deprecation path. A UWP example with MSAL is available here: https://github.com/azure-samples/active-directory-xamarin-native-v2 and a quickstart is available from https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-uwp
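The silent-then-interactive pattern recommended above, written for MSAL.NET on UWP as an added example (not code from the thread or from the ADAL/MSAL repositories). It assumes placeholder client and tenant ids, the "User.Read" scope, and an app registration configured as a public client; verbose logging with PII disabled is switched on so a rejected refresh (such as the AADSTS50097 device-authentication challenge seen later in this thread) shows up in the output instead of being swallowed.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenProvider
{
    // Placeholders: replace with the values from your own app registration.
    private const string ClientId = "CLIENT_ID_PLACEHOLDER";
    private const string TenantId = "TENANT_ID_PLACEHOLDER";
    private static readonly string[] Scopes = { "User.Read" };

    private static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        // Same log stream the thread pasted; PII logging stays off so account
        // identifiers and token material are never written to the debug output.
        .WithLogging((level, message, containsPii) => Debug.WriteLine($"{level} {message}"),
                     LogLevel.Verbose, enablePiiLogging: false, enableDefaultPlatformLogging: false)
        .Build();

    public static async Task<string> GetAccessTokenAsync()
    {
        var accounts = await App.GetAccountsAsync();
        IAccount account = accounts.FirstOrDefault();

        try
        {
            // Silent first: returns a cached access token, or redeems the refresh
            // token. A null account (empty cache) also ends up in the catch block,
            // because MSAL reports it as MsalUiRequiredException.
            AuthenticationResult result = await App
                .AcquireTokenSilent(Scopes, account)
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException ex)
        {
            // The token could not be obtained without user interaction (expired
            // refresh token, revoked session, or a Conditional Access challenge).
            // Fall back to interactive and forward any claims challenge the service
            // returned, so the policy is satisfied on the next round trip.
            var builder = App.AcquireTokenInteractive(Scopes)
                             .WithPrompt(Prompt.SelectAccount);
            if (account != null)
            {
                builder = builder.WithAccount(account);
            }
            if (!string.IsNullOrEmpty(ex.Claims))
            {
                builder = builder.WithClaims(ex.Claims);
            }

            AuthenticationResult result = await builder.ExecuteAsync();
            return result.AccessToken;
        }
    }
}
```

Call GetAccessTokenAsync() before every API request rather than storing the token yourself; MSAL's cache decides whether the silent path can be served locally.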
Understood @jmprieur , we will move to MSAL soon. AcquireTokenSilentAsync does fetch a valid token after the previously acquired token has expired on Android and iOS. It is just not working on UWP. What could be the reason for the refresh token to fail? Will any platform-specific configuration be required?
Hey @jmprieur , I believe the issue I am facing is similar to this #1660
cc: @bgavrilMS
I just tried this and it is working fine, so there must be a more complex repro that is happening.
If this is a new app, I strongly recommend that you switch to using MSAL. The team is prioritizing MSAL issues higher, and we will be slow to react to any ADAL issues.
Does the sample not work for you?
@bgavrilMS , I actually tried this in a sample project with a different directory configured and it worked fine for me as well. Could this issue be related to any Azure configuration mismatch for the current directory?
You can try the sample project but use your own app coordinates (client ID, scopes etc.). I am not aware of how you can block silent auth if interactive auth is working. Maybe you are
@bgavrilMS as suggested I replaced the coordinates with my own in the sample project and tested it out. AcquireTokenSilentAsync failed with the same exception :( . Will there be any particular limitation of using a federated Active Directory with an application that does not follow IWA?
@bgavrilMS @jmprieur , I apologise for not trying the ADAL loggers earlier. I added them now and it looks like the process to refresh the token is failing, just as @biozal is facing here #1631
My log:
Information 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: ADAL PCL.UAP with assembly version '5.2.7.0', file version '5.2.7.0' and informational version '5.2.7' is running...
Information 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: === Token Acquisition started:
CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (1 items)
Authentication Target: User
Verbose 2020-07-16T11:07:55.6860155Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Loading from cache.
Information 2020-07-16T11:07:55.6899983Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Deserialized 1 items to token cache.
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Looking up cache for a token...
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An item matching the requested resource was found in the cache
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A matching entry was found in the cache
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An expired or near expiry token was found in the cache
Information 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Refreshing the AT based on the RT.
Verbose 2020-07-16T11:07:55.6940028Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Refreshing access token...
Information 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:07:56.2176777Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? True
Verbose 2020-07-16T11:07:56.2176777Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Looking up certificate matching authorities:OU=xxxxxxxxxxxx,CN=MS-Organization-Access,DC=windows,DC=net
Information 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:07:56.8701239Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? False
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: TokenResponse ? True
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Error Code(s): 7000218
Information 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Re-throwing a service exception with token response details
Verbose 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Either a token was not found or an exception was thrown.
Verbose 2020-07-16T11:07:56.8741255Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Cannot invoke the broker directly, may require install ...
Verbose 2020-07-16T11:08:07.1364120Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Check and AcquireToken using broker
Verbose 2020-07-16T11:08:07.1364120Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Broker invocation is NOT required
Information 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Response status code does not indicate success: 401 (Unauthorized).
Warning 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: A service exception occurred
Information 2020-07-16T11:08:07.8928939Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: IsDeviceCode? True
Verbose 2020-07-16T11:08:07.8928939Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Looking up certificate matching authorities:OU=xxxxxxxxxxxxx,CN=MS-Organization-Access,DC=windows,DC=net
Verbose 2020-07-16T11:08:08.4825619Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: Storing token in the cache...
Information 2020-07-16T11:08:08.4860527Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Deserialized 1 items to token cache.
Verbose 2020-07-16T11:08:08.4860527Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: An item was stored in the cache
Information 2020-07-16T11:08:08.4925578Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Serializing token cache with 1 items.
Information 2020-07-16T11:08:08.4980696Z: b105f625-67f4-4216-8fe8-7238637d00b2 - AdalLoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 7/16/2020 12:08:07 PM +00:00Access Token Hash: xxxxxxxxxxxxxx
Please try to move to MSAL as ADAL is end of life
@bgavrilMS , I migrated to MSAL and I get an invalid_grant error upon AcquireTokenInteractive in UWP.
7/28/2020 6:34:51 PM
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:12 - c4090f63-9bf1-498b-be67-ba7481c30ca6] GetAccounts found 0 RTs and 0 accounts in MSAL cache.
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - c4090f63-9bf1-498b-be67-ba7481c30ca6] GetAccounts found 0 RTs and 0 accounts in MSAL cache after environment filtering.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] MSAL MSAL.UAP with assembly version '4.16.1.0'.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13]
=== Request Data ===
Authority Provided? - True
Client Id - xxxxx
Scopes - xxxxxx
Redirect Uri - xxxxx
Extra Query Params Keys (space separated) -
ClaimsAndClientCapabilities -
Authority - xxxx
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint -
IsBrokerConfigured - False
HomeAccountId -
Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13] === Token Acquisition (InteractiveRequest) started:
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
Info (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:13 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Fetching instance discovery from the network from host login.microsoftonline.com. Endpoint https://login.microsoftonline.com/common/discovery/instance
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True
Verbose (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:14 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Resolving authority endpoints... Already resolved? - FALSE
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] An authorization code was retrieved from the /authorize endpoint.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Exchanging the auth code for tokens
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Response status code does not indicate success: 401 (Unauthorized).
Warning (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:36 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] Request retry failed.
Info (False) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:37 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] HttpStatusCode: 401: Unauthorized
Error (True) MSAL 4.16.1.0 MSAL.UAP N/A [07/28/2020 13:05:37 - 61f40c50-8756-4a39-bf9f-46499d6b1f82] MSAL.UAP.4.16.1.0.MsalUiRequiredException:
ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50097: Device authentication is required.
Trace ID: 3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00
Correlation ID: 61f40c50-8756-4a39-bf9f-46499d6b1f82
Timestamp: 2020-07-28 13:05:36Z
StatusCode: 401
ResponseBody: {"error":"invalid_grant","error_description":"AADSTS50097: Device authentication is required.\r\nTrace ID: 3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00\r\nCorrelation ID: 61f40c50-8756-4a39-bf9f-46499d6b1f82\r\nTimestamp: 2020-07-28 13:05:36Z","error_codes":[50097],"timestamp":"2020-07-28 13:05:36Z","trace_id":"3aca27d3-5f6e-4587-a1b8-3f1fe06c9f00","correlation_id":"61f40c50-8756-4a39-bf9f-46499d6b1f82","error_uri":"https://login.microsoftonline.com/error?code=50097"}
Headers: client-request-id: 61f40c50-8756-4a39-bf9f-46499d6b1f82
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Cache-Control: no-store, no-cache
Set-Cookie: fpc=xxxxx; expires=Thu, 27-Aug-2020 13:05:36 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly; SameSite=None
Date: Tue, 28 Jul 2020 13:05:36 GMT
WWW-Authenticate: PKeyAuth CertAuthorities=xxxxxx
x-ms-ests-server: 2.1.10877.10 - SAN ProdSlices
x-ms-request-id: xxx
X-Content-Type-Options: nosniff
Pragma: no-cache
x-ms-clitelem: 1,50097,0,,
@bgavrilMS , I tried WAM, and RequestTokenAsync failed with a 'ProviderError' response. Does WAM come with an inbuilt logger like ADAL/MSAL? If yes, could you please direct me towards a reference?
Sorry @Druffl3 WAM is a Windows component, my team doesn't own it. I have a PR opened with some integration on .net 45, but it will take some time for me to integrate it.
You can check the error message wamResponse.ResponseError.ErrorMessage; for more details.
Hi @bgavrilMS , I managed to get the cause of the error:
ProviderError
3399614473
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
That's an error returned by the AAD service, here's how I build my token request: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/f7fec85283fd8c0f11bc377bd3b3bd3b25eb425c/src/client/Microsoft.Identity.Client/Platforms/netdesktop/Broker/AadPlugin.cs#L101
@jmprieur , from the reference link you have shared, setting Default client type to Yes would mean that my application doesn't require a redirect URI. Now, I have a single app registered with my tenant, which I use with Android, iOS and UWP. Both iOS and Android require redirect URIs, so wouldn't setting Default client type to Yes hamper the login flow for these two platforms? It is also noted here https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-uwp-considerations that
On the UWP platform, the underlying WAB implementation doesn't work correctly in enterprise scenarios where conditional access is enabled. Users see symptoms of this problem when they try to sign in by using Windows Hello. When the user is asked to choose a certificate:
- The certificate for the PIN isn't found.
- After the user chooses a certificate, they aren't prompted for the PIN.
You can try to avoid this issue by using an alternative method such as username-password and phone authentication, but the experience isn't good.
Now with the ADAL non-IWA flow as well, the token is acquired after the username-password flow. And when I attempted to fetch the token silently using AcquireTokenSilentAsync after token expiry, it failed with the same exception:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: xxx\r\nCorrelation ID: xxxx\r\nTimestamp: 2020-05-06 17:23:15Z","error_codes":[7000218],"timestamp":"2020-05-06 17:23:15Z","trace_id":"xxxx","correlation_id":"xxxx","error_uri":"https://login.microsoftonline.com/error?code=7000218"}: Unknown error
Does this mean that I will have to register a separate app with my tenant just for UWP usage, so that I can set Default client type to Yes?
@Druffl3, you don't need to register another app if you have only public client applications (desktop/mobile), which iOS, Android and UWP are. You can just set Default client type to true.
Also, @Druffl3 : we recommend you move to MSAL.NET (ADAL.NET is on the deprecation path)
The corresponding sample is there: https://github.com/azure-samples/active-directory-xamarin-native-v2
@jmprieur , I did move to MSAL.NET, and as conveyed by @bgavrilMS , it has a challenge when conditional access policies are enabled. At his suggestion I moved to WAM, where the above-mentioned error was thrown. Therefore I am back to square one in fixing the issue with the tenant. Hopefully setting Default Client Type to Yes solves it.
That's an error returned by the AAD service, here's how I build my token request: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/f7fec85283fd8c0f11bc377bd3b3bd3b25eb425c/src/client/Microsoft.Identity.Client/Platforms/netdesktop/Broker/AadPlugin.cs#L101
@bgavrilMS , after setting Default Client Type to Yes, the client_secret issue got resolved but it threw another error:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'xxxxx'.
Nowhere in the code did I pass the return URI, and I don't see it being passed in your implementation either. Am I missing something?
Thank you for following up @Druffl3