Description
Library version used
4.66.1.0
.NET version
8.0.10
Scenario
ConfidentialClient - web api (AcquireTokenOnBehalfOf)
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
We were asked to open this issue by Microsoft support. We have three identically configured Azure web apps (development, test, production). On development and production, calls to MS Graph fail. Here is what we log:
```text
dbug: UnifiedSmartPortal.Services.UserService[0] [CallMicrosoftGraph] Calling Microsoft Graph...
info: UnifiedSmartPortal.Networking.GraphLoggingHandler[0]
MSAL Request: Method: GET, RequestUri: 'https://graph.microsoft.com/v1.0/me?$select=companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName', Version: 1.1, Content: , Headers:
{
Accept: application/json
Authorization: Bearer
FeatureFlag: 00000003
Cache-Control: no-store, no-cache
User-Agent: kiota-dotnet/1.3.4
SdkVersion: graph-dotnet-core/3.1.6 (featureUsage=00000003; hostOS=Microsoft Windows NT 10.0.20348.0; hostArch=X64; runtimeEnvironment=.NET 8.0.8;)
client-request-id: 48a0999b-d24a-49ee-ae01-bb62021e097d
}
MSAL Response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
request-id: 5fd97559-d114-4ae3-b81b-9049ca68083c
client-request-id: 48a0999b-d24a-49ee-ae01-bb62021e097d
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF0002E9D5"}}
WWW-Authenticate: Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000"
WWW-Authenticate: PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="****"
Date: Wed, 06 Nov 2024 16:35:40 GMT
Content-Type: application/json
}
{"error":{"code":"InvalidAuthenticationToken","message":"ArgumentNull","innerError":{"date":"2024-11-06T16:35:40","request-id":"5fd97559-d114-4ae3-b81b-9049ca68083c","client-request-id":"48a0999b-d24a-49ee-ae01-bb62021e097d"}}}
warn: UnifiedSmartPortal.Services.UserService[0] [CallMicrosoftGraph] MSGraph is unavailable - ArgumentNull
```
The same code works on the test instance, and multiple development machines. We have verified that test is set up the same as development and production.
Packages: Microsoft.Identity.Web 3.3.1, Microsoft.Identity.Web.GraphServiceClient 3.31, Microsoft.Kiota.Authentication.Azure 1.14.0
Relevant code snippets
```csharp
// Graph user properties requested via $select
private static readonly string[] UserProps = new string[] { "companyName", "department", "displayName", "employeeType",
    "givenName", "jobTitle", "mail", "manager", "officeLocation", "preferredName", "userPrincipalName" };
...
_logger.LogDebug("[CallMicrosoftGraph] Calling Microsoft Graph...");
// GET /me?$select=... through the injected GraphServiceClient; the bearer token
// is attached by the Microsoft.Identity.Web authentication provider
userInfo = await _graphServiceClient.Me
    .GetAsync((requestConfiguration) =>
    {
        requestConfiguration.QueryParameters.Select = UserProps;
    });
}
```
Expected behavior
This is what is logged from the same call on localhost:
```text
info: UnifiedSmartPortal.Networking.GraphLoggingHandler[0]
MSAL Request: Method: GET, RequestUri: 'https://graph.microsoft.com/v1.0/me?$select=companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName', Version: 1.1, Content: , Headers:
{
Accept: application/json
Authorization: Bearer ****
FeatureFlag: 00000003
Cache-Control: no-store, no-cache
User-Agent: kiota-dotnet/1.3.4
SdkVersion: graph-dotnet-core/3.1.6 (featureUsage=00000003; hostOS=Microsoft Windows NT 10.0.22631.0; hostArch=X64; runtimeEnvironment=.NET 8.0.10;)
client-request-id: 5f1ff492-4dfc-4077-8a59-37804945e114
}
MSAL Response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Cache-Control: max-age=0, private
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
request-id: 3c5ddd01-1b4e-4dcb-8325-7727160e8aba
client-request-id: 5f1ff492-4dfc-4077-8a59-37804945e114
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"SJ1PEPF00001C68"}}
x-ms-resource-unit: 1
OData-Version: 4.0
Date: Wed, 06 Nov 2024 13:17:10 GMT
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
}
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users(companyName,department,displayName,employeeType,givenName,jobTitle,mail,manager,officeLocation,preferredName,userPrincipalName)/$entity","companyName":"CP AHS VIRTUAL","department":"IT Clinical System Architectur","displayName":"Groves, Greg","employeeType":null,"givenName":"Greg","jobTitle":"IT-EMR Data Engineer Senior I","mail":"********@AdventHealth.com","officeLocation":"ALTAMONTE SPRINGS","userPrincipalName":"******@multihosp.net","preferredName":""}
```
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response
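The failing trace in this report shows `Authorization: Bearer` with no token where the working trace shows `Bearer ****`, and Graph answers 401 `InvalidAuthenticationToken` / `ArgumentNull`. As an added example (not the issue author's code nor part of MSAL or Microsoft.Identity.Web), a diagnostic `DelegatingHandler` that refuses to send a Graph request whose bearer header is empty and logs the `client-request-id`, so a missing on-behalf-of token surfaces locally instead of as a Graph 401; it assumes it is registered in the Graph client's handler pipeline the same way the app's existing `GraphLoggingHandler` is.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;

// Hypothetical diagnostic handler for the Graph HttpClient pipeline.
// An outgoing request with an empty "Authorization: Bearer" header is stopped
// here with an actionable message rather than being sent to Graph, which
// would reply 401 InvalidAuthenticationToken / "ArgumentNull".
public sealed class BearerTokenGuardHandler : DelegatingHandler
{
    private readonly ILogger<BearerTokenGuardHandler> _logger;

    public BearerTokenGuardHandler(ILogger<BearerTokenGuardHandler> logger)
    {
        _logger = logger;
    }

    // Kept static and public so the check can be unit-tested without a network.
    public static bool HasBearerToken(HttpRequestMessage request)
    {
        AuthenticationHeaderValue? auth = request.Headers.Authorization;
        return auth is not null
            && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrWhiteSpace(auth.Parameter);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (!HasBearerToken(request))
        {
            // Log the correlation id so this entry can be matched to the Graph trace.
            request.Headers.TryGetValues("client-request-id", out var ids);
            _logger.LogError(
                "Graph request {Uri} has no bearer token (client-request-id {Id}); " +
                "on-behalf-of token acquisition returned no access token.",
                request.RequestUri, ids is null ? "n/a" : string.Join(",", ids));
            throw new InvalidOperationException(
                "No access token attached to Graph request; check the OBO token acquisition.");
        }
        return base.SendAsync(request, cancellationToken);
    }
}
```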