
[Bug] Public Client with Broker Cannot Acquire Token Silently from the Token Cache on a Machine Never Login With WAM #4786

Closed
msJinLei opened this issue May 24, 2024 · 15 comments · Fixed by #4846

Comments

@msJinLei

msJinLei commented May 24, 2024

Library version used

  • Microsoft.Identity.Client
  • Microsoft.Identity.Client.Extensions.Msal
  • Microsoft.Identity.Client.Broker

version 4.60.3.0

.NET version

.netstandards 2.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

The user has never logged in with WAM on the machine.

  • create a public client with broker
  • run AcquireTokenWithDeviceCodeAsync
  • run AcquireTokenSilentAsync

Or

  • log in interactively with the browser beforehand
  • create a public client with broker
  • run AcquireTokenSilentAsync

Relevant code snippets

No response

Expected behavior

AcquireTokenSilentAsync should return an access token successfully, but it actually returns an error:

Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'niranjanb@xxxxx'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
136389b4-bf6a-4417-8559-aa9451eac8b8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
136389b4-bf6a-4417-8559-aa9451eac8b8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [RuntimeBroker]
ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
7caefd13-8142-4f4a-b4fb-a57f546d77f9] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] Found 1 cache accounts and 0
broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(68e20a0f-67d0-4258-92a8-5cbb42f9911f)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 68e20a0f-67d0-4258-92a8-5cbb42f9911f
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] === Token Acquisition (SilentRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0001] WARNING
SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/$tenantId/' without authority
type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] ERROR
ErrorInternalImpl:134 Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not
found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:393 Printing Telemetry for Correlation ID: 68e20a0f-67d0-4258-92a8-5cbb42f9911f
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: start_time, Value: 2024-05-21T11:14:02.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: correlation_id, Value: 68e20a0f-67d0-4258-92a8-5cbb42f9911f
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: stop_time, Value: 2024-05-21T11:14:02.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [MSAL:0002] INFO
LogTelemetryData:401 Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z] [RuntimeBroker] Could not find a
WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348  [2024-05-21 11:14:02Z -
68e20a0f-67d0-4258-92a8-5cbb42f9911f] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 68e20a0f-67d0-4258-92a8-5cbb42f9911f
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token
acquisition failed for user [email protected]. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

The related issue reported before AzureAD/microsoft-authentication-library-for-python#563
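The repro steps above (broker-enabled public client, device code sign-in, then silent acquisition), written out as an added example in MSAL.NET's own language. This is not code from the issue, from Azure PowerShell or from MSAL.NET itself. The client ID, tenant, cache file name and directory are placeholders; the scope is the one in the log. The catch block implements the workaround the reporter describes later in the thread (turning off the WAM option): it retries the silent call through a second client built without the broker option over the same persistent cache. That fallback is this example's own assumption about how to apply the workaround, and it assumes the refresh token in the cache is still valid. The error code string is the one the log shows (`wam_no_account_for_id`).

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;
using Microsoft.Identity.Client.Extensions.Msal;

// Added example: reproduces the silent-acquisition failure from the issue and
// applies the "disable the WAM option" workaround as a fallback. Not MSAL.NET code.
static class WamSilentRepro
{
    // Assumed placeholders; replace with a real app registration and tenant.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string TenantId = "organizations";
    // Scope taken from the log in the issue.
    static readonly string[] Scopes = { "https://management.core.windows.net//.default" };

    // Persistent cache (file name and directory are assumptions) shared by both clients,
    // so the silent call sees the tokens written by the device-code sign-in.
    static async Task<MsalCacheHelper> CreateCacheHelperAsync()
    {
        var props = new StorageCreationPropertiesBuilder(
            "msal_repro.cache", MsalCacheHelper.UserRootDirectory).Build();
        return await MsalCacheHelper.CreateAsync(props);
    }

    // Builds a public client with or without the broker (WAM) option.
    static IPublicClientApplication Build(bool useBroker, MsalCacheHelper cache)
    {
        var builder = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId);
        if (useBroker)
        {
            builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
        }
        var app = builder.WithDefaultRedirectUri().Build();
        cache.RegisterCache(app.UserTokenCache);
        return app;
    }

    // Step 2 of the repro: device code flow. Per the thread, this flow does not go
    // through the broker, so the resulting account lives only in the local cache.
    static Task<AuthenticationResult> SignInWithDeviceCodeAsync(IPublicClientApplication app)
    {
        return app.AcquireTokenWithDeviceCode(Scopes, dc =>
        {
            Console.WriteLine(dc.Message);
            return Task.CompletedTask;
        }).ExecuteAsync();
    }

    // Step 3 of the repro, plus the workaround from the thread as a fallback.
    static async Task<AuthenticationResult> AcquireSilentlyAsync(
        IPublicClientApplication brokerApp, IPublicClientApplication cacheOnlyApp)
    {
        var account = (await brokerApp.GetAccountsAsync()).FirstOrDefault();
        if (account == null)
        {
            throw new InvalidOperationException("No cached account; sign in first.");
        }

        try
        {
            // On MSAL 4.60.3, on a machine where the user never signed in with WAM, this
            // asks the broker first, the broker reports AccountNotFound, and MSAL throws
            // instead of falling back to the local cache (the behaviour in the log).
            return await brokerApp.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException ex) when (ex.ErrorCode == "wam_no_account_for_id")
        {
            // Workaround (assumption about how to apply "turn off the WAM option"):
            // retry through a client without the broker over the same cache.
            Console.WriteLine($"Broker has no account for this id (correlation {ex.CorrelationId}); using cache-only client.");
            return await cacheOnlyApp.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
    }

    static async Task Main()
    {
        var cache = await CreateCacheHelperAsync();
        var brokerApp = Build(useBroker: true, cache);
        var cacheOnlyApp = Build(useBroker: false, cache);

        var first = await SignInWithDeviceCodeAsync(brokerApp);
        Console.WriteLine($"Device code sign-in ok for {first.Account.Username}");

        var second = await AcquireSilentlyAsync(brokerApp, cacheOnlyApp);
        Console.WriteLine($"Silent ok, expires {second.ExpiresOn:u}, " +
            $"from cache: {second.AuthenticationResultMetadata.TokenSource == TokenSource.Cache}");
    }
}
```

To observe the failure itself rather than the fallback, remove the catch block and run on a machine (or user profile) that has never signed in through WAM: the exception's ErrorCode is the one in the log, while GetAccountsAsync still returns the cached account, which is the contradiction the issue is about.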

@msJinLei msJinLei added needs attention Delete label after triage untriaged Do not delete. Needed for Automation labels May 24, 2024
@msJinLei msJinLei changed the title [Bug] Public Client with Broker Cannot Acquire Token Silently Successfully on a Machine Never Login With WAM [Bug] Public Client with Broker Cannot Acquire Token Silently from the Token Cache on a Machine Never Login With WAM May 24, 2024
@bgavrilMS bgavrilMS added bug public-client and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels May 24, 2024
@bgavrilMS
Member

I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.

@rayluo
Contributor

rayluo commented May 24, 2024

I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.

Indeed. It can be fixed by the account_source behavior implemented in this MSAL Python PR.

@alaahusseiny

Hello, do we have someone taking care of this bug ?

@daga05

daga05 commented May 26, 2024

Hi, just following up on Alaa's reply. Do we have a contact for this bug or can we get an update? Thanks

@isra-fel
Contributor

I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.

Yeah, except for device code, we also have customers using the username+password (ROPC) flow who are impacted. Supposedly all the flows that don't involve the broker should still be able to acquire tokens silently.

@DeviJagannadh-TechDevp

Hello team, any update on this issue?

Thanks

@mbukovich

Hi team; I'm checking to see if there is any update on this issue.

@manuel-falcao-magalhaes

Hi team, just wanted to check if there's an update on this issue, please.

@bgavrilMS
Member

@iulico-1 to comment

@iulico-1
Contributor

It seems to be a behavior that existed for quite some time (since broker integration was enabled). This is a feature ask to support device code flow outside the broker. A change to support ROPC with the broker is also being considered.

@msJinLei
Author

msJinLei commented May 30, 2024

It seems to be a behavior that existed for quite some time (since broker integration was enabled). This is a feature ask to support device code flow outside the broker. A change to support ROPC with the broker is also being considered.

@iulico-1
We didn't find it earlier, as the issue can only be found on a machine without a WAM login but with the WAM option enabled.
We usually test with the following process, and so it is a limitation of the test.

  • Login with WAM
  • Test subsequent operations

But we don't expect the behavior that we cannot acquire a token silently with the broker option when there is a valid token in the cache, and so we don't test in that direction.

The issue is a blocking issue for our product. Actually, customers using the ROPC and device code flows cannot use Azure PowerShell until the issue is fixed. The only workaround is to turn off the WAM option.

@ashok672
Contributor

@msJinLei - The issue is understood now and we are actively working on the fix. Will update around mid next week on the progress and ETA for the final fix.

@msJinLei
Author

@ashok672 Thanks for letting us know! We are waiting for your progress.

@msJinLei
Author

msJinLei commented Jun 5, 2024

@ashok672 Could you update the progress of the item? Thanks

@ashok672
Contributor

ashok672 commented Jun 7, 2024

I am actively working on the fix. ETA for the fix to be checked in is by 06/14. I will see if I can release the fix as well within this time. If not, the release might take some more time, probably another 2 or 3 days.
