[Bug] On behalf of supplier doesn't pass tenant id to silent supplier #881

Closed
q-benwillis opened this issue Nov 22, 2024 · 2 comments
Labels
Bug Something isn't working, needs an investigation and a fix confidential-client For issues related to confidential client apps
Comments

@q-benwillis

Library version used

1.17.2

Java version

17.0.11

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

It seems that when the OBO supplier attempts to acquire the token silently from the cache, it doesn't pass the Tenant ID in the SilentParameters, which means that the token cannot be found in the cache.

I'm sending OnBehalfOfParameters with the Tenant ID:

OnBehalfOfParameters.builder(scopes, userAssertion).tenant(tenantId).build

This is all I'm seeing in the logs:

2024-11-22T11:56:56.127Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : SkipCache set to false. Attempting cache lookup
2024-11-22T11:56:56.128Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : Cache lookup failed: Token not found in the cache

However, if I dig a little deeper, I can see that the cache miss is because the cached token realm doesn't match the authority tenant here. If I follow this back, I can see that the authority tenant can come from the request parameters here. However, it looks like this isn't happening because the OnBehalfOfSupplier doesn't add the tenant to the SilentParameters here.

Relevant code snippets

import com.microsoft.aad.msal4j.{OnBehalfOfParameters, UserAssertion}

val userAssertion = new UserAssertion(???) // incoming user's access token for this API
val scopes = Set(???)                      // scopes of the downstream API
val tenantId = ???                         // tenant the OBO token should be requested for

val parameters = OnBehalfOfParameters.builder(scopes, userAssertion).tenant(tenantId).build

// Call confidential client with the parameters above; the request should succeed and write the OBO token to the cache
client.acquireToken(parameters)

// Call confidential client again with the same parameters; the request does not find the previous token in the cache
client.acquireToken(parameters)

Expected behavior

The second request should be able to retrieve the token from the cache

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
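As an added illustration (not MSAL4J's code; every name and value below is constructed), a simplified Python model of the lookup described in the report: a cached OBO token is returned only when its realm equals the tenant resolved for the request, so a silent lookup that drops the per-request tenant falls back to the app's default authority tenant and misses every time.

```python
"""Constructed model of the OBO cache-first path; not MSAL4J's implementation."""
from dataclasses import dataclass, field
import hashlib


def _hash(assertion: str) -> str:
    # OBO tokens are cached per incoming user assertion (modelled here as a SHA-256).
    return hashlib.sha256(assertion.encode()).hexdigest()


@dataclass(frozen=True)
class CachedToken:
    realm: str             # tenant the token was issued for
    scopes: frozenset
    assertion_hash: str


@dataclass
class ClientApp:
    default_tenant: str    # tenant in the app's configured authority, e.g. "common"
    cache: list = field(default_factory=list)

    def authority_tenant(self, request_tenant):
        # A per-request tenant overrides the authority's tenant; None keeps the default.
        return request_tenant or self.default_tenant

    def acquire_token_obo(self, scopes, assertion, tenant):
        """Network path: token is issued for the resolved tenant and written to the cache."""
        token = CachedToken(self.authority_tenant(tenant), frozenset(scopes), _hash(assertion))
        self.cache.append(token)
        return token

    def silent_lookup(self, scopes, assertion, tenant=None):
        """Cache path: realm must equal the authority tenant resolved for this request."""
        realm, h = self.authority_tenant(tenant), _hash(assertion)
        return next((t for t in self.cache
                     if t.realm == realm and t.scopes == frozenset(scopes) and t.assertion_hash == h), None)


def obo_supplier(app, scopes, assertion, tenant, propagate_tenant):
    """propagate_tenant=False models 1.17.2: the tenant is not copied into the silent parameters."""
    hit = app.silent_lookup(scopes, assertion, tenant if propagate_tenant else None)
    return hit if hit is not None else app.acquire_token_obo(scopes, assertion, tenant)


def demo(propagate_tenant):
    """Two identical OBO calls; returns (second call was a cache hit, number of cached tokens)."""
    app = ClientApp(default_tenant="common")
    scopes, assertion, tenant = {"api://downstream/.default"}, "eyJ.constructed.assertion", "contoso-tenant-id"
    first = obo_supplier(app, scopes, assertion, tenant, propagate_tenant)
    second = obo_supplier(app, scopes, assertion, tenant, propagate_tenant)
    return second is first, len(app.cache)
```

With the tenant dropped, every call misses the cache and re-acquires a token; with it propagated, the second call is served from the cache.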

@q-benwillis q-benwillis added needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template labels Nov 22, 2024
@Avery-Dunn Avery-Dunn added Bug Something isn't working, needs an investigation and a fix confidential-client For issues related to confidential client apps and removed needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template labels Dec 3, 2024
@Avery-Dunn
Collaborator

Hello @q-benwillis, thanks for bringing this to our attention. The root cause was exactly what you described: the tenant wasn't getting added to our internal silent call, and I've just created a PR that should fix it: #886

I'll update this thread once it's released, which should be by the end of this week.

@Avery-Dunn Avery-Dunn added this to the 1.18.0 milestone Dec 10, 2024
@Avery-Dunn
Collaborator

The fix for this was released as part of 1.18.0, thanks again for letting us know about this!
