[Bug] Regression in 4.55.0 - MSAL fails interactive sign-in flows with ADFS when saving token response in .withTenantId(...)

[keystroke]

Which version of MSAL.NET are you using?
Issue occurs upgrading to 4.55.0 from 4.54.1

Platform
.NET 6.0

What authentication flow has the issue?

• Desktop / Mobile
  • Interactive (broker)
  • Interactive (embedded or system browser)
  • Integrated Windows Authentication
  • Username / Password
  • Device code (browserless)
• Web app
  • Authorization code
  • On-Behalf-Of
• Daemon app
  • Client credentials (service-to-service calls)

Other?
I see this issue with authorization code and device code flow when using an ADFS authority; perhaps all flows with user interaction. Note that other flows like service principal auth when using an ADFS authority are working fine:

Note that above failures occur whether we use MSAL .WithAuthority() or .WithAdfsAuthority() when cosntructing the client. We never call .withTenantId(...) directly.

Is this a new or existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue.

Repro

var builder = PublicClientApplicationBuilder
    .Create(clientId)
    // same result from using WithAdfsAuthority
    .WithAuthority(authority, validateAuthority: false)
    .WithInstanceDiscoveryMetadata(GetInstanceDiscoveryMetadata(authority))
    .WithRedirectUri(redirectUri);

var client = builder.Build();

var result = await client 
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync();

Actual behavior
Exception is thrown after receiving token response:

Message: 
Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace: 
Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
RequestBase.RunAsync(CancellationToken cancellationToken)
PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359
MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303
--- End of stack trace from previous location ---

Expected behavior
Should return the token.

Possible solution

Additional context / logs / screenshots / links to code
Logs (edited to remove secrets; contains fake PII):

 Microsoft.AzureStack.Identity.Web.Tests.MsalTests.CanAcquireToken_UsingAuthorizationCode(authority: "https://localhost:3001/adfs")
 Source: MsalTests.cs line 301
 Duration: 5 sec

Message: 
Microsoft.Identity.Client.MsalClientException : WithTenantId can only be used when an AAD authority is specified at the application level.

Stack Trace: 
Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
RequestBase.RunAsync(CancellationToken cancellationToken)
PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
MsalTests.CanAcquireToken_UsingAuthorizationCode_Core(String authority) line 359
MsalTests.CanAcquireToken_UsingAuthorizationCode(String authority) line 303
--- End of stack trace from previous location ---

Standard Output: 
[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL MSAL.NetCore with assembly version '4.55.0.0'. CorrelationId(4c14c9ea-13be-4117-8d23-0d5f49c21197)

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: System
ExtraScopesToConsent:
Prompt: not_specified
HasCustomWebUi: False

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197]
=== Request Data ===
Authority Provided? - True
Client Id - e68c40a5-a8e5-4250-bbea-5b43ab18cf0d
Scopes - https://arm.asz/.default
Redirect Uri - http://localhost
Extra Query Params Keys (space separated) -
ClaimsAndClientCapabilities -
Authority - https://localhost:3001/adfs/
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint -
IsBrokerConfigured - False
HomeAccountId -
CorrelationId - 4c14c9ea-13be-4117-8d23-0d5f49c21197
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === Token Acquisition (InteractiveRequest) started:
Authority: https://localhost:3001/adfs/
Scope: https://arm.asz/.default
ClientId: e68c40a5-a8e5-4250-bbea-5b43ab18cf0d

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Instance Discovery] Skipping Instance discovery for non-AAD authority.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Using system browser.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:07Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Listening for authorization code on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Processing a response message to the browser. HttpStatus:OK

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HttpListner received a message on http://localhost:50955/

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] An authorization code was retrieved from the /authorize endpoint.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Exchanging the auth code for tokens.

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] DefaultBrowserOptions configured. HidePrivacyPrompt False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] HtmlMessageError

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectSuccess

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] BrowserRedirectError

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: System
ExtraScopesToConsent:
Prompt: not_specified
HasCustomWebUi: False

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting TokenClient:SendTokenRequestAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [Token Client] Fetching MsalTokenResponse ....

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [Oauth2Client] Sending POST request

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [HttpManager] ExecuteAsync

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:09Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Sending request. Method: POST. URI: https://localhost:3001/adfs/oauth2/token.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] [HttpManager] Received response. Status code: OK.

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [HttpManager] ExecuteAsync in 501 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [Oauth2Client] Sending POST request in 505 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Starting [OAuth2Client] Deserializing response

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished [OAuth2Client] Deserializing response in 14 ms

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Finished TokenClient:SendTokenRequestAsync in 531 ms

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Checking client info returned from the server..

[MSAL] [Info] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] Saving token response to cache..

[MSAL] [Verbose] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197]
[MsalTokenResponse]
Error:
ErrorDescription:
Scopes: https://arm.asz/.default offline_access openid profile
ExpiresIn: 4620
RefreshIn:
AccessToken returned: True
AccessToken Type: bearer
RefreshToken returned: True
IdToken returned: True
ClientInfo:
FamilyId:
WamAccountId exists: False

[MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:04:10Z - 4c14c9ea-13be-4117-8d23-0d5f49c21197] MSAL.NetCore.4.55.0.0.MsalClientException:
ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

[keystroke]

Related to #4191 and #4144

[keystroke]

If it helps, here are the claims in the ID token that "ADFS" returns. Note that ADFS authority URL does not contain tenantId, but the iss claim appends it:

{
  "alg": "RS256",
  "kid": "[REDACTED]",
  "x5t": "[REDACTED]",
  "typ": "JWT"
}.{
  "ver": "1.0",
  "iat": 1690247050,
  "aud": "e68c40a5-a8e5-4250-bbea-5b43ab18cf0d",
  "iss": "https://localhost:3001/adfs/460afc9d-718d-40c8-8d03-9540fa56cc2c/",
  "name": "[REDACTED]",
  "oid": "[REDACTED]",
  "sub": "[REDACTED]",
  "tid": "460afc9d-718d-40c8-8d03-9540fa56cc2c",
  "unique_name": "[REDACTED]",
  "uti": "ee4c32d7-b110-4214-8132-fb0bbc232785",
  "upn": "[REDACTED]",
  "exp": 1690252449,
  "nbf": 1690247049
}

[keystroke]

Looks like this change in authority setup causing issue: 1c7e4c3

[keystroke]

Even when I change .WithAuthority to .WithAdfsAuthority, the stack trace doesn't change:

    [MSAL] [Error] True MSAL 4.55.0.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.22621 [2023-07-25 01:46:47Z - 94f33d85-fd02-44e5-a545-49f915e1c90e] MSAL.NetCore.4.55.0.0.MsalClientException:
  ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
   at Microsoft.Identity.Client.Instance.Authority.GetTenantedAuthority(String tenantId, Boolean forceSpecifiedTenant)
   at Microsoft.Identity.Client.Instance.Authority.CreateAuthorityWithTenant(AuthorityInfo authorityInfo, String tenantId)
   at Microsoft.Identity.Client.TokenResponseHelper.GetTenantId(IdToken idToken, AuthenticationRequestParameters requestParams)
   at Microsoft.Identity.Client.TokenCache.Microsoft.Identity.Client.ITokenCacheInternal.SaveTokenResponseAsync(AuthenticationRequestParameters requestParams, MsalTokenResponse response)
   at Microsoft.Identity.Client.Cache.CacheSessionManager.SaveTokenResponseAsync(MsalTokenResponse tokenResponse)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

I see from commit that the ADFS authority subclass does not override the base class anymore, probably that would be enough to fix:
1c7e4c3#diff-ef961febb44235ea63633fb173ce3e018a1a6bbb9eaba10c48383a58925591e8

Note that we should not require the use of .WithAdfsAuthority in the builder as that would be another regression (I think previously it was identified that was a bad idea and was only left in place to avoid breaking change, otherwise clients need to have ugly setup to determine how to build MSAL client with parsing authority string first and checking for adfs etc.). So not sure which authority class is "active" in flows I submitted above; hopefully both resolve to the ADFS subclass?

[keystroke]

Tagging @bgavrilMS, if you want to provide private drop I can verify as well before any hotfix

[bgavrilMS]

Will provide a drop soon, thanks for picking this up @keystroke

[bgavrilMS]

CC @jmprieur

[bgavrilMS]

Does not seem to repro on our test bed, where we use a non-localhost name for the ADFS authority. Will reach out for help repro-ing this. I am not able to repro via unit test with "https://localhost:3000/adfs" as authority.

The error message suggests MSAL mis-parses the authority uri and thinks it's an AAD authority.