
[Bug] Improve logging and error message when the web api receives claim challenge #4496

Closed
bgavrilMS opened this issue Jan 11, 2024 · 0 comments · Fixed by #4628

Comments

@bgavrilMS (Member)

Library version used

4.58.0

.NET version

all

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

None

Issue description and reproduction steps

Better logs and error messages are needed to guide app developers to implement OBO correctly when it comes to claims challenges, MFA, etc. Note that exception messages are not logged by default, so please treat this case.

See https://portal.microsofticm.com/imp/v3/incidents/incident/457725369/summary for confused app developers

I propose changes as follows:

  1. If the error code is invalid_grant, Claims are present, and this is an OBO flow (i.e. the response contains Claims), log and throw a non-PII exception with a clear message pointing to https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/on-behalf-of-flow#handling-multi-factor-auth-mfa-conditional-access-and-incremental-consent
  2. If it's not an OBO flow but Claims are present, add a helper message and a link to https://learn.microsoft.com/en-us/entra/msal/dotnet/advanced/exceptions/msal-error-handling#conditional-access-and-claims-challenges

Alternative: create an MsalClaimsChallengeException that derives from MsalUiRequiredException to make it more clear that Claims are present.

CC @localden @neha-bhargava

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
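For context on what the proposed error message should steer developers toward, here is an added example (not code from this issue or the MSAL.NET repository) of a web API catching a claims challenge during OBO and propagating it to the calling client instead of swallowing it. It assumes an already-built `IConfidentialClientApplication`, an ASP.NET Core `HttpResponse`, and a placeholder downstream scope.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Client;

// Added example: surface an OBO claims challenge to the client rather than
// failing with an opaque 500. Scope and names are placeholders (assumptions).
public static class OboClaimsChallengeHandler
{
    public static async Task<string?> AcquireDownstreamTokenAsync(
        IConfidentialClientApplication app,   // assumed to be configured elsewhere
        string userAccessToken,               // the inbound bearer token from the caller
        HttpResponse response,
        ILogger logger)
    {
        var scopes = new[] { "api://downstream-placeholder/.default" }; // placeholder scope

        try
        {
            AuthenticationResult result = await app
                .AcquireTokenOnBehalfOf(scopes, new UserAssertion(userAccessToken))
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException ex) when (!string.IsNullOrEmpty(ex.Claims))
        {
            // The web API cannot satisfy the conditional-access policy itself; only the
            // client can re-authenticate the user. Log the error code and the fact that a
            // claims challenge was present, never the user assertion or the claims blob.
            logger.LogWarning(
                "OBO failed with error code {ErrorCode}; claims challenge present, propagating to client",
                ex.ErrorCode);

            // Claims challenge is conveyed base64-encoded in the WWW-Authenticate header so
            // the client can pass it back to MSAL via WithClaims() on its next request.
            string claimsB64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(ex.Claims));
            response.StatusCode = StatusCodes.Status401Unauthorized;
            response.Headers["WWW-Authenticate"] =
                $"Bearer realm=\"\", error=\"insufficient_claims\", claims=\"{claimsB64}\"";
            return null;
        }
    }
}
```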

@bgavrilMS added labels bug, P2, Supportability, confidential-client, public-client and removed labels untriaged, needs attention on Jan 11, 2024
@trwalke trwalke self-assigned this Jan 23, 2024
@trwalke trwalke linked a pull request Jan 24, 2024 that will close this issue
@trwalke trwalke linked a pull request Feb 15, 2024 that will close this issue
@trwalke trwalke added this to the 4.60.0 milestone Mar 7, 2024