[Bug] Log an error if ppl perform OBO over common or organizations #4606

Closed
bgavrilMS opened this issue Feb 5, 2024 · 5 comments · Fixed by #4642
Assignees
Labels
bug ICM This issue has a corresponding ICM, either for our team or another. P2 public-client scenario:WebApi Supportability
Milestone

Comments

@bgavrilMS
Member

Library version used

4.58

.NET version

all

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

None

Issue description and reproduction steps

We keep getting issues related to OBO + guest users.

Correct pattern is:

  1. Extract tid claim from client assertion
  2. Use authority cloud/tid to perform OBO on

Actual (wrong) pattern used by many is to use cloud/common to perform OBO.

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Log.Error similar to the one we put in client_credentials

@bgavrilMS bgavrilMS added untriaged Do not delete. Needed for Automation needs attention Delete label after triage scenario:WebApi Supportability ICM This issue has a corresponding ICM, either for our team or another. public-client bug P2 and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Feb 5, 2024
@bgavrilMS bgavrilMS added this to the 4.60.0 milestone Feb 5, 2024
@pmaytak
Contributor

pmaytak commented Feb 14, 2024

As part of this we should also add a clear code snippet in our docs on how to do this:

Correct pattern is:

Extract tid claim from client assertion
Use authority cloud/tid to perform OBO on
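
The correct pattern stated in the issue body and repeated in pmaytak's comment, as an added example that is not code from the issue or from MSAL.NET itself: read the `tid` claim from the incoming (already validated) user token and direct the OBO request at that tenant instead of `/common` or `/organizations`. The class and method names are hypothetical; it assumes the `Microsoft.Identity.Client` package with the request-level `WithTenantId` builder method, and `System.Text.Json` for reading the payload.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper for a web API doing OBO; not part of MSAL.NET.
public static class TenantedObo
{
    // Returns the "tid" claim from the payload of the incoming user token.
    // The token must ALREADY have been validated (signature, issuer, audience) by the
    // web API's authentication middleware; this only reads the payload and validates nothing.
    public static string GetTenantId(string incomingJwt)
    {
        string[] parts = incomingJwt.Split('.');
        if (parts.Length < 2)
            throw new ArgumentException("Not a compact-serialized JWT.", nameof(incomingJwt));

        // base64url -> standard base64 with padding
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');

        using JsonDocument payload = JsonDocument.Parse(Convert.FromBase64String(b64));
        if (!payload.RootElement.TryGetProperty("tid", out JsonElement tid) ||
            tid.ValueKind != JsonValueKind.String)
            throw new InvalidOperationException(
                "Incoming token has no tid claim; refusing to fall back to /common for OBO.");
        return tid.GetString()!;
    }

    // Correct pattern from the issue: perform OBO against the user's home tenant,
    // not against /common or /organizations. The app can be built once with a
    // multi-tenant authority; the request-level WithTenantId overrides the tenant.
    public static async Task<AuthenticationResult> AcquireDownstreamTokenAsync(
        IConfidentialClientApplication app, string incomingJwt, string[] downstreamScopes)
    {
        string tid = GetTenantId(incomingJwt);
        return await app.AcquireTokenOnBehalfOf(downstreamScopes, new UserAssertion(incomingJwt))
                        .WithTenantId(tid)   // authority becomes https://login.microsoftonline.com/{tid}
                        .ExecuteAsync()
                        .ConfigureAwait(false);
    }

    // Example app construction (placeholders; supply your own client id and credential).
    public static IConfidentialClientApplication BuildApp(string clientId, string clientSecret) =>
        ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMultipleOrgs)
            .Build();
}
```

In an ASP.NET Core web API the same `tid` value is normally available from the validated `ClaimsPrincipal`, so the manual payload decode can be skipped there.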

@trwalke
Member

trwalke commented Mar 6, 2024

> As part of this we should also add a clear code snippet in our docs on how to do this:
>
> Correct pattern is:
> Extract tid claim from client assertion
> Use authority cloud/tid to perform OBO on

Which client assertion are we referring to exactly? What we pass into WithClientAssertion or ClaimsPrincipal?
I am trying to find a code snippet where this is happening.

@bgavrilMS

@trwalke trwalke reopened this Mar 6, 2024
@trwalke
Member

trwalke commented Mar 6, 2024

Keeping issue open to track doc updates

@pmaytak
Contributor

pmaytak commented Mar 21, 2024

Were the docs updated?

@pmaytak
Contributor

pmaytak commented Apr 9, 2024

Closing - this was released in 4.60.0. Added an issue in the docs repo for the related updates: MicrosoftDocs/microsoft-authentication-library-dotnet#393

@pmaytak pmaytak closed this as completed Apr 9, 2024
@pmaytak pmaytak removed this from the 4.61.0 milestone Apr 12, 2024
@pmaytak pmaytak added this to the 4.60.0 milestone Apr 12, 2024