Resource url's trailing slash is omitted, which caused sql auth failure #747
Comments
@yhvicey

```csharp
// Scope string with the doubled slash: audience becomes "https://database.windows.net/"
var result = app.AcquireTokenForClientAsync(new[]
{
    "https://database.windows.net//.default",
}).GetAwaiter().GetResult();
```

Note the double

MSAL does not look inside the access token claims, we just return it as a string. This works with ADAL because you're hitting a v1 endpoint, and eSTS uses the resource you define as the "aud" claim. I heard from eSTS, and in your case, you're hitting the v2 endpoint with MSAL using a v1 access token, so eSTS is parsing the desired audience from the requested scope (MSAL does not use resources, but scopes), and eSTS takes everything before the last slash and uses it as the resource identifier ("aud" claim). Your request.scope value is

Let us know if the suggestion above solves the issue for you. I will add this to our wiki. cc: @jmprieur
Adding another slash solved the issue. Thanks for your help!

@yhvicey Great! Thanks for the quick response.
ref: AzureAD/microsoft-authentication-library-for-dotnet#747 For MSAL (v2.0 endpoint) asking an access token for a resource that accepts a v1.0 access token, Azure AD parses the desired audience from the requested scope by taking everything before the last slash and using it as the resource identifier. For example, if the scope is "https://vault.azure.net/.default", the resource identifier is "https://vault.azure.net". If the scope is "http://database.windows.net//.default", the resource identifier is "http://database.windows.net/". Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
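The rule stated in the comment above and restated in the commit message (Azure AD takes everything before the last slash of the requested scope as the "aud" of a v1.0-style access token) is small enough to encode and check. The following is an added example, not code from the MSAL library, the issue author or the commit; it builds the MSAL scope from an ADAL-style resource URI, derives the audience Azure AD will pick from a scope, and reads the "aud" claim out of a token so the caller can confirm what was issued. The token used here is a constructed, unsigned sample; a real token returned by AcquireTokenForClientAsync would be passed in its place, and the regex-based claim extraction is only a diagnostic, not token validation.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class ScopeAudience
{
    // Azure AD (v2.0 endpoint, resource that accepts a v1.0 token) uses everything
    // before the LAST slash of the scope as the resource identifier ("aud").
    public static string AudienceFromScope(string scope)
    {
        int lastSlash = scope.LastIndexOf('/');
        if (lastSlash < 0)
            throw new ArgumentException("scope contains no '/': " + scope, nameof(scope));
        return scope.Substring(0, lastSlash);
    }

    // Inverse: the MSAL scope for an ADAL-style resource URI. A resource that
    // itself ends in '/' (as Azure SQL expects) therefore needs the double slash.
    public static string ScopeForResource(string resource)
    {
        return resource + "/.default";
    }

    // Base64url-decode one compact-JWS segment (JWT segments carry no '=' padding).
    private static string DecodeSegment(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Diagnostic only: pull the string "aud" claim out of a token payload without
    // validating anything. MSAL hands the token back as an opaque string, so this is
    // how a caller sees which audience was actually issued.
    public static string AudienceFromToken(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new ArgumentException("not a compact JWS (expected 3 segments)", nameof(jwt));
        string payload = DecodeSegment(parts[1]);
        Match m = Regex.Match(payload, "\"aud\"\\s*:\\s*\"([^\"]*)\"");
        if (!m.Success)
            throw new InvalidOperationException("no string 'aud' claim in token payload");
        return m.Groups[1].Value;
    }

    private static string Base64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        // Resource as Azure SQL expects it: trailing slash included.
        const string sqlResource = "https://database.windows.net/";

        string wrongScope = "https://database.windows.net/.default";  // what the issue started with
        string rightScope = ScopeForResource(sqlResource);             // "https://database.windows.net//.default"

        Console.WriteLine(wrongScope + " -> aud " + AudienceFromScope(wrongScope));   // https://database.windows.net
        Console.WriteLine(rightScope + " -> aud " + AudienceFromScope(rightScope));   // https://database.windows.net/
        Console.WriteLine("https://vault.azure.net/.default -> aud " + AudienceFromScope("https://vault.azure.net/.default"));

        // Constructed, unsigned sample token (alg "none", empty signature) standing in
        // for the string MSAL returns; only the "aud" claim is inspected.
        string payloadJson = "{\"aud\":\"https://database.windows.net/\",\"iss\":\"https://sts.windows.net/tenant-id-placeholder/\"}";
        string sampleToken = "eyJhbGciOiJub25lIn0." + Base64Url(Encoding.UTF8.GetBytes(payloadJson)) + ".";

        string aud = AudienceFromToken(sampleToken);
        Console.WriteLine(aud == sqlResource
            ? "aud matches the SQL resource, trailing slash present"
            : "aud mismatch, SQL login will fail: " + aud);
    }
}
```

The check at the end is the one worth keeping in a client: compare the issued "aud" with the exact resource string the target API expects (including any trailing slash) before opening the connection, since a mismatch surfaces only as an authentication failure on the server side.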
Which Version of ADAL are you using?
Microsoft.Identity.Client v2.6.2
Which platform has the issue?
net462
What authentication flow has the issue?
Other? - please describe;
Repro
Expected behavior
Sql connection should be opened without any exception.
Actual behavior
Throws an unhandled exception:
Possible Solution
Tried to do this using Microsoft.IdentityModel.Clients.ActiveDirectory v4.4.2 with the same settings (clientId, clientSecret, etc.) and it opened the connection successfully.

Additional context / Logs / Screenshots

I checked the token acquired by each library and found a difference.

Token from Microsoft.IdentityModel.Clients.ActiveDirectory v4.4.2:

while token from Microsoft.Identity.Client v2.6.2:

The trailing slash is missing. Here's a related SO question: Token-based database authentication fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."