
Resource URL's trailing slash is omitted, which caused SQL auth failure #747

Closed
1 of 8 tasks
yhvicey opened this issue Dec 28, 2018 · 3 comments

yhvicey commented Dec 28, 2018

Which version of ADAL are you using?
Microsoft.Identity.Client v2.6.2

Which platform has the issue?
net462

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

  • Console

Repro

using System.Data.SqlClient;
using Microsoft.Identity.Client;

var cred = new ClientCredential("<clientCredential>");
var app = new ConfidentialClientApplication(
    clientId: "<clientId>",
    authority: "https://login.microsoftonline.com/<tenantId>",
    redirectUri: "https://localhost",
    clientCredential: cred,
    userTokenCache: null,
    appTokenCache: new TokenCache());
var result = app.AcquireTokenForClientAsync(new[]
{
    "https://database.windows.net/.default",
}).GetAwaiter().GetResult();
var token = result.AccessToken;
var builder = new SqlConnectionStringBuilder()
{
    DataSource = "<dbServer>",
    InitialCatalog = "<dbName>",
    // ... other options
};
var conn = new SqlConnection(builder.ToString())
{
    AccessToken = token,
};
conn.Open(); // Throws Unhandled Exception: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Expected behavior
The SQL connection should open without any exception.

Actual behavior
Throws an unhandled exception:

System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Possible Solution
Tried to do this using Microsoft.IdentityModel.Clients.ActiveDirectory v4.4.2 with the same settings (clientId, clientSecret, etc.) and it opened the connection successfully.

Additional context/ Logs / Screenshots

I checked the token acquired by each library and found a difference:

Token from Microsoft.IdentityModel.Clients.ActiveDirectory v4.4.2

"aud": "https://database.windows.net/"

while token from Microsoft.Identity.Client v2.6.2:

"aud": "https://database.windows.net"

The trailing slash is missing. Here's a related SO question: Token-based database authentication fails with “Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.”

Collaborator

jennyf19 commented Jan 3, 2019

@yhvicey
You need to add another / to the scope value:

var result = app.AcquireTokenForClientAsync(new[]
{
    "https://database.windows.net//.default",
}).GetAwaiter().GetResult();

Note the double // in database.windows.net//.

MSAL does not look inside the access token claims, we just return it as a string. This works with ADAL because you're hitting a v1 endpoint, and eSTS uses the resource you define as the "aud" claim.

I heard from eSTS, and in your case, you're hitting the v2 endpoint with MSAL using a v1 access token, so eSTS is parsing the desired audience from the requested scope (MSAL does not use resources, but scopes), and eSTS takes everything before the last slash and uses it as the resource identifier ("aud" claim).

Your request.scope value is https://database.windows.net/.default, so eSTS will send back "aud":"https://database.windows.net"

Let us know if the suggestion above solves the issue for you. I will add this to our wiki.

cc: @jmprieur
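The audience rule jennyf19 describes above, written out as a small C# check. This is an added example, not code from MSAL, ADAL or this thread: `ResourceFromScope` applies the "everything before the last slash" rule to a requested scope, and `AudienceMatches` decodes a token's payload locally (no signature validation, which is the resource server's job) so a client can fail with a clear message instead of the opaque `NT AUTHORITY\ANONYMOUS LOGON` error. The expected SQL audience `https://database.windows.net/` is taken from the ADAL token shown in the report; the use of `System.Text.Json` (built into .NET Core 3.0+, a NuGet package on .NET Framework) and the sample unsigned token are assumptions made for the example.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Added example (not MSAL/ADAL code): models the scope-to-audience rule from the
// thread and checks a token's "aud" claim before it is handed to SqlConnection.
public static class ScopeAudienceCheck
{
    // eSTS rule as stated in the thread: when a v1 resource is requested through the
    // v2 endpoint, the resource identifier ("aud") is everything before the last
    // slash of the requested scope.
    public static string ResourceFromScope(string scope)
    {
        int lastSlash = scope.LastIndexOf('/');
        if (lastSlash < 0)
            throw new ArgumentException("scope must contain a '/'", nameof(scope));
        return scope.Substring(0, lastSlash);
    }

    // Base64url-decode one JWT segment (pads and maps the URL-safe alphabet back).
    private static byte[] FromBase64Url(string segment)
    {
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    // Decode the JWT payload (second segment). This is a local sanity check on the
    // claims only; the signature is not verified here.
    public static JsonDocument DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected a compact JWS with three segments");
        return JsonDocument.Parse(Encoding.UTF8.GetString(FromBase64Url(parts[1])));
    }

    // True when the token's "aud" claim (string or array) equals the expected audience.
    public static bool AudienceMatches(string jwt, string expectedAudience)
    {
        using (JsonDocument doc = DecodePayload(jwt))
        {
            if (!doc.RootElement.TryGetProperty("aud", out JsonElement aud))
                return false;
            if (aud.ValueKind == JsonValueKind.String)
                return aud.GetString() == expectedAudience;
            if (aud.ValueKind == JsonValueKind.Array)
                foreach (JsonElement e in aud.EnumerateArray())
                    if (e.GetString() == expectedAudience) return true;
            return false;
        }
    }

    public static void Main()
    {
        // Audience SQL expects, as seen in the ADAL token from the report.
        const string sqlAudience = "https://database.windows.net/";

        foreach (string scope in new[] { "https://database.windows.net/.default",
                                         "https://database.windows.net//.default" })
        {
            string resource = ResourceFromScope(scope);
            Console.WriteLine($"{scope} -> aud \"{resource}\" " +
                (resource == sqlAudience ? "(matches SQL audience)" : "(mismatch: login would fail)"));
        }

        // Constructed, unsigned sample token carrying the MSAL-style aud from the report.
        string ToB64Url(string s) =>
            Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string sampleJwt = ToB64Url("{\"typ\":\"JWT\"}") + "." +
                           ToB64Url("{\"aud\":\"https://database.windows.net\"}") + ".";

        Console.WriteLine(AudienceMatches(sampleJwt, sqlAudience)
            ? "aud ok"
            : "aud mismatch: request the scope with a double slash before .default");
    }
}
```

Running this prints that `https://database.windows.net/.default` yields the audience `https://database.windows.net` (mismatch) while `https://database.windows.net//.default` yields `https://database.windows.net/`, and the sample token fails the check. Placing `AudienceMatches` between `AcquireTokenForClientAsync` and `conn.Open()` turns the silent anonymous-logon failure into an actionable error at the client.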

Author

yhvicey commented Jan 3, 2019

Adding another slash solved the issue. Thanks for your help!

@yhvicey yhvicey closed this as completed Jan 3, 2019
Collaborator

jennyf19 commented Jan 3, 2019

@yhvicey Great! Thanks for the quick response.

aramase added a commit to aramase/azure-workload-identity that referenced this issue Oct 17, 2022
ref: AzureAD/microsoft-authentication-library-for-dotnet#747
For MSAL (v2.0 endpoint) asking an access token for a resource that accepts a v1.0 access token, Azure AD parses the desired audience
from the requested scope by taking everything before the last slash and using it as the resource identifier.
For example, if the scope is "https://vault.azure.net/.default", the resource identifier is "https://vault.azure.net".
If the scope is "http://database.windows.net//.default", the resource identifier is "http://database.windows.net/".

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
aramase added a commit to Azure/azure-workload-identity that referenced this issue Oct 17, 2022