Access token cannot be retrieved if Saxon is default transformer #451

Closed
jxkraj opened this issue Nov 29, 2021 · 8 comments
Labels

  • Bug: Something isn't working, needs an investigation and a fix
  • P2: Normal priority items, should be done after P1
  • public-client: For questions/issues related to public client apps
  • Work-around Provided: Issue has a known work-around, which could one day be integrated into MSAL Java

jxkraj commented Nov 29, 2021

Access token cannot be retrieved and throws the below error if Saxon transformer is on the classpath or javax.xml.transform.TransformerFactory is set to net.sf.saxon.TransformerFactoryImpl.

Caused by: com.microsoft.aad.msal4j.MsalInteractionRequiredException: AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.
Trace ID: 18981f3d-9297-412d-a7b0-7560355dc900
Correlation ID: b0e1f1c9-4706-45fc-b245-8ca3102e3e93
Timestamp: 2021-11-29 12:30:20Z
	at com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:37)
	at com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:96)
	at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:37)
	at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:120)
	at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:59)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17)

The issue can be reproduced by means of the code snippet below:

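import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;
import java.util.Set;

public class SaxonRepro {
	public static void main(String[] args) {
		String clientId = "<Client-Id>";
		String userName = "<User-Name>";
		String password = "<Password>";

		try {
			// Make Saxon the JAXP TransformerFactory for this JVM; this is what triggers the error.
			System.setProperty("javax.xml.transform.TransformerFactory", "net.sf.saxon.TransformerFactoryImpl");
			PublicClientApplication publicClientApplication = PublicClientApplication.builder(clientId).authority("https://login.microsoftonline.com/organizations").build();
			Set<String> scopes = Set.of("https://analysis.windows.net/powerbi/api/.default");
			// Username/password flow for the user given above.
			UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(scopes, userName, password.toCharArray()).build();
			IAuthenticationResult result = publicClientApplication.acquireToken(parameters).get();

			System.out.println("accessToken = " + result.accessToken());
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}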

net.sf.saxon.saxon-he:10.3 and com.microsoft.azure.msal4j:1.11.0 were used to reproduce the issue.
The same issue can also be reproduced for the previous library com.microsoft.azure.adal4j:1.6.7.
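The following diagnostic is an added example, not part of the original post, not MSAL4J code, and not the commit referenced in this thread. It reports which TransformerFactory JAXP resolves in a given JVM and whether serializing a DOM element through it keeps the `MajorVersion` attribute that AADSTS500088 reports as missing. It assumes Java 9+ and that the assertion is serialized through a JAXP identity transform; the class name `TransformerCheck` and the sample assertion are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class TransformerCheck { // hypothetical class name
	// Constructed SAML 1.1-style element; not taken from a real token response.
	static final String SAMPLE =
		"<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\""
		+ " MajorVersion=\"1\" MinorVersion=\"1\" AssertionID=\"_constructed\"/>";

	// Parse SAMPLE with the JDK's own parser, then serialize the element with an
	// identity transform from the given factory, so only the transformer varies.
	static String roundTrip(TransformerFactory tf, boolean nsAware) throws Exception {
		DocumentBuilderFactory dbf = DocumentBuilderFactory.newDefaultInstance();
		dbf.setNamespaceAware(nsAware);
		dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
		Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(SAMPLE)));
		StringWriter out = new StringWriter();
		tf.newTransformer().transform(new DOMSource(doc.getDocumentElement()), new StreamResult(out));
		return out.toString();
	}

	// Print one line per parser mode: factory class and whether the attribute survived.
	static void report(String label, TransformerFactory tf) {
		for (boolean nsAware : new boolean[] {false, true}) {
			String outcome;
			try {
				outcome = "MajorVersion kept=" + roundTrip(tf, nsAware).contains("MajorVersion=");
			} catch (Exception e) {
				outcome = "failed: " + e;
			}
			System.out.printf("%-11s %s nsAware=%b %s%n",
				label, tf.getClass().getName(), nsAware, outcome);
		}
	}

	public static void main(String[] args) {
		// Honors the javax.xml.transform.TransformerFactory property and the classpath.
		report("resolved", TransformerFactory.newInstance());
		// Java 9+: always the JDK's built-in implementation.
		report("jdk-default", TransformerFactory.newDefaultInstance());
	}
}
```

Run it once with the application's normal classpath and once with `-Djavax.xml.transform.TransformerFactory=net.sf.saxon.TransformerFactoryImpl` to compare the two "resolved" lines.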

rsafaie added a commit to AtScaleInc/microsoft-authentication-library-for-java that referenced this issue Feb 18, 2022
@deepaktiwari29

Hello @rsafaie ,
Can I know which msal4j jar version has these changes? As I don't see WSTrustResponse.java file's change in current source code.


leozent commented Nov 8, 2022

The problem still exists in version 1.13.3.
I have manually applied the changes of @rsafaie, then the error was fixed. In which version will the problem be fixed?

@siddhijain
Contributor

Thanks for your comments and sorry for not being able to include the fix yet. We will plan to include this fix in our next release and will update the thread once done.

@Syed-SnapLogic

@siddhijain, can we know when we can expect the next release? It will help us convey to our customers the ETA for the fixes we need to roll out for them.

@siddhijain
Contributor

Thanks for your message @Syed-SnapLogic. Looking closely at the code changes suggested by @rsafaie, the changes can only be done from Java 9 onwards and won't work for packages built using Java 8. Since MSAL Java is built using Java 8, we won't be able to make those changes in our library. There are 2 options - 1. We find a fix for this bug using Java 8. 2. We wait for MSAL Java to be updated to use Java 9.
I don't have an ETA to implement any of these options but will update the thread once I know more.

Hope that makes sense.

Thanks,
Siddhi

bgavrilMS added the Bug label Dec 23, 2022
@bgavrilMS
Member

Identity does not recommend using Username / Password flow. Please use AcquireTokenInteractive in your desktop applications.

If you're using this flow in a confidential client, please provision a pure AAD user. There is no XML parsing when dealing with pure AAD users, only with federated users, i.e. those that are homed in ADFS and federated with AAD.

bgavrilMS added the Work-around Provided, public-client and P2 labels May 1, 2023
@siddhijain
Contributor

Closing based on Bogdan's comment above. Please reopen the issue if you have more questions.


omeuid commented Jul 10, 2023

Hi,

Notice that this issue can cause problems using the JDBC driver if you select the ActiveDirectoryPassword authentication method.

Our testing environment:

  • On-premises Windows Server 2016 domain with Azure AD Connect configured with Seamless single sign-on
  • JDBC driver configured with the ActiveDirectoryPassword authentication method and using credentials for a user located in the on-premises domain.

The JDBC driver returned error:

com.microsoft.aad.msal4j.MsalInteractionRequiredException: AADSTS500088: SAML Assertion is missing the required 'MajorVersion' Attribute.
Trace ID: a18deb75-aaf0-495e-9133-374b8fba8400
Correlation ID: 7e008b86-91e1-4faa-8317-3d26bd70472f
Timestamp: 2023-07-10 09:06:42Z
at com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:39) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:96) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:37) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:128) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69) ~[msal4j-1.11.0.jar:1.11.0]
at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18) ~[msal4j-1.11.0.jar:1.11.0]

Note: A similar issue happens if the JDBC driver version uses adal4j instead of msal4j.

If this problem is not going to be fixed, could you provide a workaround to avoid the problem?

Regards
