[msal-node] Issues when server is behind proxy #2600
Comments
@sameerag Thank you for the quick response. What do I need to change to make it work? (For example, let's say my proxy IP address is http://192.168.1.1) |
@sameerag did you see my attached configuration? |
I am trying to reproduce on my end. Will update in a couple of days. How urgent is this? |
@sameerag It can wait a couple of days. Thanks! |
This issue has not seen activity in 14 days. It will be closed in 7 days if it remains stale. |
@ben-sf Apologies for the delay in our response. This will be the best way to set up your proxy and have the library work. Please let us know if you have any further questions. |
We may consider adding |
Any progress on this? I am using the msal-node module and followed the auth code flow example. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-node-samples/standalone-samples/auth-code/index.js Without the proxy, it got untrusted authority error after a few seconds, seems like a final error returned with the timeout. {"errorCode":"endpoints_resolution_error","errorMessage":"Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.microsoftonline.com//v2.0/.well-known/openid-configuration","subError":"","name":"ClientAuthError"} |
@ben-sf @wodeleeway We have been considering something like this as @hectormmg mentioned above. We haven't yet started the work, this is slated to be picked up soon and we will update here once we have an active PR. Apologies for the wait, please note that we are tracking this. |
@sameerag Can you please provide an example of the |
Have the same, but the weird thing is that msal-node works fine (I think it gets the proxy from the browser) on 2 servers, but on the other one it doesn't, and I don't know why |
Can you share the error you see here @piotrlech ? |
signin error: ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter. So many ms means a timeout to me. When looking at the tcpdump I can see that the TCP syn request goes to the IP address of 20...sth, which is MS Azure. In the other good servers, the request goes correctly to the proxy instead. The browser setup is the same here and there. |
This is interesting. Is it possible to share the Fiddler trace for the success and failure cases with us, @piotrlech? You can email me; my email is available in my profile. I am curious what configuration is causing this error. Also, is it the same app in all these scenarios? If they are different apps, can you please share the |
Also, the proxy settings you made, if possible. |
Hey guys, I've implemented a proxy client. The proxy is then set automatically via env variable:

proxyClient.js

```js
// Custom network client for msal-node; node-fetch-with-proxy reads the proxy from env variables
const fetch = require('node-fetch-with-proxy');

async function sendGetRequestAsync(url, options) {
  const response = await fetch(url, options);
  const json = await response.json();
  return {
    // Flatten the fetch Headers into a plain { name: value } object
    headers: Object.fromEntries(response.headers.entries()),
    body: json,
    status: response.status
  };
}

async function sendPostRequestAsync(url, options) {
  const sendingOptions = options || {};
  sendingOptions.method = 'post';
  const response = await fetch(url, sendingOptions);
  const json = await response.json();
  return {
    // Flatten the fetch Headers into a plain { name: value } object
    headers: Object.fromEntries(response.headers.entries()),
    body: json,
    status: response.status
  };
}

module.exports = {
  sendGetRequestAsync,
  sendPostRequestAsync
};
```

and in my main:

```js
const msal = require('@azure/msal-node');
const client = require('./proxyClient.js');

async function main() {
  const msalConfig = {
    auth: {
      clientId: 'STRING',
      authority: 'STRING',
      clientSecret: 'STRING',
    },
    system: {
      // Route all of MSAL's HTTP calls through the proxy-aware client
      networkClient: client
    }
  };
  const tokenRequest = {
    scopes: ['https://graph.microsoft.com/.default'],
  };
  const cca = new msal.ConfidentialClientApplication(msalConfig);
  const authResponse = await cca.acquireTokenByClientCredential(tokenRequest);
  console.log(authResponse.accessToken); // display access token
}

main()
  .catch(console.log)
  .then(() => process.exit());
```
|
I'm facing the same issue, even with the |
We think this is axios not supporting proxy: axios/axios#2072 (comment); Can you please try the alternative they suggested and let us know? |
Hi, After some tests, the solution given by @Bjego works correctly for authentication. To send requests with Axios I had to use

```js
const HttpsProxyAgent = require('https-proxy-agent')
const agent = new HttpsProxyAgent('http://127.0.0.1:3128');
// Fragment: the Axios request config returned from inside a method
return {
  headers: {
    Accept: "application/json;odata=verbose",
    Authorization: `Bearer ${this.cachedAccessToken}`
  },
  // Send HTTPS requests through the proxy agent
  httpsAgent: agent
};
```

Now it works properly, thanks. |
Hi Everyone, We're struggling with that too: we've tried using the global-agent library, but simply importing it and calling bootstrap does not look sufficient. Thank you very much in advance |
Interesting that so many people are still struggling. Have you tried to trust your in-house cert in node? You can do this with the environment variable: https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file

```yaml
- name: NODE_EXTRA_CA_CERTS
  value: /usr/local/share/ca-certificates/MYCORPORATECERT.crt
```

or plain linux
|
Sure, I even usually add my ca into the trusted system ca store. |
Facing the same issue. I used the |
We are also encountering this, but only for users running in WSL. The exact same code on developers running macs there are no issues but if run through WSL it has an issue. |
Note that it sometimes helps if you set your HTTP_PROXY and HTTPS_PROXY in the .env file |
I made it work with |
We are also facing same issue. Could someone please share the code snippet to resolve the issue? Dependency Config
Error
|
@san-goyal per your error message, you may want to add the following to your auth block: |
@Robbie-Microsoft thanks for your response. Now the code started throwing a different error. 240 out of 2400 requests failed. Behavior is intermittent.
|
@san-goyal Did you try the latest msal-node release? We added proxy support in the latest msal-node release @azure/msal-node Please let us know if this solves your issue. |
We support proxy with |
Closing this. We have a custom proxy implementation now with node http/https and should solve this issue. |
@sameerag: You said "we have a custom proxy implementation now with node http/https and should solve this issue." Can you provide an example please? I am getting this error while running my nodejs Lambda function backed by MSAL-NODE to fetch the token, using "@azure/msal-node": "^1.6.0": "Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints." ***********CODE SNIPPET **********
Also, you mentioned in the change log for 1.6.0: "Support proxy in msal-node(#4447)". Can you please tell how to leverage that custom proxy? |
@GurpreetVirdi You can find documentation on proxy support in the configuration README for MSAL-Node. It's located here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md |
@Robbie-Microsoft: Not able to find it. The link that you posted has no mention of any "PROXY SUPPORT/ CONFIG", and also I am using ConfidentialClientApplication in my Lambda <Authenticating API's deployed to different accounts> and not PublicClientApplication; please show the way! Looks like my app is trying to call the '.well-known/openid-configuration' GET endpoint but it's blocked. I am running this in an AWS managed environment. |
Search for "proxy" on that link I posted, you will find the documentation. It will tell you that you need to provide a "proxyUrl" to the system settings in the config. It functions the same no matter if your application is public or confidential. |
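Added example, not part of the thread and not msal-node's own code: one way to derive the `proxyUrl` system setting described above from the conventional `HTTPS_PROXY` / `NO_PROXY` environment variables, rejecting unusable values and keeping proxy credentials out of logs. `redact`, `bypassed`, `pickProxy` and `buildMsalConfig` are hypothetical helpers, and the authority and proxy values used with them are constructed placeholders.

```javascript
// Hypothetical helpers (not part of msal-node) that fill in system.proxyUrl.

// Strip userinfo so proxy credentials never reach logs.
function redact(proxyUrl) {
    const u = new URL(proxyUrl);
    if (u.username || u.password) {
        u.username = "***";
        u.password = "";
    }
    return u.toString();
}

// True when host is covered by a NO_PROXY entry:
// exact match, domain-suffix match (".corp" or "*.corp"), or "*" for everything.
function bypassed(host, noProxy) {
    return (noProxy || "").split(",")
        .map(s => s.trim().toLowerCase())
        .filter(Boolean)
        .some(rule => {
            if (rule === "*") return true;
            const bare = rule.replace(/^\*?\./, "");
            return host === bare || host.endsWith("." + bare);
        });
}

// Returns the proxy URL to use for the authority, or undefined for a direct connection.
function pickProxy(authority, env) {
    const host = new URL(authority).hostname.toLowerCase();
    const raw = env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy;
    if (!raw || bypassed(host, env.NO_PROXY || env.no_proxy)) return undefined;
    const proxy = new URL(raw); // throws on a malformed value
    if (!["http:", "https:"].includes(proxy.protocol)) {
        throw new Error(`unsupported proxy scheme: ${proxy.protocol}`);
    }
    return raw;
}

// Builds the object passed to ConfidentialClientApplication / PublicClientApplication,
// plus a log line that is safe to print.
function buildMsalConfig(auth, env = process.env) {
    const proxyUrl = pickProxy(auth.authority, env);
    const config = { auth, system: proxyUrl ? { proxyUrl } : {} };
    const logLine = `msal proxy: ${proxyUrl ? redact(proxyUrl) : "direct"}`;
    return { config, logLine };
}
```

Logging `logLine` at startup shows at a glance whether the token request will go direct or via the proxy, which is the difference the tcpdump comparison earlier in the thread was used to find.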
Library
msal@1.x.x or @azure/msal@1.x.x
@azure/msal-browser@2.x.x
@azure/msal-node@1.0.0-alpha.5
@azure/msal-react@1.x.x
@azure/msal-angular@0.x.x
@azure/msal-angular@1.x.x
@azure/msal-angular@2.x.x
@azure/msal-angularjs@1.x.x
Framework:
NodeJS
Description:
When proxy is configured for NodeJS we are getting the following error. We should have the ability to pass the proxy configuration to the NetworkClient.
Error Message:
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientConfigurationError: untrusted_authority: The provided authority is not a trusted authority. Please include this authority in the knownAuthorities config parameter.
Reproduction steps
Expected behavior
We should be able to call msal-node functions when behind proxy