Client_id is case sensitive #304

Closed
SaarasM opened this issue Feb 2, 2021 · 4 comments · Fixed by #307

SaarasM commented Feb 2, 2021

Describe the bug
If the client_id provided to the PublicClientApplication class is not lowercase, the following exception is raised:

```
RuntimeError: 3. The aud (audience) Claim must contain this client's client_id. id_token was: {
   I have redacted the contents for privacy
}
```

To Reproduce
Steps to reproduce the behavior:

1. Go to the usage sample on the homepage:

```python
from msal import PublicClientApplication
app = PublicClientApplication(
    "UPPER-CASE-CLIENT-ID",
    authority="https://login.microsoftonline.com/Enter_the_Tenant_Name_Here")
token = app.acquire_token_interactive([SCOPE], prompt="login")
```

2. Provide an uppercase client id
3. Acquire token interactively
4. See error:

```
Traceback (most recent call last):
  File "example.py", line 30, in <module>
    token = app.acquire_token_interactive([SCOPE], prompt="login")
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\application.py", line 1072, in acquire_token_interactive
    **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oidc.py", line 241, in obtain_token_by_browser
    **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oauth2.py", line 645, in obtain_token_by_browser
    flow, auth_response, scope=scope, **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oidc.py", line 186, in obtain_token_by_auth_code_flow
    auth_code_flow, auth_response, **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oauth2.py", line 559, in obtain_token_by_auth_code_flow
    **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oauth2.py", line 698, in _obtain_token_by_authorization_code
    return self._obtain_token("authorization_code", data=data, **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oidc.py", line 98, in _obtain_token
    ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oauth2.py", line 761, in _obtain_token
    "response": _resp, "params": params, "data": _data,
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\application.py", line 300, in <lambda>
    event, environment=authority.instance)),
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\token_cache.py", line 113, in add
    return self.__add(event, now=now)
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\token_cache.py", line 138, in __add
    if id_token else {})
  File "C:\Users\smehan\.venvs\gallery_venv\lib\site-packages\msal\oauth2cli\oidc.py", line 73, in decode_id_token
    err, json.dumps(decoded, indent=2)))
RuntimeError: 3. The aud (audience) Claim must contain this client's client_id. id_token was: {
   I have redacted the contents for privacy
}
```

Expected behavior
Ideally the token would be printed.
Failing that, an error message that reminds the user that the client_id is case sensitive.
Failing that, some documentation that the client_id should be lowercase.

What you see instead
Instead the following error is seen:

```
RuntimeError: 3. The aud (audience) Claim must contain this client's client_id. id_token was: {
   I have redacted the contents for privacy
}
```

The MSAL Python version you are using
Output of `python -c "import msal; print(msal.__version__)"`:

```
1.8.0
```

@rayluo rayluo added the question label Feb 2, 2021
rayluo (Collaborator) commented Feb 2, 2021

Thanks for your detailed issue report! That was helpful for us to repro the issue and investigate.

We tend to not make any change in this case, though. And this is why.

> Expected behavior
> Ideally the token would be printed.
> Failing that an error message that reminds the user that the client_id is case sensitive.
> Failing that some documentation that the client_id should be lowercase.

The "offending" token is already printed on the console, in its decoded form. This has been helpful to lead you to raise this issue. If you mean you want the raw token to be printed, it is unlikely to give you the following insight. Here comes an example.

```
RuntimeError: 3. The aud (audience) Claim must contain this client's client_id. id_token was: {
"aud": "04b07795-**",
```

And, nope, there is no requirement saying that client_id should be lowercase. Also, all id fields are generally considered case-sensitive, unless otherwise documented.
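To make the case-sensitivity point concrete, here is an added example (not MSAL's own code, and not from anyone in this thread) that performs the same kind of `aud` check on the decoded claims of an id_token. The token, the tenant placeholder in `iss`, and the helper names `decode_claims`, `check_audience` and `make_unsigned_token` are all constructed for this illustration; signature, issuer and expiry validation are deliberately out of scope here and must still happen before any claim is trusted.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Only the parsing step is shown; this does NOT verify the signature.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(claims: dict, client_id: str):
    """Return None when `aud` contains client_id by exact (case-sensitive)
    string comparison, otherwise an error message in the spirit of MSAL's.

    OpenID Connect allows `aud` to be a single string or an array, so both
    shapes are normalised to a list before the membership test.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return ("3. The aud (audience) Claim must contain this client's "
                "client_id; got aud=%r for client_id=%r" % (aud, client_id))
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample claims: AAD issues `aud` as a lowercase GUID, as seen
# in this issue. The tenant id in `iss` is a placeholder, not a real value.
SAMPLE_CLAIMS = {
    "aud": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    # Lowercase client_id matches the issued aud claim.
    print(check_audience(claims, "04b07795-8ddb-461a-bbee-02f9e1bf7b46"))
    # Uppercase spelling of the same GUID does not: exact comparison fails.
    print(check_audience(claims, "04B07795-8DDB-461A-BBEE-02F9E1BF7B46"))
```

Running the block prints `None` for the lowercase client_id and the error string for the uppercase one, which is exactly the situation reported above: the identifier the server put in `aud` and the identifier the app was configured with differ only in case, and an exact match is the correct check.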

jiasli (Contributor) commented Feb 3, 2021

Tested with Azure CLI client ID in UPPER CASE and reproduced this issue.

```python
from msal import PublicClientApplication

app = PublicClientApplication(
    "04B07795-8DDB-461A-BBEE-02F9E1BF7B46",
    authority="https://login.microsoftonline.com/common")
token = app.acquire_token_interactive(["https://management.azure.com/.default"], prompt="login")
```

```
RuntimeError: 3. The aud (audience) Claim must contain this client's client_id. id_token was: {
  "aud": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
  "iss": "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0",
```

Perhaps AAD service should fail even earlier when the browser launches at https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=04B07795-8DDB-461A-BBEE-02F9E1BF7B46&... (rejecting the UPPER CASE client ID 04B07795-8DDB-461A-BBEE-02F9E1BF7B46). 🤔

For example, if I use a wrong client ID 04B07795-8DDB-461A-BBEE-02F9E1BFXXXX:

[screenshot of the resulting AAD error page]

rayluo (Collaborator) commented Feb 3, 2021

Indeed, ideally the server-side would block an uppercase client_id like it does to a misspelled client_id. But, at this point, it might not make this change. Regardless, the current MSAL behavior is correct to treat aud from id token as case-sensitive.

Empirically, the client_id was always created as an all-lowercase GUID, so everything would be fine if apps just use the client_id in its original form. @SaarasM, where did you find your app's client_id in uppercase form? Perhaps we can identify that data source and fix it there.

SaarasM (Author) commented Feb 3, 2021

Thank you both for the quick response. I wasn't aware that the client_id is case sensitive, in which case I agree that the implementation is completely correct, although it might be more user friendly if this was stated in the docstring? This is a very minor point though, it's up to you how to proceed.

The data source was the Azure Sphere Public API Docs. I am on the team so will contact our docs team and ask them to fix this.

Feel free to close this issue and thank you for all your help!
