Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Experimental Feature Oidc Authority #4791

Closed
Hatzman91 opened this issue May 30, 2024 · 3 comments · Fixed by #4794
Closed

[Bug] Experimental Feature Oidc Authority #4791

Hatzman91 opened this issue May 30, 2024 · 3 comments · Fixed by #4794
Assignees
@bgavrilMS
Labels
Feature Request public-client

Comments

@Hatzman91
Copy link

Library version used

4.61.1

.NET version

.NET 7.0

Scenario

PublicClient - mobile app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

For MS Graph access we are using service accounts with delegated permissions.
To access login.microsoft.com we are using an implementation with the HttpClientFactory to route the traffic over the a proxy.

Now we got a security requirement to not directly use the proxy anymore, but we have to use our enterprise service gateway to which we provide a cerrtificate fe: "api-cert.company.ch/application-id/rest/microsoft/auth/v1" which then redirects to login.microsoft.com + our tenantId

I tried to use the new OidcAuthority (which is still in Experimental I know) but it doesn't set an URI for the UserRealmUriPrefix which then tries to make a call to https://loginSMTP/?api-version=1.0 which doesn't make much sense

Is there a way where i can achieve what i want to do?

Relevant code snippets

PublicClientApplicationBuilder
                  .CreateWithApplicationOptions(pcaOptions)
                  .WithExperimentalFeatures(true)
                  .WithOidcAuthority(o365IntegrationOptions.BaseUrl)
                  .WithDefaultRedirectUri() //https://login.microsoftonline.com/common/oauth2/nativeclient
                  .WithHttpClientFactory(serviceProvider.GetRequiredService<IWebProxyMsalClientFactory>()) // new doesn't have the proxy, but adds a certificate to the requests
                  .Build();

Expected behavior

The expected behaviour is either to skip the user realm discovery somehow, or that I can manually set the Uri for the OIDC Case.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

4.61.1

Solution and workarounds

No response
@Hatzman91 Hatzman91 added needs attention Delete label after triage untriaged Do not delete. Needed for Automation labels May 30, 2024
@bgavrilMS bgavrilMS added Feature Request public-client and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels May 30, 2024
@bgavrilMS
Copy link
Member

Which "AcquireToken" method do you use?

@rayluo
Copy link
Contributor

rayluo commented May 31, 2024

Which "AcquireToken" method do you use?

Possibly the username password flow, as it is the only flow in MSAL that may run the user realm discovery code path. Speaking of username password flow, it shall - if it has not already - bypass user realm discovery when running in WithOidcAuthority mode.

@bgavrilMS
Copy link
Member

Which "AcquireToken" method do you use?

Possibly the username password flow, as it is the only flow in MSAL that may run the user realm discovery code path. Speaking of username password flow, it shall - if it has not already - bypass user realm discovery when running in WithOidcAuthority mode.

+1 yes, that is the correct fix. ROPC should attempt user realm discovery etc only for AAD authority. All else should implement only OAUTH protocol.

@bgavrilMS bgavrilMS self-assigned this Jun 3, 2024
bgavrilMS added a commit that referenced this issue Jun 3, 2024
@bgavrilMS
Fix for #4791
1ee8f13
@bgavrilMS bgavrilMS mentioned this issue Jun 3, 2024
Merged
1 task
bgavrilMS added a commit that referenced this issue Jun 4, 2024
@bgavrilMS
Fix for #4791
c4872b8
neha-bhargava added a commit that referenced this issue Jun 6, 2024
@bgavrilMS @neha-bhargava
Fix for #4791 - don't use WSTrust for ROPC except for AAD authorities (
88df640 
…#4794)

* Fix for #4791

* Fix for #4791

* fix

---------

Co-authored-by: Neha Bhargava <61847233+neha-bhargava@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bgavrilMS bgavrilMS

Labels
Feature Request public-client
Projects
None yet
Milestone
No milestone
3 participants
@rayluo @bgavrilMS @Hatzman91