Facing Common endpoint error #19795
Comments
#assign @Rick-Anderson @01binary |
Looks simple, I can do it this evening. I don't have a project to test with anymore, but I will change exactly the way it was suggested. |
I tested this a month ago with personal and it worked. |
@Rick-Anderson Here is the text Exception: invalid_request;Description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint. @01binary I have the sample. I will send it to you. |
It sounds like the Microsoft Account OAuth provider is using a "common" endpoint, which makes sense. It's optimized for the "common case" of someone trying to login with Xbox, Outlook, or similar account. The instructions that send you to Azure Active Directory to create a compatible App Registration should mention that you need to select a specific type that would be supported by the OAuth provider: Haven't tried the code yet, but these options are reflected in App Registration manifest as follows:
The URL can be found by going to Overview page for App Registration and clicking "Endpoints" button. The OAuth provider for MS Account uses:
I conclude therefore that the MS Account provider is hardwired to use "AzureADAndPersonalMicrosoftAccount" App Registration Audience, which is called "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" in Azure portal when creating a new App Registration. It seems like people should know that when they are going to use the Microsoft Account provider, then the App Registration that can work with it has to be created a certain way by picking the above option. |
Trial results with various types of App Registrations, using MS Account provider and Blazor app I got from OP.
I assume it's because Single Tenant must use Tenant ID in the URL, and since the MS Account provider is hardwired to use the common URL which does not contain a Tenant ID, it fails to find the App Registration specified by Client ID. This is expected.
The OAuth dialog is shown with a UI error that says
The OAuth dialog is shown, no error. Logs in successfully.
This error is the reason why we should explicitly call out which App Registration type will work with MS Account provider. |
I recommend the following change under the bullet point that says "Pick a supported account type":
I have to sync my fork and create a pull request, etc. |
@01binary This is great. @Rick-Anderson What would be the recommendation for customers that need to target "Microsoft Accounts only"? |
I think you'd need to scaffold Identity and write your own code to handle that. @Tratcher who's the right person to answer this question? |
It should just be a matter of the developer setting |
I suspected that was configurable (just the constant was hard-coded) but haven't looked there again. The OAuth URL for "Personal Microsoft Accounts Only" is Here's what I got: OAuth 2.0 authorization endpoint (v2): |
Ah, great. Yes, update the MicrosoftAccountOptions AuthorizationEndpoint and TokenEndpoint and re-validate. |
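The change discussed in the last few comments (pointing MicrosoftAccountOptions at a tenant other than /common/), written out as an added example in minimal-hosting form. This is not code from the thread or from the AspNetCore.Docs project; it assumes a Program.cs in a .NET 6+ app with the Microsoft.AspNetCore.Authentication.MicrosoftAccount package referenced, and that the client ID and secret live under the Authentication:Microsoft configuration keys (an assumed layout, matching the docs convention). The /common/ and /consumers/ endpoint URLs are the standard Microsoft identity platform v2.0 endpoints; the signInAudience manifest values named in the comments are the ones the Azure portal writes for each "Supported account types" choice.

```csharp
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication()
    .AddMicrosoftAccount(options =>
    {
        // Client ID and secret of the App Registration. Read them from configuration
        // (user-secrets in development, a key vault in production); fail fast if absent
        // rather than starting with an unusable provider.
        options.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"]
            ?? throw new InvalidOperationException("Authentication:Microsoft:ClientId is not configured.");
        options.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"]
            ?? throw new InvalidOperationException("Authentication:Microsoft:ClientSecret is not configured.");

        // The provider's defaults (MicrosoftAccountDefaults.AuthorizationEndpoint and
        // MicrosoftAccountDefaults.TokenEndpoint) use the /common/ tenant:
        //   https://login.microsoftonline.com/common/oauth2/v2.0/authorize
        //   https://login.microsoftonline.com/common/oauth2/v2.0/token
        // /common/ only accepts App Registrations whose manifest has
        // signInAudience = "AzureADandPersonalMicrosoftAccount" (portal: "Accounts in any
        // organizational directory ... and personal Microsoft accounts"). Leave the defaults
        // alone for that registration type.
        //
        // For an App Registration created as "Personal Microsoft accounts only"
        // (signInAudience = "PersonalMicrosoftAccount"), /common/ is rejected with the
        // invalid_request / userAudience error quoted earlier in this thread, so point both
        // endpoints at the /consumers/ tenant instead. A single-tenant registration
        // (signInAudience = "AzureADMyOrg") would need its tenant ID in place of "consumers".
        options.AuthorizationEndpoint = "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize";
        options.TokenEndpoint = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token";

        // The callback path is what the provider registers for the redirect; the App
        // Registration's redirect URI must match it exactly (scheme, host, port, path),
        // e.g. https://localhost:5001/signin-microsoft. Shown here only to make that
        // pairing explicit; this is already the default value.
        options.CallbackPath = "/signin-microsoft";
    });

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "Hello");

app.Run();
```

The user-information endpoint (Microsoft Graph /me) is left at its default because it is not tenant-specific; only the authorize and token URLs carry the tenant segment that has to agree with the App Registration's audience.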
I failed to sync my fork, so I re-created and re-cloned everything - sorry for the delay. |
Thank you @01binary @Rick-Anderson |
Good, it works for me, thanks |
The instructions here don't specifically mention which supported account type to choose.
I selected "Personal Microsoft account users" since the article is related to configuring Microsoft Logins
But this results in an error.
I believe this is because of MSAL now using a common endpoint?
Creating a new App Registration with supported account type as "All Microsoft account users" works without any errors
We should update the documentation accordingly.