[Bug] Invalid reply address
Which version of MSAL Go are you using? github.com/AzureAD/[email protected]
Where is the issue?
- Public client
  - [ ] Device code flow
  - [ ] Username/Password (ROPC grant)
  - [x] Authorization code flow
- Confidential client
  - [ ] Authorization code flow
  - [ ] Client credentials:
    - [ ] client secret
    - [ ] client certificate
- Token cache serialization
  - [ ] In-memory cache
- Other (please describe)
Is this a new or an existing app? c. This is a new app or an experiment. However, code was borrowed from a pre-existing app in production.
What version of Go are you using (go version)?
$ go version
go version go1.17.3 darwin/amd64
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOVERSION="go1.17.3"
GCCGO="gccgo"
Repro
```go
package main

import (
	"context"
	"fmt"
	"io/ioutil"
	"log"
	"os"

	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)

// TokenCache persists the MSAL token cache in a single file. The original
// report referenced this type without including its definition; the minimal
// cache.ExportReplace implementation below is supplied so the snippet
// compiles. Note that the file holds refresh tokens in the clear.
type TokenCache struct {
	file string
}

// Replace loads the serialized cache from disk before MSAL reads its cache.
func (t *TokenCache) Replace(c cache.Unmarshaler, key string) {
	data, err := ioutil.ReadFile(t.file)
	if err != nil {
		if !os.IsNotExist(err) {
			log.Println(err)
		}
		return // no cache file yet: first run
	}
	if err := c.Unmarshal(data); err != nil {
		log.Println(err)
	}
}

// Export writes the serialized cache to disk after MSAL updates its cache.
func (t *TokenCache) Export(c cache.Marshaler, key string) {
	data, err := c.Marshal()
	if err != nil {
		log.Println(err)
		return
	}
	if err := ioutil.WriteFile(t.file, data, 0600); err != nil {
		log.Println(err)
	}
}

func GetAccessToken() public.AuthResult {
	var (
		err        error
		authResult public.AuthResult
	)
	scopes := []string{fmt.Sprintf("api://%s/Custom.Scope", "<uuid>")}
	client, err := public.New(
		"<clientId>",
		public.WithAuthority("https://login.microsoftonline.com/<tenantId>"),
		public.WithCache(&TokenCache{file: "/tmp/test.json"}),
	)
	if err != nil {
		log.Fatal(err)
	}
	// Try a cached account silently first; fall back to an interactive sign-in.
	accounts := client.Accounts()
	if len(accounts) > 0 {
		authResult, err = client.AcquireTokenSilent(context.Background(), scopes, public.WithSilentAccount(accounts[0]))
		if err != nil {
			authResult, err = acquireTokenInteractively(client, scopes)
		}
	} else {
		authResult, err = acquireTokenInteractively(client, scopes)
	}
	if err != nil {
		log.Fatal(err)
	}
	return authResult
}

// acquireTokenInteractively runs the authorization code flow (MSAL opens the
// system browser and listens on a loopback redirect) and falls back to the
// device code flow if that fails.
func acquireTokenInteractively(client public.Client, scopes []string) (public.AuthResult, error) {
	if authResult, err := client.AcquireTokenInteractive(context.Background(), scopes); err == nil {
		return authResult, nil
	} else {
		fmt.Println(err)
	}
	deviceCode, err := client.AcquireTokenByDeviceCode(context.Background(), scopes)
	if err != nil {
		return public.AuthResult{}, err
	}
	fmt.Println(deviceCode.Result.Message)
	return deviceCode.AuthenticationResult(context.Background())
}

func main() {
	fmt.Println(GetAccessToken())
}
```
Expected behavior After configuring an App Registration in Azure with the valid scopes, API permissions, and authentication flows, I should receive a token by authenticating using the PKCE Auth Code Flow.
Actual behavior Azure returns an error saying the reply address is not configured. However, I have configured the default redirect URIs provided by the Azure blade for "Desktop Apps". This includes the following:
- https://login.microsoftonline.com/common/oauth2/nativeclient
- https://login.live.com/oauth20_desktop.srf (LiveSDK)
- msal<clientId>://auth (MSAL only)
Possible solution
After a quick debug session it appears that MSAL Go is setting the redirect port to localhost:<randomport>. Setting an additional redirect URI in Azure to http://localhost appears to fix the problem, but this is not desirable since we cannot reuse an app registration to support multiple client types (i.e., desktop apps and SPAs). Instead, the client should set the redirect URI to either msal<clientId>://auth (MSAL only) or https://login.microsoftonline.com/common/oauth2/nativeclient, and the client should internally translate the redirection to the local HTTP server handler.
Additional context / logs / screenshots N/A
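Why the three default desktop redirect URIs do not cover MSAL Go's loopback redirect, shown as an added example (this is not code from the issue or from MSAL Go). The matching rule below is modelled on RFC 6749 §3.1.2.3 and RFC 8252 §7.3: a redirect_uri must match a registered URI by simple string comparison, with one exception for `http://` loopback URIs, whose port is ignored because a native app binds an ephemeral port at runtime. That is the rule an authorization server applies when it decides whether to return "reply address not configured", and it is consistent with the workaround in the report (registering `http://localhost` made the random-port redirect pass). The registered lists, the port number and the attacker hostname are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// DefaultDesktopRedirects are the three URIs the Azure portal offers for the
// desktop platform, as quoted in the report (constructed list; <clientId> is
// the same placeholder the report uses).
var DefaultDesktopRedirects = []string{
	"https://login.microsoftonline.com/common/oauth2/nativeclient",
	"https://login.live.com/oauth20_desktop.srf",
	"msal<clientId>://auth",
}

// WithLoopback is the same registration after the workaround from the report:
// http://localhost added, without a port. Copied first so the default slice
// is never aliased by append.
var WithLoopback = append(append([]string{}, DefaultDesktopRedirects...), "http://localhost")

// isLoopback reports whether host names the local machine.
func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host) // Hostname() already strips the brackets from [::1]
	return ip != nil && ip.IsLoopback()
}

// normPath treats an absent path and "/" as the same redirect target.
func normPath(p string) string {
	if p == "" {
		return "/"
	}
	return p
}

// redirectAllowed decides whether requested (the redirect_uri in the
// authorization request) is covered by the registered URIs.
// Step 1: exact string comparison, the default for every scheme.
// Step 2: the RFC 8252 §7.3 exception: an http loopback URI matches a
// registered http loopback URI with the same host and path on any port.
func redirectAllowed(registered []string, requested string) bool {
	for _, r := range registered {
		if r == requested {
			return true
		}
	}
	req, err := url.Parse(requested)
	if err != nil || req.Scheme != "http" || !isLoopback(req.Hostname()) {
		return false
	}
	for _, r := range registered {
		reg, err := url.Parse(r)
		if err != nil || reg.Scheme != "http" || !isLoopback(reg.Hostname()) {
			continue // custom schemes and https entries never get the port exemption
		}
		// Only the port may differ; the host is still matched exactly, so
		// localhost.attacker.example or a different loopback literal is rejected.
		if reg.Hostname() == req.Hostname() && normPath(reg.Path) == normPath(req.Path) {
			return true
		}
	}
	return false
}

func main() {
	// The redirect a native client presents after binding an ephemeral port,
	// like MSAL Go's local listener described in the report (port constructed).
	requested := "http://localhost:49152"
	fmt.Println("defaults only:        ", redirectAllowed(DefaultDesktopRedirects, requested))
	fmt.Println("with http://localhost:", redirectAllowed(WithLoopback, requested))
	fmt.Println("spoofed host:         ", redirectAllowed(WithLoopback, "http://localhost.attacker.example:49152"))
}
```

With only the three defaults registered, `http://localhost:49152` fails both steps: nothing matches exactly, and none of the registered entries is an http loopback URI. Once `http://localhost` is registered the port exemption applies and the same request passes. The exemption never relaxes the host, so a host that merely begins with `localhost` is rejected, and it never applies to `https://` or custom-scheme entries, so `msal<clientId>://auth` still has to match byte for byte.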
> Setting an additional redirect URI in Azure to http://localhost appears to fix the problem but this is not desirable since we cannot reuse an app registration to support multiple client types (i.e., desktop apps and SPAs).
@allfro, since you were "setting an additional redirect URI", it shouldn't affect your other existing settings, and it shouldn't prevent you from reusing an app registration for multiple client types.