
Regional Auth routing to invalid auth url

Open riteshbhoi opened this issue 1 year ago • 0 comments

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.9.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

We implemented a ConfidentialClientApplication and used it to call acquireTokenByClientCredential(clientCredentialRequest) with clientCredentialRequest being identical to the example in the docs for the purpose of using regional auth.

We added the region (westus in our case) to the azureRegion field just like in the example, but the request wasn't routed to a regional endpoint.

const { ConfidentialClientApplication } = require('@azure/msal-node');

// Confidential client authenticating with a certificate against the
// Azure Government (login.microsoftonline.us) authority.
const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

// Client-credentials request as in the docs example, with azureRegion set.
const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

The authentication call (for tenant id 5b750121-f135-44ef-b08e-61da0ff7c4d6) is routed to the URL below, which doesn't exist: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/

The same issue happens for the https://login.partner.microsoftonline.cn/ authority as well.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • [ ] Sent
  • [ ] Pending

MSAL Configuration

auth: {
  clientId: clientId,
  authority: `https://login.microsoftonline.us/${tenantId}`,
  clientCertificate: {
    thumbprint: clientCertificateData.thumbprint,
    privateKey: clientCertificateData.privateKey,
    x5c: clientCertificateData.x5c
  }
}

Relevant Code Snippets

const { ConfidentialClientApplication } = require('@azure/msal-node');

// Confidential client authenticating with a certificate against the
// Azure Government (login.microsoftonline.us) authority.
const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

// Client-credentials request as in the docs example, with azureRegion set.
const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

Reproduction Steps

  1. Run the code snippet with the provided msal config (substituting the values with the ones found in the logs)
  2. Check the logs to see which endpoints the request is routed to

Expected Behavior

Auth call should be routed to a valid auth URL

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

riteshbhoi · Jul 30 '24 22:07
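The following is an added example, not code from the issue author or from MSAL itself. It models the rewrite the report describes (the region becomes a subdomain prefix of the authority host, producing westus.login.microsoftonline.us for the Azure Government authority) and shows a pre-flight guard a caller can apply before passing azureRegion: only enable regional routing for authority hosts on an allowlist, and compute the endpoint the request is expected to hit so it can be logged or checked. The allowlist containing only login.microsoftonline.com, the public-cloud mapping to login.microsoft.com, and the region-name pattern are assumptions made for illustration, not statements about which clouds MSAL supports.

```javascript
// Added example (not MSAL's own code): model the URL rewrite that regional
// auth performs and decide, before calling acquireTokenByClientCredential,
// whether azureRegion should be passed for a given authority.

// Assumption for illustration: regional routing is only enabled for the
// public-cloud authority host. The sovereign hosts named in the issue
// (login.microsoftonline.us, login.partner.microsoftonline.cn) are left
// out on purpose, so requests to them keep the global endpoint.
const REGIONAL_CAPABLE_HOSTS = new Set(['login.microsoftonline.com']);

// Assumed shape of an Azure region name: short lowercase alphanumerics
// (westus, eastus2, northeurope). Anything else is rejected up front.
const REGION_RE = /^[a-z0-9]{3,32}$/;

// Split an authority such as https://host/<tenant>/ into host and tenant.
function parseAuthority(authority) {
  const u = new URL(authority);
  if (u.protocol !== 'https:') throw new Error('authority must be https');
  const tenant = u.pathname.replace(/^\/+|\/+$/g, '');
  if (!tenant) throw new Error('authority has no tenant segment');
  return { host: u.hostname, tenant };
}

// Global (non-regional) v2.0 token endpoint for the authority.
function globalTokenEndpoint(authority) {
  const { host, tenant } = parseAuthority(authority);
  return `https://${host}/${tenant}/oauth2/v2.0/token`;
}

// Regional v2.0 token endpoint, built the way the issue's log shows it:
// the region is prefixed as a subdomain of the authority host. The extra
// public-cloud mapping login.microsoftonline.com -> login.microsoft.com is
// an assumption based on the documented form of public-cloud regional
// endpoints; it is not applied to any other host.
function regionalTokenEndpoint(authority, region) {
  if (!REGION_RE.test(region)) throw new Error(`invalid region: ${region}`);
  let { host, tenant } = parseAuthority(authority);
  if (host === 'login.microsoftonline.com') host = 'login.microsoft.com';
  return `https://${region}.${host}/${tenant}/oauth2/v2.0/token`;
}

// Build the request object for acquireTokenByClientCredential, adding
// azureRegion only when the authority host is allowlisted. Also return the
// endpoint the request is expected to hit so the caller can log or check it.
function buildClientCredentialRequest(authority, scopes, region) {
  const { host } = parseAuthority(authority);
  const useRegion = Boolean(region) && REGIONAL_CAPABLE_HOSTS.has(host);
  const request = useRegion ? { scopes, azureRegion: region } : { scopes };
  const expectedEndpoint = useRegion
    ? regionalTokenEndpoint(authority, region)
    : globalTokenEndpoint(authority);
  return { request, expectedEndpoint };
}

// Constructed inputs: the Azure Government tenant id quoted in the issue,
// and a made-up public-cloud tenant for comparison.
const GOV_AUTHORITY =
  'https://login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6';
const PUBLIC_AUTHORITY =
  'https://login.microsoftonline.com/contoso.onmicrosoft.com';

// What the naive prefix rule produces for the sovereign authority (the
// host the issue reports as nonexistent), versus the guarded request.
console.log(regionalTokenEndpoint(GOV_AUTHORITY, 'westus'));
console.log(buildClientCredentialRequest(
  GOV_AUTHORITY, ['https://graph.microsoft.us/.default'], 'westus'));
console.log(buildClientCredentialRequest(
  PUBLIC_AUTHORITY, ['https://graph.microsoft.com/.default'], 'westus'));
```

The guard errs on the side of availability: a host not on the allowlist falls back to the global endpoint rather than a prefixed hostname that may not resolve. The allowlist is a local policy choice and should be adjusted to whatever the target cloud actually supports.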