
Exception is thrown in acquireTokenByClientCredential if authority ends with /consumers when use personal tenant account

Open star-starry-sea opened this issue 11 months ago • 0 comments

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

3.1.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

Hello! The issue "Exception is thrown in acquireTokenByClientCredential if tenantId is missing #5805" added a check for legal tenantId values (prohibiting the case where the value is consumers). However, when the Azure application option is only for individual tenants, tenantId (parsed from the end of authority) may be consumers, as mentioned in the official nodejs (server) usage sample. Therefore, writing this in the current version will produce an exception without tenantId, which is not expected.

Error Message

D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:861
    return new ClientAuthError(errorCode, additionalMessage);
           ^

ClientAuthError: missing_tenant_id_error: A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.
    at createClientAuthError (D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:861:12)
    at ConfidentialClientApplication.acquireTokenByClientCredential (D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:11616:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  errorCode: 'missing_tenant_id_error',
  errorMessage: 'A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.',
  subError: ''

Node.js v20.15.1

MSAL Logs

[Fri, 24 Jan 2025 13:07:47 GMT] : [] : @azure/msal-node@3.1.0 : Info - acquireTokenByClientCredential called
[Fri, 24 Jan 2025 13:07:47 GMT] : [] : @azure/msal-node@3.1.0 : Verbose - initializeRequestScopes called
D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:861
    return new ClientAuthError(errorCode, additionalMessage);
           ^

ClientAuthError: missing_tenant_id_error: A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.
    at createClientAuthError (D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:861:12)
    at ConfidentialClientApplication.acquireTokenByClientCredential (D:\Projects\Webstorm\untitled\node_modules@azure\msal-node\lib\msal-node.cjs:11616:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  errorCode: 'missing_tenant_id_error',
  errorMessage: 'A tenant id - not common, organizations, or consumers - must be specified when using the client_credentials flow.',
  subError: ''

Node.js v20.15.1

Network Trace (Preferably Fiddler)

  • [ ] Sent
  • [ ] Pending

MSAL Configuration

{
    auth: {
        clientId: "clientId",
        authority: "https://login.microsoftonline.com/consumers",
        clientSecret: "clientSecret"
    }
}

Relevant Code Snippets

const msal = require('@azure/msal-node');

const msalConfig = {
    auth: {
        clientId: "clientId",
        authority: "https://login.microsoftonline.com/consumers",
        clientSecret: "clientSecret"
    },
    system: {
        loggerOptions: {
            loggerCallback(loglevel, message, containsPii) {
                console.log(message);
            },
            piiLoggingEnabled: false,
            logLevel: msal.LogLevel.Verbose,
        }
    }
};

const cca = new msal.ConfidentialClientApplication(msalConfig);

const tokenRequest = {
    scopes: [ 'https://graph.microsoft.com/.default' ],
};

cca.acquireTokenByClientCredential(tokenRequest).then(res => {
    console.log(res)
})

Reproduction Steps

  1. Use the "Relevant Code Snippets" above.
  2. Install the latest "@azure/msal-node".
  3. Replace the clientId and clientSecret with your own.
  4. Run the code.

Expected Behavior

As with versions below 2.0, it will not throw an error. It will send the request and print the response successfully.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

@azure/msal-node 2.0.0

star-starry-sea • Jan 24 '25 13:01
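
The rule stated in the error message above, written as a pre-flight check a caller can run on its authority before calling acquireTokenByClientCredential. This is an added example, not code from the issue or from MSAL; the helper name checkClientCredentialAuthority, its return shape and the sample authorities are assumptions.

```javascript
// Added illustration, not MSAL's implementation: applies the rule quoted in the
// missing_tenant_id_error message to an authority URL before any token request.

// Aliases named in the error message quoted in this issue.
const TENANT_ALIASES = new Set(['common', 'organizations', 'consumers']);

// Hypothetical helper: returns { ok, tenant, reason } for an authority string.
function checkClientCredentialAuthority(authority) {
    let url;
    try {
        url = new URL(authority); // URL is a global in Node.js
    } catch {
        return { ok: false, tenant: null, reason: 'invalid_authority_url' };
    }
    // The tenant is the first non-empty path segment; this tolerates a
    // trailing slash and extra segments after the tenant.
    const segments = url.pathname.split('/').filter(Boolean);
    const tenant = segments.length > 0 ? segments[0].toLowerCase() : null;
    if (tenant === null) {
        return { ok: false, tenant: null, reason: 'missing_tenant_id_error' };
    }
    if (TENANT_ALIASES.has(tenant)) {
        // Same condition the error message describes: an alias, not a tenant id.
        return { ok: false, tenant, reason: 'missing_tenant_id_error' };
    }
    return { ok: true, tenant, reason: null };
}

// Constructed sample authorities; the GUID is a placeholder, not a real tenant.
const samples = [
    'https://login.microsoftonline.com/consumers',
    'https://login.microsoftonline.com/Consumers/',
    'https://login.microsoftonline.com/',
    'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000',
    'not a url',
];

for (const authority of samples) {
    const result = checkClientCredentialAuthority(authority);
    console.log(authority, '->', JSON.stringify(result));
}
```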