[Bug] PoP auth on macOS gives `ServerNonceInvalidSignature` error from Graph endpoint
Describe the bug
Running the following script works on Windows with WAM, but not on macOS with Company Portal:
https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8
Instead, on macOS, the request with the PoP token yields a 401 response with the following error:
{"error":{"code":"InvalidAuthenticationToken","message":"ServerNonceInvalidSignature","innerError":{"date":"2024-10-23T01:24:12","request-id":"488ed87e-30cb-466f-85a1-f898e60351e1","client-request-id":"488ed87e-30cb-466f-85a1-f898e60351e1"}}}
Any ideas what could be causing this?
To Reproduce
Install the latest msal and pymsalruntime, and run the following script which runs through the PoP authentication flow with Microsoft Graph.
https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8
Expected behavior
The request to the Graph endpoint should yield a 200 response.
What you see instead
A 401 response is returned with a ServerNonceInvalidSignature error.
The MSAL Python version you are using
msal==1.31.0 pymsalruntime==0.17.1
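The report does not include the gist, so as an added example (not the reporter's script and not MSAL's own code) here are the offline claim-level checks a practitioner would run on a Signed HTTP Request (SHR) PoP token before blaming the signature: the `nonce` claim must equal the nonce from Graph's 401 `WWW-Authenticate: PoP nonce="..."` challenge, the `m`/`u`/`p` claims must match the request, `ts` must be fresh, and the header `kid` must be the RFC 7638 thumbprint of the `cnf.jwk` key. The claim names follow the SHR profile MSAL brokers emit; the challenge format, the sample key material and the signature bytes are constructed placeholders. Signature verification itself is left out here (it needs PyJWT and cryptography, which the reporter lists).

```python
"""Offline sanity checks on an SHR-style PoP token (added example, stdlib only)."""
import base64
import hashlib
import json
import re
import time
from typing import Dict, List, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_server_nonce(www_authenticate: str) -> str:
    """Pull the nonce out of a 401 challenge such as 'PoP nonce="..."'.
    The exact header layout is an assumption; only the nonce="" part is used."""
    m = re.search(r'nonce="([^"]+)"', www_authenticate)
    if not m:
        raise ValueError("no nonce in WWW-Authenticate header")
    return m.group(1)


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical JSON of the
    required members (e, kty, n), keys sorted, no whitespace, base64url."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS and decode header and payload without verifying."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def check_shr(token: str, server_nonce: str, method: str, host: str, path: str,
              now: Optional[float] = None, max_skew: int = 300) -> List[str]:
    """Return the claim-level mismatches found; an empty list means the token
    is at least bound to this request and nonce (signature still unchecked)."""
    header, claims = decode_unverified(token)
    problems: List[str] = []
    if claims.get("nonce") != server_nonce:
        problems.append("nonce claim does not match server nonce")
    if claims.get("m") != method:
        problems.append("m claim does not match HTTP method")
    if claims.get("u") != host:
        problems.append("u claim does not match request host")
    if claims.get("p") != path:
        problems.append("p claim does not match request path")
    jwk = claims.get("cnf", {}).get("jwk")
    if not jwk:
        problems.append("cnf.jwk missing")
    elif header.get("kid") != jwk_thumbprint(jwk):
        problems.append("header kid is not the thumbprint of cnf.jwk")
    ts = claims.get("ts")
    now = time.time() if now is None else now
    if not isinstance(ts, (int, float)) or abs(now - ts) > max_skew:
        problems.append("ts claim missing or outside allowed skew")
    if "at" not in claims:
        problems.append("inner access token (at) missing")
    return problems


def make_sample_shr(nonce: str, ts: int, kid: Optional[str] = None) -> str:
    """Construct a dummy SHR for demonstration. The modulus and the signature
    are placeholder bytes, not a real key or a real RS256 signature."""
    jwk = {"kty": "RSA", "e": "AQAB", "n": b64url_encode(b"constructed-modulus")}
    header = {"alg": "RS256", "typ": "JWT",
              "kid": kid if kid is not None else jwk_thumbprint(jwk)}
    payload = {"at": "constructed.inner.accesstoken", "ts": ts, "m": "GET",
               "u": "graph.microsoft.com", "p": "/v1.0/me",
               "nonce": nonce, "cnf": {"jwk": jwk}}

    def enc(d: dict) -> str:
        return b64url_encode(json.dumps(d, separators=(",", ":")).encode())

    return f"{enc(header)}.{enc(payload)}.{b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Constructed challenge standing in for Graph's 401 response header.
    nonce = parse_server_nonce('PoP nonce="abc123", realm=""')
    good = make_sample_shr(nonce, int(time.time()))
    stale = make_sample_shr("nonce-from-an-earlier-challenge", int(time.time()))
    print(check_shr(good, nonce, "GET", "graph.microsoft.com", "/v1.0/me"))
    print(check_shr(stale, nonce, "GET", "graph.microsoft.com", "/v1.0/me"))
```

To use this on a real failure, take the nonce from the 401 that preceded the PoP request and the token the broker returned, and run `check_shr` with the method, host and path of the request that was actually sent; a mismatch in any of these is a cheaper explanation than a broken signature.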
Looks like MSAL Python and mac broker got you a token back, but somehow MS Graph did not accept that token. Assigning to @fengga for investigation.
It worked on Windows broker. So please take a look. :)
Hi @pvaneck, I just tested on my mac, https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8 will succeed, everything looks good on my machine.
Can you check if you get tokens from mac broker by calling app.acquire_token_interactive()?
@fengga I do get a PoP token, and comparing the tokens I get on Windows versus Mac on jwt.ms, the structure and contents are pretty similar. Are there any other dependencies that are used for signing that I should check? I am on an M3 Pro Mac with macOS 15.0.1 with Python 3.12.7.
- openssl: 3.3.2
- cryptography: 43.0.1
- PyJWT: 2.9.0