microsoft-identity-web
NullReferenceException is thrown when using DefaultTokenAcquisitionHost and trying to acquire a token
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
2.13.3
Web app
Sign-in users
Web API
Protected web APIs (validating tokens)
Token cache serialization
In-memory caches
Description
NRE thrown in the pasted stack. The issue is that the DefaultTokenAcquisitionHost returns a null redirect URI but MSAL assumes that it's not null.
Reproduction steps
Create console app
Call downstream API
Error message
System.NullReferenceException
HResult=0x80004003
Message=Object reference not set to an instance of an object.
Source=Microsoft.Identity.Web.TokenAcquisition
StackTrace:
at Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal() in /_/src/Microsoft.Identity.Web.TokenAcquisition/MergedOptions.cs:line 452
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(MergedOptions mergedOptions) in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 580
at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication(MergedOptions mergedOptions) in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 566
at Microsoft.Identity.Web.TokenAcquisition.<GetAuthenticationResultForUserAsync>d__14.MoveNext() in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 235
This exception was originally thrown at this call stack:
Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal() in MergedOptions.cs
Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(Microsoft.Identity.Web.MergedOptions) in TokenAcquisition.cs
Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication(Microsoft.Identity.Web.MergedOptions) in TokenAcquisition.cs
Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(System.Collections.Generic.IEnumerable<string>, string, string, string, System.Security.Claims.ClaimsPrincipal, Microsoft.Identity.Web.TokenAcquisitionOptions) in TokenAcquisition.cs
Id Web logs
No response
Relevant code snippets
Run ConsoleApp2 on MISE repo
Regression
Id Web 2.13.3
Expected behavior
Token is acquired.
@MZOLN Do you have everything in the appsettings.json? Is the authority, instance, etc... all present?
Those are the settings:
{
  "AzureAd": {
    //"Instance": "https://login.microsoftonline.com/",
    //"ClientId": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc",
    //"TenantId": "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab",
    //"Audience": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc",
    "Instance": "https://login.microsoftonline.com/",
    "ClientId": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc", // your client Id, e.g. a4c2469b-cf84-4145-8f5f-cb7bacf814bc
    "TenantId": "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab", // your tenant id, e.g. 7f58f645-c190-4ce5-9de4-e2b7acd2a6ab
    "ShowPII": true,
    "MinimumDataClassificationCategory": "SystemMetadata",
    "Logging": { "LogLevel": "Warning" },
    "Modules": {
      "TrV2": { "ModuleType": "TrV2Module", "Enabled": true }
    }
  },
....
DownstreamApi:
.....
"me": {
"BaseUrl": "https://graph.microsoft.com/v1.0",
"RelativePath": "/me",
"Scopes": [ "user.read" ],
"AcquireTokenOptions": {
"AuthenticationOptionsName": "S2SAuthentication"
}
Is anything missing?
I encounter the same issue with 2.13.3. It's working in 2.13.2. Haven't found the time to further debug it, just switched back to 2.13.2.
Short Stack Trace:
System.NullReferenceException:
at Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae)
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae)
at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae)
at Microsoft.Identity.Web.TokenAcquisition+<GetAccessTokenForAppAsync>d__17.MoveNext (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
@Jan1503 : Marcin's error was with his code (he forgot to configure the MicrosoftIdentityApplicationOptions). How did you configure your application?
Do you use AddMicrosoftWebApp or AddMicrosoftWebApi? Do you configure the MicrosoftIdentityApplicationOptions passing-in an authentication scheme?
@jmprieur : Here's my auth-config:
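using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

public static IServiceCollection AddDefaultAuthentication(this IServiceCollection services,
    IConfigurationSection azureAdConfigurationSection)
{
    ArgumentNullException.ThrowIfNull(azureAdConfigurationSection);

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApi(jwt =>
        {
            // Includes PII in IdentityModel log and exception messages.
            IdentityModelEventSource.ShowPII = true;

            // Bind the AzureAd section to read TenantId and ClientId.
            var opt = new MicrosoftIdentityOptions();
            azureAdConfigurationSection.Bind(opt);

            jwt.Authority = $"https://sts.windows.net/{opt.TenantId}/v2.0";
            jwt.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = $"https://sts.windows.net/{opt.TenantId}",
                // Accept both the bare client id and its api:// form as audience.
                ValidAudiences = new List<string>
                {
                    opt.ClientId!,
                    $"api://{opt.ClientId}"
                }
            };
            jwt.Events = new JwtBearerEvents
            {
                // No-op handler: authentication failures are not logged here.
                OnAuthenticationFailed = ctx => Task.CompletedTask
            };
        }, azureAdConfigurationSection.Bind)
        .EnableTokenAcquisitionToCallDownstreamApi(options => { })
        .AddInMemoryTokenCaches();

    return services;
}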
@Jan1503 this should be fixed in 2.15.0 that is going to release tomorrow
Still not fixed apparently. I'm having this issue with the daemon_console sample from https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph
I was following this Quickstart guide: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-console-app-netcore-acquire-token