Failed to Update AuthenticationEventListeners
### Describe the bug
I am trying to update an existing AuthenticationEventListeners, but it fails with "The request body is null or in bad format"
https://learn.microsoft.com/en-us/graph/api/authenticationeventlistener-update?view=graph-rest-1.0&tabs=http
I tried it with the SDK and with PowerShell; both give the same result.
### Expected behavior
Changed properties such as "includeApplications" are updated and a 204 No Content is returned
### How to reproduce
- Create an AuthenticationListener of type "OnTokenIssuanceStartListener", remember the Id
- Add a new element in "IncludeApplications" or remove one.
- Update the AuthenticationListener -> Error
```
{
  "error": {
    "code": "AADB2C",
    "message": "The request body is null or in bad format",
    "innerError": {
      "correlationId": "445b097f-0624-4337-b894-b67cd1bff6cf",
      "date": "2024-09-11T06:29:22",
      "request-id": "923ef88e-31f2-43e2-a0c0-5d6ab4565f33",
      "client-request-id": "af19381d-d121-4659-9d40-f41ba2f40c1f"
    }
  }
}
```
### SDK Version
5.56.0
### Latest version known to work for scenario above?
No response
### Known Workarounds
- Delete the listener first and then Create it
### Debug output
```
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: PATCH
Absolute Uri: https://graph.microsoft.com/v1.0/identity/authenticationEventListeners/d8df43ad-673f-46ee-ac9b-e3454680c52d
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.19045; en-US),PowerShell/7.4.5
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.23.0
client-request-id : af19381d-d121-4659-9d40-f41ba2f40c1f
Body:
{
  "@odata.type": "#microsoft.graph.onTokenIssuanceStartListener",
  "conditions": {
    "applications": {
      "includeApplications": [
        { "appId": "d702e2dc-6763-4422-a87b-4beb0f2b2e16" }
      ]
    }
  }
}

DEBUG: ============================ HTTP RESPONSE ============================
Status Code: BadRequest
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 923ef88e-31f2-43e2-a0c0-5d6ab4565f33
client-request-id : af19381d-d121-4659-9d40-f41ba2f40c1f
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ZRH2EPF000000E0"}}
Date : Wed, 11 Sep 2024 06:29:21 GMT
Body:
{
  "error": {
    "code": "AADB2C",
    "message": "The request body is null or in bad format",
    "innerError": {
      "correlationId": "445b097f-0624-4337-b894-b67cd1bff6cf",
      "date": "2024-09-11T06:29:22",
      "request-id": "923ef88e-31f2-43e2-a0c0-5d6ab4565f33",
      "client-request-id": "af19381d-d121-4659-9d40-f41ba2f40c1f"
    }
  }
}
```
### Configuration
- OS: Windows 10
- Architecture: x64
### Other information
_No response_
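
The delete-then-create workaround listed under Known Workarounds, written out as an added example (not code from the report or from the SDK). `ListenerWorkaround`, its method names and the `customExtensionId` parameter are hypothetical; only SDK types and calls that appear in this thread, plus `GetAsync` and `DeleteAsync`, are used. Between the delete and the create no listener is registered for the applications, so the helper restores the previous application list if the create fails.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Hypothetical helper, not part of the SDK.
internal static class ListenerWorkaround
{
    // Replaces the listener instead of PATCHing it; the returned listener has a new Id.
    public static async Task<AuthenticationEventListener> ReplaceIncludeApplicationsAsync(
        GraphServiceClient graph, string listenerId, string customExtensionId,
        IReadOnlyCollection<string> appIds)
    {
        var listeners = graph.Identity.AuthenticationEventListeners;

        // Read the current application list first so it can be restored on failure.
        var current = await listeners[listenerId].GetAsync()
            ?? throw new InvalidOperationException($"Listener {listenerId} not found.");
        var previousAppIds = current.Conditions?.Applications?.IncludeApplications?
            .Select(a => a.AppId!).ToList() ?? new List<string>();

        // From here until a create succeeds, no listener exists for these applications.
        await listeners[listenerId].DeleteAsync();
        try
        {
            return (await listeners.PostAsync(Build(customExtensionId, appIds)))!;
        }
        catch (Exception)
        {
            // Re-register the old application list rather than leaving nothing in place,
            // then surface the original failure to the caller.
            await listeners.PostAsync(Build(customExtensionId, previousAppIds));
            throw;
        }
    }

    private static OnTokenIssuanceStartListener Build(string customExtensionId, IEnumerable<string> appIds) => new()
    {
        Handler = new OnTokenIssuanceStartCustomExtensionHandler { CustomExtension = new() { Id = customExtensionId } },
        Conditions = new AuthenticationConditions
        {
            Applications = new AuthenticationConditionsApplications
            {
                IncludeApplications = appIds
                    .Select(id => new AuthenticationConditionApplication { AppId = id }).ToList()
            }
        }
    };
}
```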
Hello @cmenzi, thanks for using the SDK and for reporting this.
To help isolate and reproduce the issue, mind sharing a snippet of your payload and the call?
@shemogumbe
```csharp
namespace ConsoleApp
{
    using System.Threading.Tasks;
    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;

    internal class Program
    {
        static async Task Main(string[] args)
        {
            await ReproduceBug();
        }

        private static async Task ReproduceBug()
        {
            var customAuthenticationExtensionUrl = "https://my.example.com/token-start";
            var identifierUri = "api://my.example.com/c98fd4a0-0ed3-4966-9fd7-3335864dfdc5";
            var appIdToInclude = "c98fd4a0-0ed3-4966-9fd7-3335864dfdc5";
            var tenantId = "3bb8aeaa-c72a-4b35-96d0-542fb05c0ccf";
            var clientId = "f6aef772-6164-433f-a523-384c673d65ff";
            var clientSecret = "StrongSecret";

            // NOTE: client has the following Application permissions:
            //
            // "Policy.Read.All",
            // "Policy.ReadWrite.ApplicationConfiguration"
            // "CustomAuthenticationExtension.ReadWrite.All",
            // "EventListener.ReadWrite.All"
            var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var graphServiceClient = new GraphServiceClient(clientSecretCredential);

            CustomAuthenticationExtension onTokenIssuanceStartCustomExtension = new OnTokenIssuanceStartCustomExtension
            {
                DisplayName = "TokenIssueStart",
                Description = "",
                EndpointConfiguration = new HttpRequestEndpoint
                {
                    TargetUrl = customAuthenticationExtensionUrl
                },
                AuthenticationConfiguration = new AzureAdTokenAuthentication
                {
                    ResourceId = identifierUri
                },
                ClientConfiguration = new()
                {
                    MaximumRetries = 1,
                    TimeoutInMilliseconds = 2000
                },
                ClaimsForTokenConfiguration = [
                    new OnTokenIssuanceStartReturnClaim { ClaimIdInApiResponse = "myClaim" }
                ]
            };

            onTokenIssuanceStartCustomExtension = (await graphServiceClient.Identity.CustomAuthenticationExtensions
                .PostAsync(onTokenIssuanceStartCustomExtension))!;

            AuthenticationEventListener authenticationEventListener = new OnTokenIssuanceStartListener
            {
                Handler = new OnTokenIssuanceStartCustomExtensionHandler
                {
                    CustomExtension = new() { Id = onTokenIssuanceStartCustomExtension.Id }
                },
                Conditions = new AuthenticationConditions
                {
                    Applications = new AuthenticationConditionsApplications
                    {
                        IncludeApplications = [
                            new AuthenticationConditionApplication { AppId = appIdToInclude }
                        ]
                    }
                }
            };

            authenticationEventListener = (await graphServiceClient.Identity.AuthenticationEventListeners
                .PostAsync(authenticationEventListener))!;

            // Everything above works.
            // Here the issue:
            var appIdToInclude2 = "d000feef-25fb-4639-8b8c-737ac4d6a37d";
            AuthenticationEventListener authenticationEventListenerPatch = new OnTokenIssuanceStartListener
            {
                Conditions = new AuthenticationConditions
                {
                    Applications = new AuthenticationConditionsApplications
                    {
                        IncludeApplications = [
                            new AuthenticationConditionApplication { AppId = appIdToInclude },
                            new AuthenticationConditionApplication { AppId = appIdToInclude2 }
                        ]
                    }
                }
            };

            // BAM: Exception
            await graphServiceClient.Identity.AuthenticationEventListeners[authenticationEventListener.Id]
                .PatchAsync(authenticationEventListenerPatch);
        }
    }
}
```
@shemogumbe Any updates? Needs author feedback is done
@darrelmiller @baywet
Could you please take a look at this or give it a small push? There is no reaction at all.
Sorry about the delay here, Shem had to take a personal leave.
Since this is failing for both PowerShell and dotnet SDK, it's unlikely it's a client side issue. Can you try crafting the request in Graph Explorer (make sure you're signed in with your tenant)?
If the request also fails there, this most likely indicates a problem with the service, and the best next step will be to open a support ticket to get the service team's attention.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.