The Wayback Machine - https://web.archive.org/web/20220417053823/https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/223

Acquiring token silently with account set to None fails in Azure Government #223

Closed
marlonsingleton opened this issue Jul 6, 2020 · 7 comments
@marlonsingleton marlonsingleton commented Jul 6, 2020

Describe the bug
A clear and concise description of what the bug is.

UPDATE by Ray: There is also an internal issue created here, which is currently under investigation by our service side team.

To Reproduce
Steps to reproduce the behavior:

  1. Go to our off-the-shelf samples and pick one that is closest to your usage scenario. You should not need to modify the sample.
  2. Follow the description of the sample, typically at the beginning of it, to prepare a config.json containing your test configurations
  3. Run such sample, typically by python sample.py config.json
  4. See the error
  5. In this bug report, tell us the sample you choose, paste the content of the config.json with your test setup (which you can choose to skip your credentials, and/or mail it to our developer's email).
```python
import msal
import os
import sys
from pprint import pprint

# Azure Government (MAG) Graph scope
SCOPES = ["https://graph.microsoft.us/.default"]

app = msal.ConfidentialClientApplication(
    client_id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",  # placeholder app id
    client_credential=os.environ['CLIENT_SECRET'],   # secret read from the environment
    authority='https://login.microsoftonline.us/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',  # placeholder tenant
)

# Try the cache first (account=None for the client-credential flow), then fall back to a fresh token
result = app.acquire_token_silent(scopes=SCOPES, account=None)
if not result:
    result = app.acquire_token_for_client(scopes=SCOPES)

if 'access_token' not in result:
    msg = "Could not acquire Azure access token: {error}: {descr}".format(
        error=result.get('error'),
        descr=result.get('error_description'),
    )
    pprint(msg)
    sys.exit(1)

pprint("Finished")
pprint(result)
```

Expected behavior

```python
# result should equal None, evaluate the if statement, then acquire a token for the client
# works as expected in Azure Public cloud

result = app.acquire_token_silent(scopes=SCOPES, account=None)
if not result:
    result = app.acquire_token_for_client(scopes=SCOPES)
```

What you see instead

Traceback starts with:
 httplib_response = self._make_request(

Traceback ends with:
(Caused by SSLError(SSLCertVerificationError("hostname 'login.usgovcloudapi.net' doesn't match either of 'graph.aadg.microsoftonline.us', '*.b2clogin.us'")))

The MSAL Python version you are using
Paste the output of this
python -c "import msal; print(msal.__version__)"
MSAL version '1.4.1'

Additional context
Add any other context about the problem here.

```python
# This returns a token without issue

# result = app.acquire_token_silent(scopes=SCOPES, account=None)
# if not result:
result = app.acquire_token_for_client(scopes=SCOPES)
```
@rayluo rayluo commented Jul 6, 2020

Thanks for following our issue template, @marlonsingleton !

Your code snippet happened to supply a list for the client_credential, it should really be a string. But perhaps that was just your typo when drafting this bug report? If you haven't already, please run this out-of-box confidential client sample to reproduce it, just to be sure.

> Traceback starts with:
>
>  httplib_response = self._make_request(
>
> Traceback ends with:
>
> (Caused by SSLError(SSLCertVerificationError(
> "hostname 'login.usgovcloudapi.net' doesn't match either of
> 'graph.aadg.microsoftonline.us', '*.b2clogin.us'")))

Perhaps you can send us your full error trace (which would typically contain only script file names and line numbers, but no other sensitive info) to understand what happened. That starting (?) line httplib_response = self._make_request( does not even seem to exist inside this MSAL library's code base. We assume there would be some other activities before that.

Regardless, the ending error SSLError(SSLCertVerificationError sounds like a cert validation issue. I'll loop in my colleague @abhidnya13 who has more hands-on experience in this area than me.

@abhidnya13 abhidnya13 commented Jul 6, 2020

I tried to reproduce this error and was able to get it reproduced. What I found out is, in the acquire_token_silent call, the step where authority aliasing is performed, there is an alias returned for login.microsoftonline.us which is https://login.usgovcloudapi.net. The reason why this error is returned is because the open-id config call for this endpoint fails because it expects a certain cert to be installed on your machine as @rayluo mentioned a possible cert validation issue. So, temporarily, I was able to get it working by initializing the application with verify=False but we will still have to investigate the cause for this cert error. Looking into it right now, will keep you guys posted here.

@rayluo rayluo added the question label Jul 7, 2020
@abhidnya13 abhidnya13 commented Jul 7, 2020

After investigating, it looks like there is an SSL validation failure from the https://login.usgovcloudapi.net endpoint. Service team to investigate the issue.

@coverprice coverprice commented Jul 7, 2020

MAG customer who filed the original bug report with MAG support here.

> Your code snippet happened to supply a list for the client_credential, it should really be a string. But perhaps that was just your typo when drafting this bug report?

Confirmed, that was a typo from my original repro code. The original was os.environ['CLIENT_SECRET'].

And to confirm, I am also seeing the TLS validation failure. The requests call attempts to connect to login.microsoftonline.us, but the certificate returned by the server is for graph.aadg.microsoftonline.us, so TLS validation fails.

@marlonsingleton marlonsingleton commented Jul 7, 2020

@abhidnya13 thanks! I was also able to repro before posting this issue. Any thoughts why acquire_token_for_client(scopes=SCOPES) returns a bearer token?

@abhidnya13 abhidnya13 commented Jul 7, 2020

@marlonsingleton acquire_token_silent(...) performs authority aliasing, which basically means it tries to see if there is a token in the cache for the input authority and, if we can't find one using the input authority, all its authority aliases are used to search for a token. In the case of login.microsoftonline.us the server returns the alias login.usgovcloudapi.net, and so when this authority is initialized, it does network calls at which the SSL validation failure happens. This type of aliasing is not done for acquire_token_for_client() scenarios, and so the token is successfully returned.

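An added illustration (not MSAL's own code) of the alias-based cache lookup described above, showing the failure mode from this thread handled by falling back to the input authority while TLS verification stays on. The metadata table, cache layout and fetch callbacks are constructed assumptions, not the real instance-discovery format.

```python
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Constructed alias table standing in for instance-discovery metadata
# (assumed shape for illustration only).
INSTANCE_METADATA: Dict[str, List[str]] = {
    "login.microsoftonline.us": ["login.microsoftonline.us", "login.usgovcloudapi.net"],
    "login.microsoftonline.com": ["login.microsoftonline.com", "login.windows.net"],
}

# Constructed token cache keyed by (environment host, scope); the entry
# was stored under the alias host, so a lookup by the input host alone misses it.
TOKEN_CACHE: Dict[Tuple[str, str], str] = {
    ("login.usgovcloudapi.net", "https://graph.microsoft.us/.default"): "constructed-access-token",
}

Fetcher = Callable[[str], List[str]]


def discover_aliases(host: str, fetch: Fetcher) -> List[str]:
    """Return the alias hosts for `host`.

    If discovery fails with a certificate verification error (the situation in
    this issue), degrade to searching only the input host instead of raising
    or turning verification off.
    """
    try:
        return fetch(host)
    except ssl.SSLCertVerificationError:
        return [host]


def find_cached_token(authority_host: str, scope: str, fetch: Fetcher) -> Optional[str]:
    """Search the cache under the input host first, then under each alias."""
    for host in discover_aliases(authority_host, fetch):
        token = TOKEN_CACHE.get((host, scope))
        if token:
            return token
    return None


def healthy_fetch(host: str) -> List[str]:
    """Simulated discovery that answers from the constructed table."""
    return INSTANCE_METADATA.get(host, [host])


def failing_fetch(host: str) -> List[str]:
    """Simulated discovery whose TLS handshake fails hostname verification."""
    raise ssl.SSLCertVerificationError("hostname mismatch (constructed failure)")
```

With a working discovery the token stored under the alias is found; when discovery fails the lookup returns None cleanly, and the caller falls through to acquire_token_for_client() as in the reporter's script.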
@rayluo rayluo commented Jul 23, 2020

Closing notes: This was triggered by multiple reasons combined. Now a workaround has been shipped in MSAL Python 1.4.2.

@rayluo rayluo closed this Jul 23, 2020
MSAL Python Board automation moved this from In progress to Done Jul 23, 2020