Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Improve logging and error message when the web api receives claim challenge #4496

Closed
bgavrilMS opened this issue Jan 11, 2024 · 0 comments · Fixed by #4628
Closed

[Bug] Improve logging and error message when the web api receives claim challenge #4496

bgavrilMS opened this issue Jan 11, 2024 · 0 comments · Fixed by #4628
Assignees
@trwalke
Labels
bug confidential-client P2 public-client Supportability
Milestone
4.60.0

Comments

@bgavrilMS
Copy link
Member

Library version used

4.58.0

.NET version

all

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

None

Issue description and reproduction steps

Better logs and error message is needed to guide app developers to implement OBO correctly when it comes to claims challenges, MFA etc. Note that exception messages are not logged by default, so please treat this case.

See https://portal.microsofticm.com/imp/v3/incidents/incident/457725369/summary for confused app developers

I propose changes as follows:

  1. If error code is invalid_grant and Claims are present and this is an OBO flow If response contains Claims, log and throw non-pii exception with clear message to https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/on-behalf-of-flow#handling-multi-factor-auth-mfa-conditional-access-and-incremental-consent
  2. If it's not an OBO flow but Claims are present, add a helper message and a link to https://learn.microsoft.com/en-us/entra/msal/dotnet/advanced/exceptions/msal-error-handling#conditional-access-and-claims-challenges

Alternative: create an MsalClaimsChallengeException that derives from MsalUiRequiredException to make it more clear that Claims are present.

CC @localden @neha-bhargava

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
@bgavrilMS bgavrilMS added untriaged Do not delete. Needed for Automation needs attention Delete label after triage bug P2 Supportability confidential-client public-client and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels Jan 11, 2024
@bgavrilMS bgavrilMS moved this from Committed to Committed High Priority in MSAL Customer Trust / QM Jan 11, 2024
@trwalke trwalke self-assigned this Jan 23, 2024
@trwalke trwalke moved this from Committed High Priority to In Progress in MSAL Customer Trust / QM Jan 24, 2024
@trwalke trwalke mentioned this issue Jan 24, 2024
Closed
1 task
@trwalke trwalke linked a pull request Jan 24, 2024 that will close this issue
Adding Claims challenge exception and error messages #4571
Closed
1 task
@trwalke trwalke moved this from In Progress to Waiting for Code Review in MSAL Customer Trust / QM Jan 31, 2024
@trwalke trwalke removed a link to a pull request Feb 15, 2024
Adding Claims challenge exception and error messages #4571
Closed
1 task
@trwalke trwalke linked a pull request Feb 15, 2024 that will close this issue
Trwalke/claims challenge error update #4628
Merged
@github-project-automation github-project-automation bot moved this from Waiting for Code Review to Done in MSAL Customer Trust / QM Feb 21, 2024
@trwalke trwalke added this to the 4.60.0 milestone Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@trwalke trwalke

Labels
bug confidential-client P2 public-client Supportability
Projects
MSAL Customer Trust / QM
Archived in project
Milestone
4.60.0
2 participants
@bgavrilMS @trwalke