[Bug] Discovery flow changes AAD Authority URL from login.partner.microsoftonline.cn to public cloud endpoint #816

Open
yihezkel opened this issue May 8, 2024 · 0 comments
Labels
Bug Something isn't working, needs an investigation and a fix confidential-client For issues related to confidential client apps P2 Normal priority items, should be done after P1 public-client For questions/issues related to public client apps

Comments

yihezkel commented May 8, 2024

Library version used

1.15.0

Java version

8

Scenario

ConfidentialClient - service to service (AcquireTokenForClient)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

A user in MoonCake is getting an error with our SDK when it reaches MSAL’s validation that the authority URL is in the TRUSTED_HOSTS_SET allow-list. The issue is that we map the user’s destination URL to https://login.partner.microsoftonline.cn, whereas TRUSTED_HOSTS_SET only allows https://login.chinacloudapi.cn for MoonCake. I looked at various docs and code throughout Azure products, and though it seems the URL you use is more common, it seems the other URL is valid as well. Further supporting that they’re both valid, my understanding is https://login.partner.microsoftonline.cn was used as an alias for https://login.chinacloudapi.cn, and the discovery endpoint (/common/.well-known/openid-configuration) for both resolve to identical configurations, other than the hostname aliases.

No error is thrown. Instead, the default AAD authority URL (login.microsoftonline.com) is returned, which our ADX SDK code then unsuccessfully tries to use for the customer’s MoonCake cluster.

We therefore request support be added for the other URL as well.

Issue is present in v1.9.0, v1.13.10 and v1.15.0

[screenshot attached to the original issue]

Relevant code snippets

No response

Expected behavior

AAD authority URL https://login.partner.microsoftonline.cn should be in the allow-list, so that when it's passed in, it's returned back.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@yihezkel yihezkel added needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template labels May 8, 2024
@Avery-Dunn Avery-Dunn added Bug Something isn't working, needs an investigation and a fix P2 Normal priority items, should be done after P1 and removed needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template labels May 8, 2024
@bgavrilMS bgavrilMS added public-client For questions/issues related to public client apps confidential-client For issues related to confidential client apps labels May 9, 2024
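The two behaviours the issue contrasts, as an added example that is not MSAL4J code: a naive allow-list that silently falls back to the public-cloud authority when it does not recognise a host, next to a fail-closed version that accepts the partner host because its canonical host is allow-listed, keeps the caller's configured host in the result, and raises for anything else. It also includes the check the issue's reasoning relies on: two openid-configuration documents are "identical other than the hostname aliases" once aliased hosts are canonicalised. Assumptions: the allow-list contents (only the two hosts named in the issue), the alias table, the function names, and the trimmed sample discovery documents are all constructed for illustration.

```python
"""Fail-closed authority-host validation for Entra ID authority URLs.

Added example for the issue above; not MSAL4J code. Host names are the ones
named in the issue; the allow-list, alias table and sample discovery documents
are constructed for illustration only.
"""
from urllib.parse import urlsplit, urlunsplit

PUBLIC_CLOUD_HOST = "login.microsoftonline.com"

# Allow-list of authority hosts. Assumed: a subset of what MSAL's
# TRUSTED_HOSTS_SET holds; only hosts named in the issue appear here.
TRUSTED_HOSTS = {PUBLIC_CLOUD_HOST, "login.chinacloudapi.cn"}

# Alias host -> canonical host. Assumed from the issue: the partner host is an
# alias of the China-cloud host and serves the same configuration.
HOST_ALIASES = {"login.partner.microsoftonline.cn": "login.chinacloudapi.cn"}


class UntrustedAuthorityError(ValueError):
    """Raised when an authority URL does not pass the allow-list check."""


def parse_authority(authority_url):
    """Return (host, path) or raise. Only https is accepted; userinfo and an
    explicit port are rejected so that inputs such as
    "https://login.chinacloudapi.cn@evil.invalid/" cannot pass a naive check."""
    parts = urlsplit(authority_url)
    if parts.scheme != "https":
        raise UntrustedAuthorityError("authority must use https: %r" % authority_url)
    try:
        port = parts.port
    except ValueError:
        raise UntrustedAuthorityError("malformed port in authority: %r" % authority_url)
    if parts.username is not None or parts.password is not None or port is not None:
        raise UntrustedAuthorityError("userinfo/port not allowed: %r" % authority_url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host:
        raise UntrustedAuthorityError("authority has no host: %r" % authority_url)
    return host, parts.path or "/"


def resolve_authority_fail_open(authority_url):
    """The behaviour the issue reports, kept only for contrast: an unknown
    host is silently replaced by the public-cloud authority, so the caller
    never learns that its configured authority was dropped."""
    host, path = parse_authority(authority_url)
    if HOST_ALIASES.get(host, host) not in TRUSTED_HOSTS:
        host = PUBLIC_CLOUD_HOST
    return "https://%s%s" % (host, path)


def resolve_authority(authority_url):
    """Fail-closed variant: an alias is accepted because its canonical host is
    allow-listed, the caller's own host name is preserved in the result, and
    anything else raises instead of being rewritten to a different cloud."""
    host, path = parse_authority(authority_url)
    if HOST_ALIASES.get(host, host) not in TRUSTED_HOSTS:
        raise UntrustedAuthorityError("authority host %r is not allow-listed" % host)
    return "https://%s%s" % (host, path)


def is_trusted_authority(authority_url):
    """Boolean wrapper around resolve_authority()."""
    try:
        resolve_authority(authority_url)
    except UntrustedAuthorityError:
        return False
    return True


def _canonicalise_urls(value):
    """Rewrite aliased hosts to canonical ones in every https URL inside a
    JSON-like value (the netloc is replaced by the bare canonical host)."""
    if isinstance(value, str) and value.startswith("https://"):
        parts = urlsplit(value)
        host = parts.hostname or ""
        return urlunsplit((parts.scheme, HOST_ALIASES.get(host, host),
                           parts.path, parts.query, parts.fragment))
    if isinstance(value, list):
        return [_canonicalise_urls(v) for v in value]
    if isinstance(value, dict):
        return {k: _canonicalise_urls(v) for k, v in value.items()}
    return value


def same_configuration_modulo_alias(doc_a, doc_b):
    """True when two openid-configuration documents are identical once aliased
    hosts are canonicalised, which is the property the issue relies on."""
    return _canonicalise_urls(doc_a) == _canonicalise_urls(doc_b)


# Constructed, trimmed sample discovery documents (not real responses).
DISCOVERY_CANONICAL = {
    "issuer": "https://login.chinacloudapi.cn/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.chinacloudapi.cn/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.chinacloudapi.cn/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.chinacloudapi.cn/common/discovery/v2.0/keys",
}
DISCOVERY_ALIAS = {
    k: v.replace("login.chinacloudapi.cn", "login.partner.microsoftonline.cn")
    for k, v in DISCOVERY_CANONICAL.items()
}
```

The design choice worth noting is that `resolve_authority()` validates on the canonical host but returns the host the caller configured, which is the "passed in, returned back" behaviour the issue asks for; a library that instead substitutes a default authority on a miss hands the caller a different cloud's endpoint without any error, which is what the reporter's SDK then tried to use against a MoonCake cluster.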

3 participants