[Bug] Original AADSTS error is hidden by WAM #698

Open
jiasli opened this issue May 9, 2024 · 7 comments
@jiasli
Contributor

jiasli commented May 9, 2024

Describe the bug
Original AADSTS error is hidden by WAM.

To Reproduce
Steps to reproduce the behavior:

With the browser-based flow, the AADSTS error is shown, which contains a detailed message explaining what happened:

> az config set core.enable_broker_on_windows=false

> az login --scope https://graph.microsoft.com/User.ReadWrite
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 63016864-b8bc-471b-ab7e-0d7905808d00 Correlation ID: 6dcd284f-5691-4e77-a342-29f87f82d0d6 Timestamp: 2024-05-09 07:56:22Z

However, when WAM is used, the original AADSTS error is hidden, leaving a less informative error message:

> az config set core.enable_broker_on_windows=true

> az login --scope https://graph.microsoft.com/User.ReadWrite
Please select the account you want to log in with.
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643

Expected behavior
WAM should expose the original AADSTS error.

What you see instead
A rephrased, less informative error message.

The MSAL Python version you are using
1.28.0

@jiasli
Contributor Author

jiasli commented May 9, 2024

This is the raw result returned by acquire_token_interactive() (reformatted):

{
    'error': 'broker_error', 
    'error_description': '(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643', 
    'msal_telemetry': '{
        "msalruntime_telemetry": {
            "additional_query_parameters_count": "2",
            "all_error_tags": "7q6cl",
            "api_error_code": "3399614466",
            "api_error_context": "(pii)",
            "api_error_tag": "7q6cl",
            "api_name": "SignInInteractively",
            "api_status_code": "StatusInternal::IncorrectConfiguration",
            "auth_flow": "Broker",
            "authority_type": "Unknown",
            "authorization_type": "Interactive",
            "broker_app_used": "true",
            "client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
            "correlation_id": "45212dc2-d3be-4b17-b6df-cbcd6300adae",
            "is_successful": "false",
            "msal_version": "1.1.0+local",
            "msalruntime_version": "0.14.2-alpha1",
            "original_authority": "https://login.microsoftonline.com/organizations",
            "read_token_last_error": "missing required parameter",
            "request_duration": "3513",
            "request_eligible_for_broker": "true",
            "start_time": "2024-05-09T11:04:16.000Z",
            "stop_time": "2024-05-09T11:04:20.000Z",
            "ui_event_count": "1",
            "was_request_throttled": "false"
        },
        "msal_python_telemetry": null
    }'
}
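As an added example (not code from MSAL Python, MSAL Runtime or this issue), the following helper shows how a client such as a CLI could triage the two result shapes quoted above: the broker result, whose `error_description` is redacted to `(pii)` but still carries a status, a numeric error code, a tag and a JSON-encoded `msal_telemetry` string with the correlation id, and the browser-flow result, whose `error_description` carries the AADSTS text. The sample dicts are constructed from the values on this page (the `invalid_grant` error name for the browser case is an assumption, since the issue shows only the message text); the helper only reads the dict and does not call MSAL.

```python
import json
import re
from typing import Any, Dict

# Constructed from the WAM output quoted in this issue. MSAL returns
# "msal_telemetry" as a JSON string, so it is encoded here the same way.
BROKER_RESULT: Dict[str, Any] = {
    "error": "broker_error",
    "error_description": (
        "(pii). Status: Response_Status.Status_IncorrectConfiguration, "
        "Error code: 3399614466, Tag: 557973643"
    ),
    "msal_telemetry": json.dumps({
        "msalruntime_telemetry": {
            "api_error_code": "3399614466",
            "api_error_context": "(pii)",
            "api_error_tag": "7q6cl",
            "api_name": "SignInInteractively",
            "api_status_code": "StatusInternal::IncorrectConfiguration",
            "correlation_id": "45212dc2-d3be-4b17-b6df-cbcd6300adae",
            "is_successful": "false",
        },
        "msal_python_telemetry": None,
    }),
}

# Constructed from the browser-flow output quoted in this issue; the
# "error" value is assumed, the description text is from the page.
BROWSER_RESULT: Dict[str, Any] = {
    "error": "invalid_grant",
    "error_description": (
        "AADSTS65002: Consent between first party application "
        "'04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource "
        "'00000003-0000-0000-c000-000000000000' must be configured via "
        "preauthorization. Trace ID: 63016864-b8bc-471b-ab7e-0d7905808d00 "
        "Correlation ID: 6dcd284f-5691-4e77-a342-29f87f82d0d6"
    ),
}

_BROKER_DESC = re.compile(
    r"Status:\s*(?P<status>[^,]+),\s*Error code:\s*(?P<code>\d+),\s*Tag:\s*(?P<tag>\d+)"
)
_AADSTS = re.compile(r"\bAADSTS\d+\b")
_CORRELATION = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")


def triage_auth_result(result: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise an MSAL result dict for a human-readable error report.

    Extracts whatever identifies the failure without needing PII logging:
    the AADSTS code when present, the broker status/code/tag when the text
    is redacted, and the correlation id from either the description or the
    msalruntime telemetry, which is what support and sign-in logs key on.
    """
    if "error" not in result:
        return {"ok": True}
    desc = result.get("error_description") or ""
    summary: Dict[str, Any] = {
        "ok": False,
        "error": result["error"],
        "broker": result["error"] == "broker_error",
        "redacted": desc.startswith("(pii)"),
        "aadsts": None, "status": None, "error_code": None,
        "error_code_hex": None, "tag": None, "correlation_id": None,
        "api_name": None, "hint": None,
    }
    if (m := _AADSTS.search(desc)):
        summary["aadsts"] = m.group(0)
    if (m := _CORRELATION.search(desc)):
        summary["correlation_id"] = m.group(1)
    if (m := _BROKER_DESC.search(desc)):
        code = int(m.group("code"))
        summary["status"] = m.group("status")
        summary["error_code"] = code
        # Hex form (0xCAA2xxxx family) is how these codes are usually cited.
        summary["error_code_hex"] = f"0x{code:08X}"
        summary["tag"] = m.group("tag")
    # msal_telemetry is a JSON string; tolerate it being absent or malformed.
    telemetry: Dict[str, Any] = {}
    raw = result.get("msal_telemetry")
    if isinstance(raw, str):
        try:
            telemetry = json.loads(raw).get("msalruntime_telemetry") or {}
        except (ValueError, AttributeError):
            telemetry = {}
    summary["api_name"] = telemetry.get("api_name")
    if telemetry.get("correlation_id"):
        summary["correlation_id"] = telemetry["correlation_id"]
    if summary["broker"] and summary["redacted"]:
        summary["hint"] = (
            "Broker redacted the AADSTS text. Look up the correlation id in the "
            "tenant's sign-in logs, or reproduce once with enable_pii_log "
            "(the opt-in flag discussed in this thread) in a controlled session."
        )
    return summary


if __name__ == "__main__":
    for r in (BROKER_RESULT, BROWSER_RESULT):
        print(json.dumps(triage_auth_result(r), indent=2))
```

The hex rendering is plain arithmetic on the decimal code from the page (3399614466 is 0xCAA20002); the helper does not claim what the code means, it only puts it in the form people search for.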

@rayluo
Collaborator

rayluo commented May 9, 2024

MsalRuntime (the component that we use to talk to WAM) shows that error only when pii logging is enabled. @jiasli you can give it a shot.

That being said, if Azure CLI ends up needing to enable pii all the time, that sounds like it defeats the purpose of having a pii flag in the first place. Perhaps we can revisit whether the AADSTS error description shall be classified as pii.

CC: @ashok672

@jiasli
Contributor Author

jiasli commented May 21, 2024

PR that introduced enable_pii_log: #590

@rayluo
Collaborator

rayluo commented May 21, 2024

> PR that introduced enable_pii_log: #590

Did that comment hint that you are satisfied with opting in via that flag, always 😱? If so, the current github issue can be closed. Otherwise, you may tag and/or assign MsalRuntime folks into this issue.

@jiasli
Contributor Author

jiasli commented Jul 19, 2024

> Did that comment hint that you are satisfied with opting in via that flag, always 😱?

No. My comment merely provides additional information.

@rayluo
Collaborator

rayluo commented Jul 20, 2024

So, to clarify, the ask here is to have MsalRuntime expose the "AADSTS xxxxx: details" even when PII is disabled. We will have @ashok672 weigh in on this topic.

@jiasli
Contributor Author

jiasli commented Jan 14, 2025

In Azure/azure-cli#30491, the customer describes the error message (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 as "strange", "obstruse" (abstruse) and "unhelpful".
