[Bug] WAM fails for MSA: AADSTS9002313: Invalid request. Request is malformed or invalid. #700

Closed
jiasli opened this issue May 13, 2024 · 5 comments
Contributor

jiasli commented May 13, 2024

Describe the bug
WAM fails for MSA (Microsoft Account): AADSTS9002313: Invalid request. Request is malformed or invalid.

To Reproduce
With enable_pii_log turned on (Azure/azure-cli#28954):

> az login
...
Failed to authenticate TENANT_ID 'TENANT_NAME' due to error '
V2Error: invalid_grant AADSTS9002313: Invalid request. Request is malformed or invalid. 
Trace ID: 02b37a52-1706-48b9-9578-bcb1c4dc0900 
Correlation ID: 2bca5c76-c7c4-4dc9-a4dc-604f1a276ccb 
Timestamp: 2024-05-13 12:47:28Z. 
Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255'

The token request for organizations is successful, but fails for a specific tenant TENANT_ID.

According to https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes, AADSTS9002313 seems to be caused by a request formatting issue on the client side:

InvalidRequest - Request is malformed or invalid. - The issue arises because there was something wrong with the request to a certain endpoint. The suggestion to this issue is to get a fiddler trace of the error occurring and looking to see if the request is properly formatted or not.

Expected behavior
WAM should succeed for MSA.

What you see instead
WAM fails for MSA.

The MSAL Python version you are using

> pip list | Select-String msal

msal                                    1.28.0
msal-extensions                         1.2.0b1
pymsalruntime                           0.14.2

Additional context
This issue may be related to AzureAD/microsoft-authentication-library-for-dotnet#4696, but the error message is different.

Contributor

fengga commented Jun 6, 2024

@jiasli, I believe the issue has been resolved. Can we mark this as done?

Collaborator

rayluo commented Jun 6, 2024

I believe the issue has been resolved. Can we mark this as done?

@fengga, was it fixed in PyMsalRuntime 0.16.2a1? @jiasli, can you test that, too?

If I can get a confirmation from either of you, this issue will be closed by/after MSAL Python's next release, which adopts PyMsalRuntime 0.16.x.

Contributor Author

jiasli commented Jun 7, 2024

@fengga, could you provide more details on the root cause and how it is fixed?

Contributor

fengga commented Jun 10, 2024

This error is returned from WAM, and our code indicates it should be resolved by making a new interactive call (we are returning Response_Status.Status_InteractionRequired). If a new interactive call cannot resolve the issue, it is an issue in our team or the WAM team.
If you were asking why we received InteractionRequired, I'd say there could be many reasons, such as not having logged in for a long time or some security considerations. If you can collect WAM logs, the WAM team can tell.
@jiasli, I remember you previously changed your logic so that when seeing Status_InteractionRequired you make a new interactive call; is that working? Are you still receiving this kind of error?
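
The handling described in the comment above, as an added example that is not part of the thread and is not MSAL's or Azure CLI's code: it parses the error text from the bug report and makes one interactive call only when the status is Status_InteractionRequired. The function names, the callables, and the MSAL-style result dict shape ("access_token" / "error_description") are assumptions made for illustration.

```python
import re

# Error text as posted in the issue above, used here as sample input.
SAMPLE = (
    "V2Error: invalid_grant AADSTS9002313: Invalid request. Request is malformed or invalid. \n"
    "Trace ID: 02b37a52-1706-48b9-9578-bcb1c4dc0900 \n"
    "Correlation ID: 2bca5c76-c7c4-4dc9-a4dc-604f1a276ccb \n"
    "Timestamp: 2024-05-13 12:47:28Z. \n"
    "Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255"
)

_FIELDS = {
    "oauth_error": r"V2Error:\s*(\w+)",
    "aadsts_code": r"\b(AADSTS\d+)\b",
    "trace_id": r"Trace ID:\s*([0-9a-fA-F-]{36})",
    "correlation_id": r"Correlation ID:\s*([0-9a-fA-F-]{36})",
    "timestamp": r"Timestamp:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)",
    "status": r"Status:\s*Response_Status\.(\w+)",
    "error_code": r"Error code:\s*(\d+)",
    "tag": r"Tag:\s*(\d+)",
}

def parse_broker_error(text):
    """Extract the known fields from a broker error string; absent fields are None."""
    found = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, text or "")
        found[name] = match.group(1) if match else None
    return found

def acquire_with_fallback(silent_call, interactive_call):
    """Try silently; on Status_InteractionRequired make exactly one interactive call.

    Both arguments are hypothetical zero-argument callables returning an
    MSAL-style dict ("access_token" on success, "error_description" on failure).
    """
    result = silent_call() or {}
    if "access_token" in result:
        return result
    details = parse_broker_error(result.get("error_description"))
    if details["status"] != "Status_InteractionRequired":
        return {**result, "details": details, "interactive_attempted": False}
    result = interactive_call() or {}
    if "access_token" in result:
        return result
    # Still failing after interaction: keep the IDs so the WAM logs can be matched.
    details = parse_broker_error(result.get("error_description"))
    return {**result, "details": details, "interactive_attempted": True}
```

When the interactive attempt also fails, the returned `details` carry the Trace ID and Correlation ID needed to locate the request in collected WAM logs.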

Contributor

fengga commented Jun 12, 2024

Closing this issue per offline conversation.

fengga closed this as completed Jun 12, 2024