microsoft-authentication-library-for-android: AcquireTokenSilentAsync returns "Authority passed to silent parameters does not match with the cloud associated to the account."

I have a working app with a b2c configuration. Up until now I used the legacy b2c policy / authority URLs, e.g. https://login.microsoftonline.com/tfp/<my-tenant>/B2C_1_SignUpPolicy.

Today I tried to change them to the new URL style: e.g. https://whatever.b2clogin.com/tfp/<my-tenant>/B2C_1_SignUpPolicy/

And suddenly I get the mentioned error from above when calling acquireTokenSilentAsync. I also compared with the sample app (https://github.com/Azure-Samples/ms-identity-android-java/) and couldn’t find a real difference.

I also started investigating myself and dug quite deep and found the exception is thrown here:

public class AcquireTokenSilentOperationParameters extends OperationParameters {
    // ... (rest of the class omitted)
    @Override
    public void validate() throws ArgumentException {
        super.validate();

        if (mAccount == null) {
            Logger.warn(TAG, "The account set on silent operation parameters is NULL.");
        } else if (!authorityMatchesAccountEnvironment()) {
            throw new ArgumentException(
                    ArgumentException.ACQUIRE_TOKEN_SILENT_OPERATION_NAME,
                    ArgumentException.AUTHORITY_ARGUMENT_NAME,
                    "Authority passed to silent parameters does not match with the cloud associated to the account."
            );
        }
    }

    private boolean authorityMatchesAccountEnvironment() {
        final String methodName = ":authorityMatchesAccountEnvironment";
        try {
            if (!AzureActiveDirectory.isInitialized()) {
                performCloudDiscovery();
            }
            final AzureActiveDirectoryCloud cloud = AzureActiveDirectory.getAzureActiveDirectoryCloudFromHostName(mAccount.getEnvironment());
            return cloud != null && cloud.getPreferredNetworkHostName().equals(getAuthority().getAuthorityURL().getAuthority());
        } catch (IOException e) {
            Logger.error(
                    TAG + methodName,
                    "Unable to perform cloud discovery",
                    e);
            return false;
        }
    }
}

I debugged into the method final AzureActiveDirectoryCloud cloud = AzureActiveDirectory.getAzureActiveDirectoryCloudFromHostName(mAccount.getEnvironment()); which returns null, because it contains only the following hosts: [image]

My host (whatever.b2clogin.com) obviously doesn’t match there and therefore null is returned.

However I cannot believe that such a bug exists in this library. So I assume I configured something wrong. However I just can’t point my finger on what it could be.

Here is my configuration:

{
  "client_id": "whatever",
  "redirect_uri": "msalbwhatever://auth",
  "broker_redirect_uri_registered": false,
  "authorities": [
    {
      "type": "B2C",
      "authority_url": "https://whatever.b2clogin.com/tfp/whatever.onmicrosoft.com/B2C_1_SignInSignUpPolicy/",
      "default": true
    },
    {
      "type": "B2C",
      "authority_url": "https://whatever.b2clogin.com/tfp/whatever.onmicrosoft.com/B2C_1_SignUpPolicy/"
    },
    {
      "type": "B2C",
      "authority_url": "https://whatever.b2clogin.com/tfp/whatever.onmicrosoft.com/B2C_1_ResetPasswordPolicy/"
    }
  ],
  "account_mode": "MULTIPLE",
  "logging": {
    "pii_enabled": true,
    "log_level": "VERBOSE",
    "logcat_enabled": true
  }
}

Any help would be greatly appreciated!

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 20 (16 by maintainers)

Most upvoted comments

Tested this just now and I can confirm it’s now working as expected.

Thanks for the quick fix 👍

@duyvt88 I’m glad to hear that 😊

Hi @duyvt88, if you are using B2C, then you need to declare your authorities in the MSAL configuration file for them to be known by MSAL - otherwise you would get this error. Did you declare your authorities in the config file? The instructions to do so are here: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-android-b2c#configure-known-authorities-and-redirect-uri

@shahzaibj I fixed it. Thank you very much 😃

@Nasicus Great to hear - thanks for confirming!

/cc @shahzaibj

@Nasicus We have decided to do a hotfix release for this issue. We have started the release process and the entire release process will take about 1-2 days to complete. We will give you an update once the release is available.

@Nasicus we are considering doing a hotfix release for this and we will be discussing it in our scrum on Monday. We will provide you an update on our plan on Monday after our scrum.

@shahzaibj At a glance, this looks to be related to changes introduced in https://github.com/AzureAD/microsoft-authentication-library-common-for-android/pull/714 – do you have capacity to investigate here?

Android specifically removed support for validateAuthority as it’s confusing to have to disable what is in fact a security feature for Azure AD B2C. Authority validation was originally added to ADAL to ensure that a client didn’t simply parse a 401 challenge and potentially use a malicious security token service. In Android, we check the list of authorities known to Microsoft and known to you the developer (expressed via configuration) to determine whether or not it’s safe to use an authority. This particular code path isn’t related to authority validation per se… it’s actually an account validation bug related to multiple Azure AD Clouds. It just seems we forgot that B2C only exists in one cloud and that it can use a custom domain.

I should add that MSAL throws an Unknown Authority exception if we can’t determine whether the provided authority is safe.
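The two checks discussed in this thread, side by side, as an added Java sketch that is neither MSAL's code nor the fix the maintainers shipped: authority validation against known hosts, and the account-environment match that returns false for a B2C custom domain. The class and method names, the two-entry cloud table and the `b2cAwareMatch` rule are assumptions for illustration; the B2C host is the placeholder from the configuration above.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration; not MSAL code. All names here are hypothetical.
public class AuthorityChecks {
    // Sample cloud table (constructed): alias host -> preferred network host.
    static final Map<String, String> CLOUD_HOSTS = Map.of(
            "login.microsoftonline.com", "login.microsoftonline.com",
            "login.windows.net", "login.microsoftonline.com");

    // Hosts of the B2C authorities the developer declared in the configuration file.
    static final Set<String> CONFIGURED_B2C_HOSTS = Set.of("whatever.b2clogin.com");

    static String host(String authorityUrl) {
        return URI.create(authorityUrl).getHost().toLowerCase(Locale.ROOT);
    }

    // Authority validation: accept only hosts from the cloud table or the developer's config.
    static boolean isKnownAuthority(String authorityUrl) {
        String h = host(authorityUrl);
        return CLOUD_HOSTS.containsKey(h) || CONFIGURED_B2C_HOSTS.contains(h);
    }

    // The check quoted in the issue: the account environment is resolved
    // through the cloud table only, so a B2C custom domain yields null.
    static boolean cloudOnlyMatch(String accountEnvironment, String authorityUrl) {
        String preferred = CLOUD_HOSTS.get(accountEnvironment.toLowerCase(Locale.ROOT));
        return preferred != null && preferred.equals(host(authorityUrl));
    }

    // Assumed alternative: B2C lives in one cloud, so compare the account's
    // environment with the (known) authority host instead of the cloud table.
    static boolean b2cAwareMatch(String accountEnvironment, String authorityUrl, boolean isB2C) {
        if (isB2C) {
            return isKnownAuthority(authorityUrl)
                    && accountEnvironment.equalsIgnoreCase(host(authorityUrl));
        }
        return cloudOnlyMatch(accountEnvironment, authorityUrl);
    }

    public static void main(String[] args) {
        String b2c = "https://whatever.b2clogin.com/tfp/whatever.onmicrosoft.com/B2C_1_SignUpPolicy/";
        String aad = "https://login.microsoftonline.com/common";
        // B2C custom domain checked against the cloud table (the reported case).
        System.out.println("cloud-only, B2C: " + cloudOnlyMatch("whatever.b2clogin.com", b2c));
        System.out.println("B2C-aware, B2C:  " + b2cAwareMatch("whatever.b2clogin.com", b2c, true));
        // Azure AD account cached under an alias host of the same cloud.
        System.out.println("cloud-only, AAD: " + cloudOnlyMatch("login.windows.net", aad));
        // An authority that is in neither list must still be rejected.
        System.out.println("known authority: " + isKnownAuthority("https://login.example.net/tfp/x/y/"));
    }
}
```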