microsoft-authentication-library-for-dotnet: [Bug] Issue with on behalf of flow via MS ADFS 2019

Not sure if this is a bug or configuration issue.

Which Version of MSAL are you using ? MSAL 4.8.2

Platform net45

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • [X ] OBO

Other? - please describe;

Is this a new or existing app? This is a new app to understand and document the pattern in our environment.

Repro I have a Web Api (.Net 4.5) calling a Web Api (.Net 4.5). I’m getting the following exception when executing the following:

AuthenticationResult result = await app.AcquireTokenOnBehalfOf(scopes, userAssertion) .ExecuteAsync().ConfigureAwait(false);

Here is the full function:

            var authContext = ConfidentialClientApplicationBuilder.Create(mServiceCredentialOptions.ClientId)

            var bootstrapContext = (string)principal.Identities.First().BootstrapContext;
            var userAssertion = new UserAssertion(bootstrapContext, "urn:ietf:params:oauth:grant-type:jwt-bearer");
            AuthenticationResult result = await app.AcquireTokenOnBehalfOf(scopes, userAssertion)

Expected behavior I’m expecting an access token for the endpoint that I’m calling.

Actual behavior Full exception:

“ExceptionMessage”: “MSIS9601: The ‘resource’ parameter is missing in the request. Send the ‘resource’ parameter that contains the resource identifier’s value.”, “ExceptionType”: “Microsoft.Identity.Client.MsalServiceException”

Additional context/ Logs / Screenshots I’m finding this entry in ADFS eventlog:

Encountered error during OAuth token request.

Additional Data

Exception details: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAuthorizationMissingResourceException: MSIS9226: Received invalid OAuth request. The ‘resource’ parameter is missing or found empty. The ‘resource’ parameter must be provided specifying the relying party identifier for which the access is requested. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthOnBehalfOfContextBase.ValidateCore()

The scopes passed into the function is: @“urn:Enterprise:PolicyInformation//openid”, @“urn:Enterprise:PolicyInformation//user_impersonation”

I have tried some many combinations (single forward slash, using the Client Id, etc.)

Captured the network trace and saw this: client_id=b5342232-4b42-4206-8cd0-5972e8420d42&client_info=1&client_secret=Removed&scope=offline_access+openid+profile+urn%3AEnterprise%3APolicyInformation%2Fopenid+urn%3AEnterprise%3APolicyInformation%2Fuser_impersonation&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=Removed

Noticed that the scope included additional scopes that I didn’t ask for. Is this correct?

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 19 (8 by maintainers)

Most upvoted comments

@ddops2468 - there was a fix in ADFS itself, which you get via an OS update. Sadly, I cannot find the email with the details / KB number. Consider opening a bug on ADFS itself for details.

The workaround that was confirmed by others is to add a missing param manually, by intercepting HTTP traffic in your app. Smth like:

internal class FixOBOClientHandler : HttpClientHandler
  protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage msg, CancellationToken ct)
        var body = HttpUtility.ParseQueryString(await request.Content.ReadAsStringAsync);
        // some parsing to detect if this is OBO
        // some parsing to extract the scope
        // replace "scope" with "resource"

Then inject this HTTP handler via a client factory like as per