microsoft-authentication-library-for-dotnet: [Bug] Issue with on behalf of flow via MS ADFS 2019
Not sure if this is a bug or a configuration issue.
Which version of MSAL are you using? MSAL 4.8.2
Platform net45
What authentication flow has the issue?
- [ ] Desktop / Mobile
- [ ] Interactive
- [ ] Integrated Windows Auth
- [ ] Username Password
- [ ] Device code flow (browserless)
- [ ] Web App
- [ ] Authorization code
- [ ] OBO
- [ ] Web API
- [x] OBO
Other? - please describe;
Is this a new or existing app? This is a new app to understand and document the pattern in our environment.
Repro I have a Web API (.NET 4.5) calling a Web API (.NET 4.5). I'm getting the following exception when executing the following:

```csharp
AuthenticationResult result = await app.AcquireTokenOnBehalfOf(scopes, userAssertion).ExecuteAsync().ConfigureAwait(false);
```

Here is the full function:

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Confidential client for the middle-tier Web API, pointed at the ADFS authority.
// (mServiceCredentialOptions, mAuthorityOptions, principal and scopes are fields of the calling class.)
var app = ConfidentialClientApplicationBuilder.Create(mServiceCredentialOptions.ClientId)
    .WithAdfsAuthority(mAuthorityOptions.Authority)
    .WithClientSecret(mServiceCredentialOptions.ClientSecret)
    .Build();

// The inbound access token as saved by the JWT bearer middleware; it becomes the OBO assertion.
var bootstrapContext = (string)principal.Identities.First().BootstrapContext;
var userAssertion = new UserAssertion(bootstrapContext, "urn:ietf:params:oauth:grant-type:jwt-bearer");

AuthenticationResult result = await app.AcquireTokenOnBehalfOf(scopes, userAssertion)
    .ExecuteAsync()
    .ConfigureAwait(false);
```
Expected behavior I’m expecting an access token for the endpoint that I’m calling.
Actual behavior Full exception:

```json
"ExceptionMessage": "MSIS9601: The 'resource' parameter is missing in the request. Send the 'resource' parameter that contains the resource identifier's value.",
"ExceptionType": "Microsoft.Identity.Client.MsalServiceException"
```
Additional context / Logs / Screenshots I'm finding this entry in the ADFS event log:

```text
Encountered error during OAuth token request.
Additional Data
Exception details: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAuthorizationMissingResourceException: MSIS9226: Received invalid OAuth request. The 'resource' parameter is missing or found empty. The 'resource' parameter must be provided specifying the relying party identifier for which the access is requested.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthOnBehalfOfContextBase.ValidateCore()
```
The scopes passed into the function are: `@"urn:Enterprise:PolicyInformation//openid"`, `@"urn:Enterprise:PolicyInformation//user_impersonation"`
I have tried so many combinations (single forward slash, using the Client Id, etc.).
Captured the network trace and saw this:

```text
client_id=b5342232-4b42-4206-8cd0-5972e8420d42&client_info=1&client_secret=Removed&scope=offline_access+openid+profile+urn%3AEnterprise%3APolicyInformation%2Fopenid+urn%3AEnterprise%3APolicyInformation%2Fuser_impersonation&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=Removed
```
Noticed that the scope included additional scopes that I didn’t ask for. Is this correct?
About this issue
- State: closed
- Created 4 years ago
- Comments: 19 (8 by maintainers)
@ddops2468 - there was a fix in ADFS itself, which you get via an OS update. Sadly, I cannot find the email with the details / KB number. Consider opening a bug on ADFS itself for details.
The workaround that was confirmed by others is to add the missing param manually, by intercepting HTTP traffic in your app. Something like:
Then inject this HTTP handler via a client factory, as per https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-provide-httpclient
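The following is an added example of the workaround the comment above describes; it is not the maintainer's snippet and not MSAL's own code. A `DelegatingHandler` inspects each outgoing token request, and when the grant type is `urn:ietf:params:oauth:grant-type:jwt-bearer` (OBO) and no `resource` field is present, it appends one before the request reaches ADFS. The handler is handed to MSAL through an `IMsalHttpClientFactory` passed to `WithHttpClientFactory`. The resource value `urn:Enterprise:PolicyInformation` is an assumption derived from the scopes in this report; ADFS wants the relying party identifier of the downstream API, which may differ in your environment.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Appends the ADFS-specific 'resource' form field to OBO (jwt-bearer) token requests.
// ADFS 2019 rejects such requests when only 'scope' is sent (MSIS9601 / MSIS9226).
public sealed class AdfsResourceHandler : DelegatingHandler
{
    private const string JwtBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private const string FormMediaType = "application/x-www-form-urlencoded";
    private readonly string _resource;

    // 'resource' is the relying party identifier of the downstream API (assumed value below).
    public AdfsResourceHandler(string resource, HttpMessageHandler inner) : base(inner)
    {
        _resource = resource ?? throw new ArgumentNullException(nameof(resource));
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (request.Method == HttpMethod.Post &&
            request.Content?.Headers.ContentType?.MediaType == FormMediaType)
        {
            // The body carries client_secret and the user assertion: parse it, never log it.
            string body = await request.Content.ReadAsStringAsync().ConfigureAwait(false);
            List<KeyValuePair<string, string>> fields = ParseForm(body);

            bool isObo = fields.Any(f => f.Key == "grant_type" && f.Value == JwtBearerGrant);
            bool hasResource = fields.Any(f => f.Key == "resource" && !string.IsNullOrEmpty(f.Value));

            if (isObo && !hasResource)
            {
                fields.Add(new KeyValuePair<string, string>("resource", _resource));
                // FormUrlEncodedContent re-encodes the fields and sets Content-Type again.
                request.Content = new FormUrlEncodedContent(fields);
            }
        }
        return await base.SendAsync(request, ct).ConfigureAwait(false);
    }

    // Decodes application/x-www-form-urlencoded: '&'-separated pairs, '+' for space, %xx escapes.
    private static List<KeyValuePair<string, string>> ParseForm(string body)
    {
        return body.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(pair => pair.Split(new[] { '=' }, 2))
            .Select(p => new KeyValuePair<string, string>(
                Uri.UnescapeDataString(p[0].Replace('+', ' ')),
                p.Length > 1 ? Uri.UnescapeDataString(p[1].Replace('+', ' ')) : string.Empty))
            .ToList();
    }
}

// MSAL calls GetHttpClient() for every token request; return one long-lived, pre-wired instance.
public sealed class AdfsHttpClientFactory : IMsalHttpClientFactory
{
    private readonly HttpClient _client;

    public AdfsHttpClientFactory(string resource)
    {
        _client = new HttpClient(new AdfsResourceHandler(resource, new HttpClientHandler()));
    }

    public HttpClient GetHttpClient() => _client;
}

public static class AdfsOboClient
{
    // Builds the confidential client exactly as in the report, plus the injected handler.
    // The resource identifier here is an assumption based on the scopes in the report.
    public static IConfidentialClientApplication Build(string clientId, string clientSecret, string adfsAuthority)
    {
        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAdfsAuthority(adfsAuthority)
            .WithClientSecret(clientSecret)
            .WithHttpClientFactory(new AdfsHttpClientFactory("urn:Enterprise:PolicyInformation"))
            .Build();
    }
}
```

The handler keys on the grant type rather than on the URL, so interactive or client-credentials requests through the same `HttpClient` pass untouched, and it only adds `resource` when the field is absent, so it becomes a no-op once the ADFS fix mentioned above is installed and MSAL or ADFS no longer need it. Because the intercepted body contains the client secret and the user's assertion, keep any diagnostics in this handler to field names, never field values.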