microsoft-authentication-library-for-js: AAD errors are masked by misleading "network_error" from MSAL node

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

Version 1.9.1

Wrapper Library

Not Applicable

Wrapper Library Version

none

Description

This issue is related to MSAL node and can be reproduced with any MSAL node sample. I have not tried other MSAL js flavours.

Use for example the Username-Password node sample. Configure everything but set a bad password.

Actual error:

{"errorCode":"network_error", "errorMessage":"Network request failed. Please check network trace to determine root cause. | Fetch client threw: Error: HTTP status code 400 | Attempted to reach: https://login.microsoftonline.com/common/oauth2/v2.0/token", "subError":"", "name":"ClientAuthError"}

Expected error:

Error_code is invalid_grant Error_description is AADSTS50055: The password is expired

{"error":"invalid_grant","error_description":"AADSTS50055: The password is expired.\r\nTrace ID: e59410c3-5316-43f7-84b9-28e298215600\r\nCorrelation ID: f8504f1a-8c13-4894-9af4-b4696246ad92\r\nTimestamp: 2022-06-08 13:50:55Z","error_codes":[50055],"timestamp":"2022-06-08 13:50:55Z","trace_id":"e59410c3-5316-43f7-84b9-28e298215600","correlation_id":"f8504f1a-8c13-4894-9af4-b4696246ad92","error_uri":"https://login.microsoftonline.com/error?code=50055","suberror":"user_password_expired"}

Note: this message is available in the HttpClient class, but it is wiped out later.

Error Message

The network error message is very misleading. It is normal for AAD to reply with 400 Bad Request, but it doesn’t indicate a network error. Network errors fall in the 5xx category (and maybe the special 429 Too Many Requests).

Msal Logs

No response

MSAL Configuration

Just use the Username-Password sample with any client_id / tenant_id and set a bad password. Or use the client_credentials sample with a bad scope or a bad secret.

Relevant Code Snippets

Username-Password sample
Client_Credentials sample.

Reproduction Steps

See description

Expected Behavior

  1. Error code should be copied from the error from AAD
  2. Error message should also be copied from the error from AAD
  3. Error type should indicate that this is a service error. For error types like “invalid_grant”, the error type should indicate that “Interaction is required”

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)
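The classification the Error Message and Expected Behavior sections ask for, as an added example that is not MSAL's code: a token-endpoint response is treated as a network error only for 5xx (and 429), while a 4xx carrying an OAuth error body keeps AAD's error code, description, suberror and AADSTS number, and invalid_grant is surfaced as "interaction required". The `classifyTokenResponse` function, its `{status, body}` input shape and the sample body are assumptions for this example.

```javascript
// Added example (not from the MSAL repository). Maps a raw token-endpoint
// response to an error category that does not mask AAD service errors.
const TRANSIENT_STATUSES = new Set([429]); // 429 treated as transient, per the issue text

function classifyTokenResponse(status, bodyText) {
  // Only 5xx (and 429) deserve the "network/transient" label.
  if (status >= 500 || TRANSIENT_STATUSES.has(status)) {
    return { kind: 'network_error', retryable: true, status };
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    // A 4xx without an OAuth error body is still a service error, not a
    // network error; keep the raw text so the operator can see it.
    return { kind: 'server_error', retryable: false, status,
             errorCode: 'unknown', errorMessage: bodyText };
  }
  if (status >= 400 && typeof body.error === 'string') {
    const description = body.error_description || '';
    const m = /AADSTS(\d+)/.exec(description); // AADSTS code embedded in the description
    const base = {
      status,
      retryable: false,
      errorCode: body.error,                 // e.g. "invalid_grant"
      subError: body.suberror || '',         // e.g. "user_password_expired"
      errorMessage: description,             // copied verbatim from AAD
      aadstsCode: m ? Number(m[1]) : null,   // e.g. 50055
      aadErrorCodes: Array.isArray(body.error_codes) ? body.error_codes : [],
      correlationId: body.correlation_id || '',
    };
    // invalid_grant / interaction_required mean the app must fall back to an
    // interactive sign-in rather than retrying silently.
    const interactive = body.error === 'invalid_grant' || body.error === 'interaction_required';
    return { kind: interactive ? 'interaction_required' : 'server_error', ...base };
  }
  return { kind: 'success', retryable: false, status, body };
}

// Constructed sample with the shape of the AAD 400 body quoted in the issue
// (trace and correlation ids replaced by placeholders).
const SAMPLE_400_BODY = JSON.stringify({
  error: 'invalid_grant',
  error_description: 'AADSTS50055: The password is expired.\r\nTrace ID: <placeholder>'
    + '\r\nCorrelation ID: <placeholder>\r\nTimestamp: 2022-06-08 13:50:55Z',
  error_codes: [50055],
  suberror: 'user_password_expired',
});
```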

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 15 (7 by maintainers)

Most upvoted comments

Can confirm, I’m getting proper error messages with 1.14.1 now!

@EmLauber +1 for this. This is breaking apps that are attempting acquireTokenSilent first, where we recommend to catch the interaction_required error and handle interactively. I can’t seem to find when this regression was introduced.

@bmahall is currently working on this, no ETA yet.

Great, thanks for confirming @admehta01 and thanks for getting this fix out @bmahall

@bgavrilMS Thanks Bogdan, we’ll get this in our backlog to address. cc @EmLauber