microsoft-authentication-library-for-js: Getting ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints with @azure/msal-node 1.9.1
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
1.9.1
Wrapper Library
Not Applicable
Wrapper Library Version
None
Description
Since upgrading from 1.9.0 to 1.9.1 we are running into the error listed in this issue below. We have a node application that runs on an interval to update profile pictures in Backstage, a Developer Portal we are using. It’s very simple.
Rolling back to 1.9.0 the error goes away. I’m not sure what specifically is causing this issue but I feel like it is something in PR #4744. That being said there might be simply something that we need to include to resolve this like some additional configuration.
Any help with this would be greatly appreciated!
Error Message
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration
Note that {tenantId} in the URL above is our actual tenantId, just removed for security reasons.
Msal Logs
No response
MSAL Configuration
```javascript
const clientConfig = {
  auth: {
    clientId,
    clientSecret,
    authority: `https://login.microsoftonline.com/${tenantId}`,
  },
};
```
Relevant Code Snippets
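```javascript
import { ConfidentialClientApplication } from '@azure/msal-node';

// clientId, clientSecret and tenantId are defined elsewhere in the application.
const clientConfig = {
  auth: {
    clientId,
    clientSecret,
    authority: `https://login.microsoftonline.com/${tenantId}`,
  },
};

// Client-credentials flow: the app authenticates as itself against Microsoft Graph.
const authClient = new ConfidentialClientApplication(clientConfig);
const tokens = await authClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.com/.default'],
});
```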
Reproduction Steps
I’m not totally sure how to describe this:
- Upgrade to @azure/msal-node 1.9.1
- Run the application
- Notice in the logs the error listed in this issue occurs
Expected Behavior
There should be no error and the process should continue to work as it did with version 1.9.0
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
@azure/msal-node 1.9.0
Source
External (Customer)
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 84 (23 by maintainers)
@Robbie-Microsoft works! with 1.16.0. THANK YOU!
@cheenamalhotra thanks so much for our debugging session today! I believe I’ve identified the root cause of the issue and have linked the PR with a fix.
Big thanks to @cheenamalhotra for finding a consistent repro for this and to @Robbie-Microsoft for figuring out a fix.
TL;DR It was how I had the configuration typed, read on for the details.
Sorry everyone (@bgavrilMS) for the terribly slow follow up on this. I finally had time to take a deeper dive into this using the sample @Robbie-Microsoft shared. The sample worked so I started to break down the differences:
1.14.5 of @azure/msal-node - still errors
1.14.5 and the first change I made again was the configuration.
Before:
After:
With this change everything started to work, no other code was changed. Why this fixed the error in my case is a mystery to me. Going to commit this and deploy, if this works there after a few days I’ll come back to this issue with my results and close it.
@awanlin apologies for the delay, we have been investigating a possibly related issue with msal-node’s network module that may be affecting the way network and HTTP errors are reported. Will update this issue when we have more information.
@thetminko Please upgrade your msal-node version from 1.18.2 to 2.1.0. If your issue still persists, then please create a new issue.
Hello,
I still have this issue.
In my package.json
My config
```javascript
const azureAdConfig = {
  auth: {
    clientId: module.config.azure.clientId,
    authority: `https://login.microsoftonline.com/${module.config.azure.tenantId}`,
    clientSecret: module.config.azure.clientSecret,
    knownAuthorities: [`https://login.microsoftonline.com/${module.config.azure.tenantId}`]
  },
  system: {
    loggerOptions: {
      loggerCallback(loglevel, message, containsPii) {
        console.log(message);
      },
      piiLoggingEnabled: false,
      logLevel: msal.LogLevel.Verbose,
    },
    proxyUrl: module.config.azure.proxyUrl
  }
};
```
My server log:
```
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Info - getAuthCodeUrl called
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - initializeRequestScopes called
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - buildOauthClientConfiguration called
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - building oauth client configuration with the authority: https://lod8c210-54c7-4039-a88b-4417f80773fe
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - createAuthority called
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - Attempting to get cloud discovery metadata in the config
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - The host is included in knownAuthorities. Creating new cloud discovery metadata from the host.
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - Found cloud discovery metadata in the config.
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retr authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.
Attempted to retrieve endpoints from: https://login.microsoftonline.com/$mytenantId/v2.0/.well-known/openid-configuration
    at ClientAuthError.AuthError [as constructor] (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:499:24)
    at new ClientAuthError (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:819:28)
    at Function.ClientAuthError.createEndpointDiscoveryIncompleteError (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:
    at Function.<anonymous> (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:8391:47)
    at step (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:79:23)
    at Object.throw (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:60:53)
    at rejected (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:51:65)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  errorCode: 'endpoints_resolution_error',
  errorMessage: 'Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your aell-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.microsoftonline.com/$mytenantId-configuration',
  subError: ''
```
And in my proxy, it looks like microsoftonline closes the connection with a 302
```
URL: http://login.microsoftonline.com/$mytenantId/v2.0/.well-known/openid-configuration
Status: Redirect
Response Code: 302 Found
Method: GET
Content Type: -
Content-Length: 0
Location: https://login.microsoftonline.com:443/$mytenantId/v2.0/.well-known/openid-configuration
client-request-id: 81204f1b-f103-4066-8c03-c98294d230db
Date: Thu, 06 Jul 2023 11:13:49 GMT
Connection: close
```
If I curl the same URL with my proxy, I receive a 200 with the correct payload.
Thank you for your help
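A check that can be run offline against a discovery response captured at a proxy, such as the 302 record in the comment above. This is an added example, not code from the thread or from MSAL; the `triageDiscovery` name, the list of required fields and the sample captures (with a placeholder tenant) are assumptions.

```javascript
// Added example: triage a captured OpenID discovery response offline.
// REQUIRED is an assumption about the fields a client needs, not MSAL's source.
const REQUIRED = ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"];

// Discovery URL in the form shown in the error message on this page.
function discoveryUrl(authority) {
  return `${authority.replace(/\/+$/, "")}/v2.0/.well-known/openid-configuration`;
}

function isHttps(value) {
  try { return new URL(value).protocol === "https:"; } catch { return false; }
}

// captured = { url, status, body } as recorded by a proxy or HTTP debugger.
function triageDiscovery(authority, captured) {
  const findings = [];
  const expected = new URL(discoveryUrl(authority));
  const requested = new URL(captured.url);
  if (requested.protocol !== "https:") findings.push("request-not-https");
  if (requested.hostname !== expected.hostname || requested.pathname !== expected.pathname) {
    findings.push("unexpected-url");
  }
  if (captured.status >= 300 && captured.status < 400) {
    findings.push(`redirect-${captured.status}`); // a redirect carries no metadata
    return findings;
  }
  if (captured.status !== 200) return findings.concat(`http-${captured.status}`);
  let doc;
  try { doc = JSON.parse(captured.body); } catch { doc = null; }
  if (doc === null || typeof doc !== "object") return findings.concat("body-not-json-object");
  for (const field of REQUIRED) {
    if (typeof doc[field] !== "string" || doc[field] === "") findings.push(`missing-${field}`);
    else if (!isHttps(doc[field])) findings.push(`not-https-${field}`);
  }
  return findings;
}

// Constructed samples; TENANT is a placeholder, not a real tenant id.
const AUTHORITY = "https://login.microsoftonline.com/TENANT";
const PROXY_302 = { url: discoveryUrl(AUTHORITY).replace("https:", "http:"), status: 302, body: "" };
const GOOD = { url: discoveryUrl(AUTHORITY), status: 200, body: JSON.stringify({
  issuer: `${AUTHORITY}/v2.0`, authorization_endpoint: `${AUTHORITY}/oauth2/v2.0/authorize`,
  token_endpoint: `${AUTHORITY}/oauth2/v2.0/token`, jwks_uri: `${AUTHORITY}/discovery/v2.0/keys` }) };
const PARTIAL = { ...GOOD, body: JSON.stringify({ issuer: `${AUTHORITY}/v2.0` }) };

console.log(triageDiscovery(AUTHORITY, PROXY_302));
console.log(triageDiscovery(AUTHORITY, GOOD));
console.log(triageDiscovery(AUTHORITY, PARTIAL));
```

A `request-not-https` finding together with a redirect means the metadata request left the client in plaintext and never returned a document, which is consistent with an endpoint-resolution failure even though the same URL answers 200 over HTTPS.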
@chanphillip The linked PR should be in next Monday’s (March 6, 2023) build.
It seems to get fixed by updating the below dependencies:
Before (fails):
After (works):
Thanks @bgavrilMS and @Robbie-Microsoft for the hint 😃
I’m facing similar issue with v1.15.0… tried everything from comments above, but nothing seems to work. I also incorporated the custom INetworkModule from samples, but still no luck. Here’s my log, my codebase is opensource so I can share as well… it’s a VS Code extension… link to my config >> error triggers here
Unclear why authority URL is not being respected even though it’s received by buildOauthClientConfiguration correctly… would appreciate any tips!
@awanlin Wanted to chime in here: I set up my auth block to look exactly like yours before it was changed, on msal-node v1.9.1 and v1.14.6, and I did not receive an error.
@bgavrilMS definitively the right email. Just copied and pasted again. Subject is: Fw: Logging from jsbinette msal 4879
@awanlin - if you don’t mind, let’s keep this open as other folks are still having problems. I’d like MSAL to at least throw a better error message.
@Robbie-Microsoft - can you please investigate why @awanlin's config change fixes the issue? Maybe we can throw a better error message?
@jsbinette - can you provide verbose PII logging if you are able to reproduce the issue with MSAL alone? Feel free to email them to me if you wish at bogavril at microsoft com. They will not contain secrets or tokens, but will have some IDs.
@awanlin For what it’s worth, I am able to run the sample in my previous comment with msal-node versions 1.9.1 and 1.14.2.
Unless you are running in a private / air-gapped cloud, setting the knownAuthorities should not be required. MSAL tries to validate the authority against:
Guys, I had a similar problem; for me the solution was switching version + clearing node_modules and the pipeline cache for it. Not clear what the problem was, but it looks like some cache problem, and a fresh install solved it.