microsoft-authentication-library-for-js: Getting ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints with @azure/msal-node 1.9.1

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.9.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

Since upgrading from 1.9.0 to 1.9.1 we are running into the error listed in this issue below. We have a node application that runs on an interval to update profile pictures in Backstage, a Developer Portal we are using. It’s very simple.

Rolling back to 1.9.0 the error goes away. I’m not sure what specifically is causing this issue but I feel like it is something in PR #4744. That being said there might be simply something that we need to include to resolve this like some additional configuration.

Any help with this would be greatly appreciated!

Error Message

ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration

Note that {tenantId} in the URL above is our actual tenantId, just removed for security reasons.

Msal Logs

No response

MSAL Configuration

const clientConfig = {
  auth: {
    clientId,
    clientSecret,
    authority: `https://login.microsoftonline.com/${tenantId}`,
  },
};

Relevant Code Snippets

const clientConfig = {
  auth: {
    clientId,
    clientSecret,
    authority: `https://login.microsoftonline.com/${tenantId}`,
  },
};

const authClient = new ConfidentialClientApplication(clientConfig);

const tokens = await authClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.com/.default'],
});

Reproduction Steps

I’m not totally sure how to describe this:

  1. Upgrade to @azure/msal-node 1.9.1
  2. Run the application

Notice in the logs the error listed in this issue occurs

Expected Behavior

There should be no error and the process should continue to work as it did with version 1.9.0

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

@azure/msal-node 1.9.0

Source

External (Customer)

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 84 (23 by maintainers)

Most upvoted comments

@Robbie-Microsoft works! with 1.16.0. THANK YOU!

@cheenamalhotra thanks so much for our debugging session today! I believe I’ve identified the root cause of the issue and have linked the PR with a fix.

Big thanks to @cheenamalhotra for finding a consistent repro for this and to @Robbie-Microsoft for figuring out a fix.

TL;DR It was how I had the configuration typed, read on for the details.

Sorry everyone (@bgavrilMS) for the terribly slow follow up on this. I finally had time to take a deeper dive into this using the sample @Robbie-Microsoft shared. The sample worked so I started to break down the differences:

  1. I upgraded my project to use 1.14.5 of @azure/msal-node - still errors
  2. I updated all my syntax to match exactly - suddenly it started to work, no errors
  3. Reverted the changes but stayed on 1.14.5 and the first change I made again was the configuration.

Before:

const clientConfig = {
  auth: {
    clientId,
    clientSecret,
    authority: `https://login.microsoftonline.com/${tenantId}`,
  },
};

After:

const clientConfig: Configuration = {
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.com/${tenantId}`,
    clientSecret: clientSecret,
  },
};

With this change everything started to work, no other code was changed. Why this fixed the error in my case is a mystery to me. Going to commit this and deploy, if this works there after a few days I’ll come back to this issue with my results and close it.

@awanlin apologies for the delay, we have been investigating a possibly related issue with msal-node’s network module that may be affecting the way network and HTTP errors are reported. Will update this issue when we have more information.

@thetminko Please upgrade your msal-node version from 1.18.2 to 2.1.0. If your issue still persists, then please create a new issue.

Hello,

I still have this issue.

In my package.json

    "@azure/msal-node": "1.18.0", //I've tried with 14, 16 and 17
    "http-proxy-agent": "^5.0.0",
    "https-proxy-agent": "^5.0.0"

My config

const azureAdConfig = {
  auth: {
    clientId: module.config.azure.clientId,
    authority: `https://login.microsoftonline.com/${module.config.azure.tenantId}`,
    clientSecret: module.config.azure.clientSecret,
    knownAuthorities: [`https://login.microsoftonline.com/${module.config.azure.tenantId}`]
  },
  system: {
    loggerOptions: {
      loggerCallback(loglevel, message, containsPii) {
        console.log(message);
      },
      piiLoggingEnabled: false,
      logLevel: msal.LogLevel.Verbose,
    },
    proxyUrl: module.config.azure.proxyUrl
  }
};

My server log:

[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Info - getAuthCodeUrl called
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - initializeRequestScopes called
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - buildOauthClientConfiguration called
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - building oauth client configuration with the authority: https://lod8c210-54c7-4039-a88b-4417f80773fe
[Thu, 06 Jul 2023 11:13:49 GMT] : [7ffb7816-8a7e-4a3e-8d53-93a8ad2ecbc5] : @azure/msal-node@1.18.0 : Verbose - createAuthority called
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - Attempting to get cloud discovery metadata in the config
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - The host is included in knownAuthorities. Creating new cloud discovery metadata from the host.
[Thu, 06 Jul 2023 11:13:49 GMT] : @azure/msal-node@1.18.0 : Verbose - Found cloud discovery metadata in the config.
ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retr authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.
Attempted to retrieve endpoints from: https://login.microsoftonline.com/$mytenantId/v2.0/.well-known/openid-configuration
    at ClientAuthError.AuthError [as constructor] (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:499:24)
    at new ClientAuthError (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:819:28)
    at Function.ClientAuthError.createEndpointDiscoveryIncompleteError (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:
    at Function.<anonymous> (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:8391:47)
    at step (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:79:23)
    at Object.throw (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:60:53)
    at rejected (/Users/eric/dev/ecosys/ecosys-src/ecosys-core-frontend/node_modules/@azure/msal-common/dist/index.cjs.js:51:65)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  errorCode: 'endpoints_resolution_error',
  errorMessage: 'Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your aell-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.microsoftonline.com/$mytenantId-configuration',
  subError: ''

And in my proxy, it looks like microsoftonline closes the connection with a 302

URL: http://login.microsoftonline.com/$mytenantId/v2.0/.well-known/openid-configuration
Status: Redirect
Response Code: 302 Found
Method: GET
Content Type: -

Content-Length: 0
Location: https://login.microsoftonline.com:443/$mytenantId/v2.0/.well-known/openid-configuration
client-request-id: 81204f1b-f103-4066-8c03-c98294d230db
Date: Thu, 06 Jul 2023 11:13:49 GMT
Connection: close

If I curl the same URL with my proxy, I receive a 200 with the correct payload.

Thank you for your help

@chanphillip The linked PR should be in next Monday’s (March 6, 2023) build.

It seems to get fixed by updating the below dependencies:

Before (fails):

    "http-proxy-agent": "^2.1.0",
    "https-proxy-agent": "^2.2.1"

After (works):

    "http-proxy-agent": "^5.0.0",
    "https-proxy-agent": "^5.0.0",

Thanks @bgavrilMS and @Robbie-Microsoft for the hint 😃

I’m facing a similar issue with v1.15.0… tried everything from comments above, but nothing seems to work. I also incorporated the custom INetworkModule from samples, but still no luck. Here’s my log, my codebase is open source so I can share as well… it’s a VS Code extension… link to my config >> error triggers here

[Information]: Authority URL set to: https://login.microsoftonline.com/organizations - []
[Information]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Info - acquireTokenByDeviceCode called - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - initializeRequestScopes called - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : [710b563e-4e25-4cec-aed6-7670724f6d53] : @azure/msal-node@1.15.0 : Verbose - buildOauthClientConfiguration called - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : [710b563e-4e25-4cec-aed6-7670724f6d53] : @azure/msal-node@1.15.0 : Verbose - building oauth client configuration with the authority: https://login.microsoftonline.com/organizations - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : [710b563e-4e25-4cec-aed6-7670724f6d53] : @azure/msal-node@1.15.0 : Verbose - createAuthority called - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Trace - Retrieving all cache keys - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Trace - Getting cache key-value store - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - Attempting to get cloud discovery metadata in the config - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the cache. - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - Did not find cloud discovery metadata in the cache... Attempting to get cloud discovery metadata from the network. - []
[Error]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Error - A non-MSALJS error was thrown while attempting to get the cloud instance discovery metadata.
Error: TypeError
Error Description: The "listener" argument must be of type function. Received an instance of Object - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - Did not find cloud discovery metadata from the network... Attempting to get cloud discovery metadata from hardcoded values. - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Verbose - Found cloud discovery metadata from hardcoded values. - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Trace - Getting cache key-value store - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Trace - Getting cache key-value store - []
[Verbose]: [Thu, 23 Feb 2023 13:35:37 GMT] : @azure/msal-node@1.15.0 : Trace - Setting cache key value store - []
[Error]: Login failed: ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. 
Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. 
Attempted to retrieve endpoints from: https://undefined/organizations/v2.0/.well-known/openid-configuration - []
[Error]: ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. 
Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. 
Attempted to retrieve endpoints from: https://undefined/organizations/v2.0/.well-known/openid-configuration - []

Unclear why authority URL is not being respected even though it’s received by buildOauthClientConfiguration correctly… would appreciate any tips!
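
A preflight check for the two things the error message asks you to verify (the authority string and the contents of the .well-known/openid-configuration document), as an added example that is not part of the thread or of MSAL. It runs outside MSAL on Node's built-in fetch; the function names, the list of required fields and the sample documents are assumptions made for illustration.

```javascript
// Added diagnostic sketch, not MSAL code. checkAuthority needs Node 18+ (global fetch).
// Assumption: these four fields are what a client needs from the discovery document.
const REQUIRED_FIELDS = ["authorization_endpoint", "token_endpoint", "issuer", "jwks_uri"];

// Build the discovery URL named in the error message; reject malformed authorities.
function discoveryUrl(authority) {
  let url;
  try {
    url = new URL(authority);
  } catch {
    throw new Error(`authority is not a URL: ${authority}`);
  }
  if (url.protocol !== "https:") throw new Error(`authority must use https: ${authority}`);
  const tenant = url.pathname.split("/").filter(Boolean)[0];
  // An unset variable interpolated into a template string arrives as "undefined".
  for (const part of [url.hostname, tenant]) {
    if (!part || part === "undefined" || part === "null") {
      throw new Error(`authority has an empty host or tenant: ${authority}`);
    }
  }
  return `${url.origin}/${tenant}/v2.0/.well-known/openid-configuration`;
}

// List required fields that are absent or not https URLs in a parsed document.
function missingEndpoints(doc) {
  return REQUIRED_FIELDS.filter((field) => {
    const value = doc && doc[field];
    return typeof value !== "string" || !value.startsWith("https://");
  });
}

// Fetch without following redirects so a 3xx from a proxy hop is reported, not hidden.
async function checkAuthority(authority) {
  const url = discoveryUrl(authority);
  const res = await fetch(url, { redirect: "manual" });
  if (res.status >= 300 && res.status < 400) {
    return { url, ok: false, reason: `redirect ${res.status} to ${res.headers.get("location")}` };
  }
  if (!res.ok) return { url, ok: false, reason: `HTTP ${res.status}` };
  const missing = missingEndpoints(await res.json());
  return { url, ok: missing.length === 0, reason: missing.join(", ") || "all endpoints present" };
}

// Constructed sample documents (placeholder tenant, not captured from a real response).
const BASE = "https://login.microsoftonline.com/example-tenant";
const SAMPLE_COMPLETE = { issuer: `${BASE}/v2.0`, authorization_endpoint: `${BASE}/oauth2/v2.0/authorize`,
  token_endpoint: `${BASE}/oauth2/v2.0/token`, jwks_uri: `${BASE}/discovery/v2.0/keys` };
const SAMPLE_PARTIAL = { issuer: `${BASE}/v2.0`, token_endpoint: `${BASE}/oauth2/v2.0/token` };
```

Because this check does not go through MSAL's network module or its proxyUrl setting, a pass here alongside a failure in MSAL points at the library's network path rather than at the authority or the endpoint.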

@awanlin Wanted to chime in here: I set up my auth block to look exactly like yours before it was changed, on msal-node v1.9.1 and v1.14.6, and I did not receive an error.

const clientId = "CLIENT_ID";
const clientSecret = "CLIENT_SECRET";
const clientConfig: msal.Configuration = {
    auth: {
        clientId,
        clientSecret,
        authority: "AUTHORITY",
    },
    ...

@bgavrilMS definitively the right email. Just copied and pasted again. Subject is: Fw: Logging from jsbinette msal 4879

@awanlin - if you don’t mind, let’s keep this open as other folks are still having problems. I’d like MSAL to at least throw a better error message.

@Robbie-Microsoft - can you please investigate why @awanlin 's config change fixes the issue? Maybe we can throw a better error message?

@jsbinette - can you provide verbose PII logging if you are able to reproduce the issue with MSAL alone? Feel free to email them to me if you wish at bogavril at microsoft com. They will not contain secrets or tokens, but will have some IDs.

@awanlin For what it’s worth, I am able to run the sample in my previous comment with msal-node versions 1.9.1 and 1.14.2.

@awanlin To set the authority and knownAuthorities config parameters:

    authority: `https://login.microsoftonline.com/${tenantId}`,
    knownAuthorities: [`https://login.microsoftonline.com/${tenantId}`,],

Unless you are running in a private / air-gapped cloud, setting the knownAuthorities should not be required. MSAL tries to validate the authority against:

  • a list of known authorities which AAD knows
  • known authorities to you, the developer

  1. Is it possible that you got the tenantId wrong?
  2. Is it possible to get a network trace to see the actual node response? (you might have to send it via email as it’ll have some pii - bogavril at microsoft.com)

Guys, I had a similar problem; for me the solution was switching version + clearing node_modules and the pipeline cache for it. Not clear what the problem was, but it looks like some cache problem, and a fresh install solved it.