MSAL_Node fails to Login with Proxy Server #7189

Open
1 of 2 tasks
PhilipsonJoseph opened this issue Jul 4, 2024 · 10 comments
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package Needs: Attention 👋 Awaiting response from the MSAL.js team question Customer is asking for a clarification, use case or information.

Comments

@PhilipsonJoseph

PhilipsonJoseph commented Jul 4, 2024

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.9.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

A few China cloud customers have reported issues wherein they are getting an error in our Azure pipeline task: "Error: Could not fetch access token for Azure. Status code: endpoints_resolution_error, status message: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from:
https://login.partner.microsoftonline.cn/1338e9e4-3189-42f4-9a96-b67c3549f5c5/v2.0/.well-known/openid-configuration
"

We are consuming the MSAL_node (2.9.2) package through our Azure pipeline tasks. Earlier we were using MSAL_Node (1.14.5) with Node 16, and we are seeing this error after upgrading to MSAL_Node (2.9.2) with Node 20.

Error Message

Error: Could not fetch access token for Azure. Status code: endpoints_resolution_error, status message: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from:
https://login.partner.microsoftonline.cn/1338e9e4-3189-42f4-9a96-b67c3549f5c5/v2.0/.well-known/openid-configuration

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

auth: {
    clientId: "******",
    authority: "https://login.chinacloudapi.cn/"
},
system: {
    loggerOptions: {
        loggerCallback(loglevel, message, containsPii) {
            loglevel == LogLevel.Error ? tl.error(message) : tl.debug(message);
        },
        piiLoggingEnabled: false,
        logLevel: LogLevel.Info,
    }
}

Relevant Code Snippets

https://github.com/microsoft/azure-pipelines-tasks-common-packages/blob/main/common-npm-packages/azure-arm-rest/azure-arm-common.ts#L289

Reproduction Steps

  1. Create a service connection to Azure China cloud.
  2. Create a release pipeline with any of the Azure pipeline tasks (https://github.com/microsoft/azure-pipelines-tasks/tree/master/Tasks/KubernetesV1).
  3. Run the pipeline; we would see the login failure in the task logs.

Expected Behavior

Task is able to fetch the token without any issues

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, None (Server)

Regression

@azure/msal_node@1.14.5 with node 16

Source

Internal (Microsoft)

@PhilipsonJoseph PhilipsonJoseph added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jul 4, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jul 4, 2024
@github-actions github-actions bot added confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package labels Jul 4, 2024
@bgavrilMS
Member

@PhilipsonJoseph - can you please try to use https://login.partner.microsoftonline.cn/TENANT_ID as authority?

@Robbie-Microsoft - the error message doesn't seem to provide enough details.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 9, 2024
@PhilipsonJoseph
Author

PhilipsonJoseph commented Jul 10, 2024

@bgavrilMS We will try your suggestion. But we also observe that the same error is happening when the agents are running behind a proxy.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Jul 10, 2024
@PhilipsonJoseph
Author

@bgavrilMS Sorry for the confusion. The issue is not with the China Cloud; when a cx uses a proxy we could observe this error. We are setting up INetworkModule in case a customer uses a proxy.

@Robbie-Microsoft
Collaborator

@PhilipsonJoseph Sorry to hear you're having problems when a proxy is used. I agree that the best course of action is to write a custom INetworkModule. You can see our sample for a custom INetworkModule here.

@Robbie-Microsoft Robbie-Microsoft changed the title from "MSAL_Node fails to Login with China Could" to "MSAL_Node fails to Login with China Cloud" Jul 12, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 12, 2024
@PhilipsonJoseph
Author

@Robbie-Microsoft @bgavrilMS We are already using the custom INetworkModule, but the error occurs after updating from 1.. to 2..

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Jul 15, 2024
@Robbie-Microsoft
Collaborator

Can you post your custom INetworkModule here?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 16, 2024
@PhilipsonJoseph PhilipsonJoseph changed the title from "MSAL_Node fails to Login with China Cloud" to "MSAL_Node fails to Login with Proxy Server" Jul 17, 2024
@PhilipsonJoseph
Author

@Robbie-Microsoft This is how we implemented the custom network module. FYI, it used to work fine with the older version of MSAL.

image
image

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Jul 17, 2024
@Robbie-Microsoft
Collaborator

Where is fetch defined? Is that NodeJs's native fetch? Or is it from a 3rd party library?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 17, 2024
@PhilipsonJoseph
Author

PhilipsonJoseph commented Jul 18, 2024

@Robbie-Microsoft We are using node-fetch https://www.npmjs.com/package/node-fetch

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Jul 18, 2024
@chathurasachithra

auth: {
    clientId: "******",
    authority: "https://login.chinacloudapi.cn/"
},
system: {
    loggerOptions: {
        loggerCallback(loglevel, message, containsPii) {
            loglevel == LogLevel.Error ? tl.error(message) : tl.debug(message);
        },
        piiLoggingEnabled: false,
        logLevel: LogLevel.Info,
    },
    proxyUrl: "<your proxy>",
    networkClient: proxyNetworkClient
}

Try this
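
The `proxyNetworkClient` passed as `networkClient` in the configuration above is not defined anywhere in the thread. One way to write such a client, as an added example that is not code from the issue or from msal-node; the class name, the injected `fetchImpl` and `agent` parameters and the `log` callback are assumptions:

```javascript
// Added example, not code from the issue or from msal-node.
// Shape assumed from msal-node's INetworkModule: both methods resolve to
// { headers, body, status }.
class ProxyNetworkClient {
  // fetchImpl: a fetch-compatible function (node-fetch in the thread).
  // agent: a proxy agent you construct for your proxy URL (hypothetical here).
  constructor(fetchImpl, agent, log = () => {}) {
    this.fetchImpl = fetchImpl;
    this.agent = agent;
    this.log = log;
  }

  async send(method, url, options = {}) {
    const origin = new URL(url).origin; // log the host only, never bodies or headers
    let res;
    try {
      res = await this.fetchImpl(url, {
        method,
        headers: options.headers,
        body: options.body,
        // node-fetch honours `agent`; Node's built-in fetch ignores it,
        // so a request sent that way would not go through the proxy.
        agent: this.agent,
      });
    } catch (err) {
      // Surface the transport error that sits behind endpoints_resolution_error.
      this.log(`${method} ${origin} failed: ${err.message}`);
      throw err;
    }
    const text = await res.text();
    let body = {};
    try {
      body = JSON.parse(text);
    } catch {
      // A proxy block page or captive portal shows up here as HTML.
      this.log(`${method} ${origin} returned non-JSON, status ${res.status}`);
    }
    return { headers: Object.fromEntries(res.headers), body, status: res.status };
  }

  sendGetRequestAsync(url, options) {
    return this.send("GET", url, options);
  }

  sendPostRequestAsync(url, options) {
    return this.send("POST", url, options);
  }
}
```

The log lines carry only the request origin and status, so token request bodies, which hold the client secret or assertion, never reach the pipeline log.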
