Which Version of MSAL are you using ?
3.0.0 preview
Note that to get help, you need to run the latest version. Preview versions are also ok.
For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet
Platform
net4.5 framework
What authentication flow has the issue?
Other? - please describe;
Is this a new or existing app?
This is a new app or experiment
Repro
```csharp
using System.Configuration;
using System.Net.Http.Headers;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

// Repro: no authority is set, so MSAL falls back to its default (/common),
// which rejects the username/password grant.
static async Task<GraphServiceClient> Auth()
{
    var app = PublicClientApplicationBuilder.Create(ConfigurationManager.AppSettings["clientId"]).Build();
    string[] scopes = new string[] { "user.read" };
    var securePassword = new SecureString();
    foreach (char c in "dummy") // placeholder only: you should fetch the password
        securePassword.AppendChar(c); // keystroke by keystroke
    AuthenticationResult result = await app
        .AcquireTokenByUsernamePassword(scopes, "[email protected]", securePassword)
        .ExecuteAsync();
    string token = result.AccessToken;
    GraphServiceClient graphClient = new GraphServiceClient(
        "https://graph.microsoft.com/v1.0",
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                // Attach the access token as a bearer token on every Graph request
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }));
    return graphClient;
}
```
Expected behavior
Hardcoded credentials are used to gather the Access Token
Actual behavior
Microsoft.Identity.Client.MsalServiceException: 'AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.
Additional context/ Logs / Screenshots
https://i.imgur.com/XwncoAm.png
https://i.imgur.com/0TtxAhi.png
Following the MSDoc here, the application is configured correctly to allow multi-tenancy. The purpose of my application is to allow any user to (eventually) pass in credentials via the command line as arguments, so it will work for any AAD tenant, not just one. The hardcoded credentials in the sample are not the credentials I use; I use a .onmicrosoft.com account (who is a user in my AAD instance). Redirect URI is set to use /organizations instead of /common as well.
```csharp
var app = PublicClientApplicationBuilder.Create(ConfigurationManager.AppSettings["clientId"])
    .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
    .Build();
```
You have configured the application correctly, however the default authority does not allow you call ROPC. An authority is the host name in the cloud (https://login.microsoftonline.com/) plus the tenant. The default authority MSAL uses is https://login.microsoftonline.com/common
|Tenant|Meaning|supports ROPC|
|--|--|--|
|common|corporate and live accounts|no|
|organizations|corporate accounts|yes|
|consumers|corporate accounts|no|
|an actual tenant / directory ID (guid or contoso.onmicrosoft.com)|corporate accounts from your tenant only|yes|
Use the https://login.microsoftonline.com/organizations authority.
@jmprieur @henrik-me - we can improve the experience here in 2 ways - let me know and I will create a feature request. This is a very common issue SO, blog
[Good] 1. If developers don't specify an authority, the default authority should be /consumers when using ROPC instead of /common
AND / OR
[OK] 2. In ROPC, detect that the developer is using common and throw a better exception with a code snippet.
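The authority rule in the table above, turned into a small console program as an added example (this is not code from the issue or from the MSAL.NET repository). It assumes the MSAL.NET public-client API used in the thread (`PublicClientApplicationBuilder`, `WithAuthority(string)`, `AcquireTokenByUsernamePassword` with a `SecureString`), a C# 7.1 or later compiler for the async `Main`, and that the client ID, username and optional tenant are passed on the command line; the `RopcAuthority` helper and its messages are the example's own. The helper maps the tenant argument to an authority and refuses `common` and `consumers` up front, so the caller gets a clear error instead of AADSTS9001023 from the server; the password is read from the console rather than hardcoded or passed as an argument, since arguments end up in process listings and shell history.

```csharp
// Added example, not part of the issue or the MSAL.NET repo.
// Assumes MSAL.NET (Microsoft.Identity.Client); RopcAuthority is a helper defined here.
using System;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class RopcAuthority
{
    const string Host = "https://login.microsoftonline.com/";

    // Returns an authority the username/password grant (ROPC) is accepted on,
    // or throws for the two audiences (common, consumers) that reject it.
    public static string ForTenant(string tenant)
    {
        if (string.IsNullOrWhiteSpace(tenant))
            return Host + "organizations";          // work/school accounts from any tenant

        switch (tenant.Trim().ToLowerInvariant())
        {
            case "common":
            case "consumers":
                throw new ArgumentException(
                    $"'{tenant}' does not support the username/password grant; use 'organizations' or a tenant ID/domain.");
            case "organizations":
                return Host + "organizations";
            default:
                return Host + tenant;               // GUID or contoso.onmicrosoft.com: that tenant only
        }
    }
}

static class Program
{
    // usage: app <clientId> <username> [tenant]
    static async Task<int> Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: app <clientId> <username> [tenant]");
            return 2;
        }
        string clientId = args[0], username = args[1];
        string authority = RopcAuthority.ForTenant(args.Length > 2 ? args[2] : null);

        // For "organizations" this is the same as .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(authority)
            .Build();

        Console.Error.Write("Password: ");
        SecureString password = ReadSecret();   // read without echo, never hardcoded

        try
        {
            AuthenticationResult result = await app
                .AcquireTokenByUsernamePassword(new[] { "user.read" }, username, password)
                .ExecuteAsync();
            Console.WriteLine($"Token for {result.Account.Username} expires {result.ExpiresOn:u}");
            return 0;
        }
        catch (MsalUiRequiredException ex)
        {
            // ROPC cannot satisfy MFA, consent prompts or Conditional Access; an interactive flow is needed
            Console.Error.WriteLine($"Interaction required ({ex.ErrorCode}): {ex.Message}");
            return 1;
        }
        catch (MsalServiceException ex)
        {
            // Server-side rejection, e.g. AADSTS9001023 if the authority were /common or /consumers
            Console.Error.WriteLine($"AAD rejected the request ({ex.ErrorCode}): {ex.Message}");
            return 1;
        }
    }

    // Reads a line from the console into a SecureString without echoing it.
    static SecureString ReadSecret()
    {
        var s = new SecureString();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace)
            {
                if (s.Length > 0) s.RemoveAt(s.Length - 1);
            }
            else if (!char.IsControl(k.KeyChar))
            {
                s.AppendChar(k.KeyChar);
            }
        }
        Console.Error.WriteLine();
        s.MakeReadOnly();
        return s;
    }
}
```

`MsalUiRequiredException` derives from `MsalServiceException`, so it has to be caught first; it is the case to expect in practice, because ROPC sends the password straight to the token endpoint and has no way to complete MFA or a Conditional Access policy.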
That was it! adding .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs) fixed it. Thank you! Is that documented anywhere?
@hausec I think it is not properly documented - I added it to our wiki but really we should be throwing a better exception.
Our sample that showcases this flow does the right thing though:
https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2
Perfect, thank you.
I'm going to leave this open as a bug for us to provide a better experience.
@bgavrilMS : I assume you mean organizations in bullet 1 or your solution options?
I think we should open a feature to do both step 1 and step 2. @jmprieur ?