[Enhancement][L] Enable OBO for SP (ADAL to MSAL Migration Issue)

[niruatweb]

Work

• See Penguinwizzard@de00f61 for a solution
• Evaluate if solution will work, e.g. token cache
• Create an E2E test using PPE env where this is allowed.

Which Version of MSAL are you using ?
4.13.0. I have described the issue in stack overflow. https://stackoverflow.microsoft.com/questions/198842. Generating OBO for SPN fails with "client info is null"

Platform
net45

What authentication flow has the issue?

• Web API
  • OBO for SPNs

Other? - please describe;
OBO for users work fine but not for groups.

Is this a new or existing app?
YES

Repro

  new UserAssertion(userBearerToken, "urn:ietf:params:oauth:grant-type:jwt-bearer"))
    .WithAuthority(aadAuthenticationAuthority)
    .ExecuteAsync();

==== Complete Stack Trace ===
Microsoft.Identity.Client.MsalClientException: client info is null
   at Microsoft.Identity.Client.Core.ClientInfo.CreateFromJson(String clientInfo)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<CacheTokenResponseAndCreateAuthenticationResultAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.<ExecuteAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.Rdx.GatewayService.Engine.Authentication.AadApplicationAuthenticator.<AcquireTokenAsync>d__7.MoveNext() in E:\CXTLRepos\TSI\Backend\Source\Product\GatewayService\Engine\Authentication\AadApplicationAuthenticator.cs:line 57”

Expected behavior
OBO should be generated

Actual behavior
Exception. Response comes from token endpoint but fails during deserialization of response.

Possible Solution
Fix in the requestBase.cs

Additional context/ Logs / Screenshots
Add any other context about the problem here, such as logs and screebshots. Logging is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

[jmprieur]

@niruatweb: there is no user with a SP. it's not possible to use a UserAssertion?

[niruatweb]

Hi @jmprieur , but how would i be able to get groups of the spn in this case. Can't i get an groups of SPN or deamon app?

[dkershaw10]

@niruatweb Are you trying to find the groups that the service principal owns, or something else? Please clarify.

[niruatweb]

@dkershaw10 i am trying find the group ids of which service principal is part of.

[dkershaw10]

Gotcha - so you want all the groups that the service principal is a member of. Microsoft Graph can give you this answer.
See https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-memberof?view=graph-rest-1.0&tabs=http OR https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-transitivememberof?view=graph-rest-1.0&tabs=http

If you are looking for this information to show up as a claim in the access token, I don't know if that is supported. We'd have to get others involved who work on the Identity STS. It would be worth creating a new and separate question on Microsoft Stack Overflow for that.

[niruatweb]

Groups are coming as part of access token. I believe i still need to pass OBO in this case. I hope MSAL bug to get OBO will be fixed soon.

[niruatweb]

Hi @jmprieur I have three options to generate OBO,

1. Wait for your fix for MSAL.
2. Use ADAL for this scenario only. I haven't tried if ADAL works
3. Call OAuth directly?. Creating client assertion is tricky, it is handled properly in MSAL library. I have to copy some of that code.

I will go with one of the option based on the time it would take for MSAL fix. What is your suggestion? How many days does it take?

[jmprieur]

cc: @henrik-me, @bgavrilMS, @trwalke @neha-bhargava
@niruatweb : do you have a repro that you could share with us (app coordinates)?
(Jean-Marc.Prieur at Microsoft dot com)

[niruatweb]

@jmprieur Below is the code, let me know if you want that cert that i am pointing as thumbprint.

''' var _confidentialClientApp = MSAL.ConfidentialClientApplicationBuilder
.Create((string)"4370834b-eb27-4dfc-b2cc-4028b4d82d1c") .WithCertificate(GetCertificateByThumbprint("766D2D978F190227EF13D066048E160029D39BA5"))
.Build();

        string aadAuthenticationAuthority = StringUtils.FormatInvariant("{0}/{1}/oauth2/authorize?resource={2}", "https://#.windows-ppe.net", "f686d426-8d16-42db-81b7-ab578e110ccd", "120d688d-1518-4cf7-bd38-182f158850b6");

       IReadOnlyList <string> scopes = new List<string>() { "120d688d-1518-4cf7-bd38-182f158850b6/.default" };

    var authenticationResult = await _confidentialClientApp.AcquireTokenForClient(scopes)
            .WithAuthority(aadAuthenticationAuthority)
                                        .ExecuteAsync();
        string userToken = authenticationResult.AccessToken;

        var _confidentialApp = MSAL.ConfidentialClientApplicationBuilder
            .Create((string)"120d688d-1518-4cf7-bd38-182f158850b6")
            .WithCertificate(GetCertificateByThumbprint("766D2D978F190227EF13D066048E160029D39BA5"))
            .Build();

        scopes = new List<string>() { "User.ReadBasic.All", "GroupMember.Read.All" };

        aadAuthenticationAuthority = StringUtils.FormatInvariant("{0}/{1}/oauth2/authorize?resource={2}", "https://#.windows-ppe.net", "f686d426-8d16-42db-81b7-ab578e110ccd", "https://graph.microsoft-ppe.com/");
        authenticationResult = await _confidentialApp.AcquireTokenOnBehalfOf(TestConstants.scopes, new MSAL.UserAssertion(userToken, "urn:ietf:params:oauth:grant-type:jwt-bearer"))
            .WithAuthority(aadAuthenticationAuthority)
                                        .ExecuteAsync();'''

[jmprieur]

See possible solution: Penguinwizzard@de00f61

@bgavrilMS @henrik-me can we add this to the following release?

[jmprieur]

@jmprieur to provide API review doc for this

[jmprieur]

If we want to test this, we can/should use PPE

daemon app calls web API call graph. The web API calls graph on behalf of the daemon