
Multi-tenant authentication does not work with client secret credentials #23693

Closed
2 of 5 tasks
vitalymelni opened this issue Nov 3, 2022 · 1 comment
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@vitalymelni

  • Package Name: @azure/identity
  • Package Version: 3.0.0
  • Operating system: macOS 12.6
  • nodejs
    • version: v16.16.0
  • typescript
    • version: 4.8.3
  • Is the bug related to documentation in

Describe the bug
Trying to authenticate with a tenant id that is different than the tenant id in the client secret credential does not work, even when passing the "additionallyAllowedTenants" option correctly (with '*' or with both tenant ids).

To Reproduce
Steps to reproduce the behavior:

  1. Register an app in Azure AD and create a client secret credential for it
  2. Give the app permissions to the other tenant
  3. Run the following code:

```typescript
import { ClientSecretCredential } from '@azure/identity';
import { Client } from '@microsoft/microsoft-graph-client';
import { TokenCredentialAuthenticationProvider } from '@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials';

// Credential for the home tenant; '*' is meant to allow token requests for any tenant.
const tokenCreds = new ClientSecretCredential(
  '<first-tenant-id>',
  '<client-id>',
  '<client-secret>',
  { additionallyAllowedTenants: ['*'] },
);

// Ask the provider to request tokens for a different tenant on every call.
// The option is named getTokenOptions (capital O) in TokenCredentialAuthenticationProviderOptions.
const authProvider = new TokenCredentialAuthenticationProvider(tokenCreds, {
  scopes: ['https://graph.microsoft.com/.default'],
  getTokenOptions: { tenantId: '<second-tenant-id>' },
});

const client = Client.initWithMiddleware({
  authProvider,
});

client.api('/organization').get().then((res) => console.log(res));
```

  4. The code fails with the following error (on the last line):

    The current credential is not configured to acquire tokens for tenant <first-tenant-id>. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.

Expected behavior
The code should work

Additional context
The issue seems to be here:
https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/msal/nodeFlows/msalNodeCommon.ts#L306

It looks like this line does not take into account the "additionallyAllowedTenants" option and doesn't pass it to the "processMultiTenantRequest", which uses a default empty array:

```typescript
additionallyAllowedTenantIds: string[] = []
```
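The gate the issue is about, as an added illustration (this is not the `@azure/identity` source, and the names `resolveTenant`, `TenantGateOptions` and `attemptCrossTenantRequest` are assumptions): a request for a tenant other than the credential's own tenant is permitted only when that tenant, or the `"*"` wildcard, appears in the allow-list. The second function shows why the reporter hits the error even with `['*']`: if the caller's list is not forwarded to the check, the check runs against its default empty array and refuses every cross-tenant request.

```typescript
// Added example modelled on the behaviour described in the issue; it is not
// the library's own implementation. Tenant ids below are constructed placeholders.

interface TenantGateOptions {
  /** Tenant the credential was constructed with (may be undefined). */
  credentialTenantId?: string;
  /** Tenant requested for this call (GetTokenOptions.tenantId). */
  requestedTenantId?: string;
  /** Extra tenants the credential may serve; "*" allows any tenant. */
  additionallyAllowedTenantIds?: string[];
}

class TenantNotAllowedError extends Error {}

/**
 * Resolves which tenant a token request may target.
 * - No per-request tenant: use the credential's own tenant.
 * - Same tenant as the credential: always allowed.
 * - Different tenant: allowed only if listed explicitly or via "*".
 */
function resolveTenant(opts: TenantGateOptions): string | undefined {
  const { credentialTenantId, requestedTenantId, additionallyAllowedTenantIds = [] } = opts;

  if (!requestedTenantId) return credentialTenantId;
  if (requestedTenantId === credentialTenantId) return requestedTenantId;

  const allowed =
    additionallyAllowedTenantIds.includes('*') ||
    additionallyAllowedTenantIds.includes(requestedTenantId);

  if (!allowed) {
    throw new TenantNotAllowedError(
      `The current credential is not configured to acquire tokens for tenant ${requestedTenantId}. ` +
        'To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the ' +
        'credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.',
    );
  }
  return requestedTenantId;
}

interface Outcome {
  ok: boolean;
  tenantId?: string;
  message?: string;
}

/**
 * Simulates the reported defect. The caller always passes ['*'], but the
 * value only reaches the gate when forwardAllowedTenants is true; otherwise the
 * gate sees its default empty array, as in the line the issue points at.
 */
function attemptCrossTenantRequest(forwardAllowedTenants: boolean): Outcome {
  const callerOption = ['*']; // what the reporter passed to ClientSecretCredential
  try {
    const tenantId = resolveTenant({
      credentialTenantId: 'first-tenant-id', // constructed placeholder
      requestedTenantId: 'second-tenant-id', // constructed placeholder
      additionallyAllowedTenantIds: forwardAllowedTenants ? callerOption : undefined,
    });
    return { ok: true, tenantId };
  } catch (e) {
    return { ok: false, message: (e as Error).message };
  }
}
```

Calling `attemptCrossTenantRequest(false)` reproduces the refusal, and `attemptCrossTenantRequest(true)` shows the request succeeding once the option is actually forwarded; the fix is in the plumbing, not in the gate itself.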

@mpodwysocki
Member

Fixed as per #23704 and #23734
