[Bug] Incorrect authority in AuthResult using instance_aware #3637

Closed
NakulSabharwal95 opened this issue Aug 29, 2022 · 12 comments · Fixed by #3641

@NakulSabharwal95 (Author) commented Aug 29, 2022

I used the below-mentioned configuration and tried logging into a non-public cloud. I got logged in and successfully got an access token as well; everything is correct except that the authority is not that of the respective cloud. It seems the library is overriding the authority it gets in the result.

Also, when I enable instance_aware manually using query params, it works fine except for the authority, but when I use WithMultiCloudSupport(true) it doesn't work.

Which version of MSAL.NET are you using?
MSAL.NET 4.46.0

Platform
.NET Framework: 4.7

What authentication flow has the issue?

  • Desktop
    • Integrated Windows Authentication

Is this a new or existing app?
The app is in production; I haven't upgraded MSAL, but I started seeing this issue.

Repro
1. Use this configuration of WAM:

    // Reporter's configuration as posted. WithMsalLogging() is assumed to be the
    // reporter's own extension method, not an MSAL API. instance_aware is passed
    // as an extra query parameter instead of calling WithMultiCloudSupport(true).
    return PublicClientApplicationBuilder.Create(clientId)
        .WithDefaultRedirectUri()
        .WithAuthority(authority, tenant)
        .WithExtraQueryParameters(new Dictionary<string, string>
        {
            { "instance_aware", "true" }
        })
        .WithWindowsBroker()
        .WithMsalLogging();

2. Log in using a non-public cloud account which is not added to your OS.

Expected behavior
Environment of the respective cloud in AuthResult (the account used is non-public).

Actual behavior
Got the Public environment in AuthResult, but the account was from a non-public cloud.

Possible solution
Do not override the auth result; instead, return the authority as it is, at least for non-public clouds, OR fix WithMultiCloudSupport(true) with WAM.
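
The following is an added example, not code from the issue or from the MSAL.NET project. It builds the client the way the maintainer later describes as the supported path (WithMultiCloudSupport(true) rather than an instance_aware extra query parameter), acquires a token through WAM, and then checks that the environment MSAL reports for the account matches the cloud the caller knows the test account belongs to (for example login.microsoftonline.us for Azure Government). clientId, tenant, scopes and expectedEnvironment are caller-supplied assumptions; the P/Invoke for the console window handle is only there so the WAM prompt has a parent window in a console app.

```csharp
// Added example (not from the issue). Assumes a .NET Framework desktop app
// referencing Microsoft.Identity.Client and Microsoft.Identity.Client.Desktop.
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Desktop;

public static class MultiCloudSignIn
{
    // WAM needs a parent window; for a console app the console window works.
    [DllImport("kernel32.dll")]
    private static extern IntPtr GetConsoleWindow();

    public static IPublicClientApplication BuildClient(string clientId, string tenant)
    {
        return PublicClientApplicationBuilder.Create(clientId)
            .WithDefaultRedirectUri()
            // Start at the public-cloud authority. With multi-cloud support on,
            // WAM redirects to the cloud the signed-in account belongs to.
            .WithAuthority("https://login.microsoftonline.com/", tenant)
            // Supported way to get multi-cloud behaviour; do not pass
            // instance_aware via WithExtraQueryParameters instead.
            .WithMultiCloudSupport(true)
            .WithWindowsBroker()
            .Build();
    }

    // expectedEnvironment is the authority host of the cloud the test account
    // lives in (assumed known to the caller for this check).
    public static async Task<AuthenticationResult> SignInAsync(
        IPublicClientApplication app, string[] scopes, string expectedEnvironment)
    {
        AuthenticationResult result = await app.AcquireTokenInteractive(scopes)
            .WithParentActivityOrWindow(GetConsoleWindow())
            .ExecuteAsync();

        // Account.Environment is the authority host MSAL will use for later
        // silent calls and cache lookups. If it names the public cloud while
        // the account is from a sovereign cloud, stop here instead of carrying
        // that token forward under the wrong environment.
        if (!string.Equals(result.Account.Environment, expectedEnvironment,
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Expected environment '{expectedEnvironment}' but MSAL reported " +
                $"'{result.Account.Environment}' (tenant {result.TenantId}); " +
                "check WithMultiCloudSupport(true) and the MSAL.NET version.");
        }

        return result;
    }
}
```

Usage: `var app = MultiCloudSignIn.BuildClient(clientId, "organizations"); var result = await MultiCloudSignIn.SignInAsync(app, new[] { "User.Read" }, "login.microsoftonline.us");`. On a build with the bug described in this issue the check throws because the environment comes back as the public cloud; on 4.47.0 or later it should pass.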

@bgavrilMS bgavrilMS self-assigned this Aug 29, 2022
@bgavrilMS bgavrilMS added this to the 4.47.0 milestone Aug 29, 2022
@bgavrilMS bgavrilMS moved this from Triage to In Progress in MSAL Customer Trust / QM Aug 29, 2022
@bgavrilMS (Member)

Can repro.

@NakulSabharwal95 (Author)

@bgavrilMS Thanks for reproing. What's the ETA for this to be fixed?

@bgavrilMS (Member)

@NakulSabharwal95 - correct me if I am wrong, but the scenario where you domain-join the new account still fails, right?

@NakulSabharwal95 (Author)

@bgavrilMS I don't have a non-public domain-joined machine, so I was not able to test the domain-joined scenario.
Can you test it by creating a machine domain-joined to a non-public cloud and trying to log in?

@bgavrilMS (Member) commented Aug 30, 2022

Clarification. I can still repro the following issue:

  1. machine is domain joined to public cloud tenant (e.g. Microsoft)
  2. login with work and school account from other cloud
  3. when prompted about adding the account to Windows or "This app only", add it to Windows.

Actual: the browser shows some "nonce malformed" error

If however at step 3 you press "This app only", then you get a token, but the authority in the AuthResult is wrong.

@NakulSabharwal95 (Author) commented Aug 30, 2022

What happens if we don't press "This app only" but instead "All Microsoft apps"?

Also, it's a known issue that when a public-cloud domain-joined device logs into a non-public account, it doesn't work correctly and shows the nonce error. But I haven't been able to test it on a non-public domain-joined device; I expect it may work correctly on it.
But if a device

@bgavrilMS (Member)

I'm just saying that until this issue with the nonce is fixed via a Windows update, this feature is unusable.

@NakulSabharwal95 (Author) commented Aug 31, 2022

@bgavrilMS Is the "nonce malformed" issue reproducible on a non-public domain-joined account using an account belonging to the same cloud?

Also, the handling of WAM with WithWindowsBroker().WithMultiCloudSupport(true) should be similar to WithWindowsBroker().WithExtraQueryParameters({ "instance_aware", "true" }). Can WithMultiCloudSupport(true) be fixed such that it adds the instance_aware query param and returns the correct authority? By doing this, at least the authentication of non-OS accounts (non-public accounts) would be complete, since that "nonce malformed" error is related to OS accounts only.

@bgavrilMS bgavrilMS moved this from In Progress to Waiting for Code Review in MSAL Customer Trust / QM Aug 31, 2022
@bgavrilMS (Member)

Yes @NakulSabharwal95 - that is the fix in the attached PR. Adding those extra query params is not a supported scenario for getting the multi-cloud feature working. WithMultiCloudSupport(true) is the only way.

@NakulSabharwal95 (Author)

@bgavrilMS Can you provide a preview build of that PR? Then I can test it on my machine.

bgavrilMS added a commit that referenced this issue Sep 7, 2022
Repository owner moved this from Waiting for Code Review to Fixed in MSAL Customer Trust / QM Sep 7, 2022
@bgavrilMS (Member)

@NakulSabharwal95 - sent via Teams

@gladjohn (Contributor)

MSAL 4.47.0 has been released. This issue is now fixed.
