
Querying the MS Graph as part of the OnTokenValidated fails with error that "Input id_token cannot be used as ..." #747

Open
peterhutgasunie opened this issue Dec 6, 2023 · 0 comments
Labels
question Further information is requested

Comments

@peterhutgasunie

Microsoft.Identity.Web version

2.16.0

Web app sign-in

Not applicable

Web API (call Graph or downstream APIs)

Not applicable

Deploy to Azure

5-WebApp-AuthZ/5-2-Groups

Auth Z

Not applicable

Description

I would like to retrieve the member groups for a user as part of the authentication process to add claims based on these groups in a Web App. Sample 5-2-Groups does that but fails when it uses the GraphServiceClient in OnTokenValidated. I had actually hoped to use an IClaimsTransformer, but I receive the same errors. Using the GraphServiceClient later on works fine (as the sample does in the UserProfileController).

Querying the MS Graph as part of the OnTokenValidated fails with error that "Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. "

This appears to be related to the workaround used that puts 'context.SecurityToken' into the HttpContext.Items as Cached_Graph_Token_Key, but SecurityToken is an ID token.

Without the workaround the error changes to "No account or login hint was passed to the AcquireTokenSilent call. " (this is the error I have in another project that I hoped to resolve with this sample).

Reproduction steps

  1. Clone samples
  2. Fill in Azure AD configuration for sample 5-2-Groups
  3. Run the sample 5-2-Groups
  4. Log in with a user for which 'HasOverageOccurred' is true (or change the code to always return true)
  5. Login succeeds but console message reports the error 'AADSTS240002: Input id_token cannot be used as ...'

Error message

"AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. Trace ID: ff0f8af9-bae1-4edf-8cb5-a1c8970f1800 Correlation ID: 2aad8c5b-9859-46e5-b6d4-3bc63a51f312 Timestamp: 2023-12-06 11:53:57Z"

Without 'JwtSecurityTokenUsedToCallWebAPI' workaround:
"IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. "
Innerexception: "No account or login hint was passed to the AcquireTokenSilent call. " ErrorCode: "user_null"

Id Web logs

dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
Microsoft.IdentityModel Version: 7.0.3.0. Date 12/06/2023 12:15:25. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details.
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21328: Generating nonce for openIdConnect message.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21342: 'RequireStateValidation' = false, not validating the state.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:28Z] ConfidentialClientApplication 17180427 created
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:28Z - 2807160c-e055-4387-bf8a-869015356df1] MSAL MSAL.NetCore with assembly version '4.57.0.0'. CorrelationId(2807160c-e055-4387-bf8a-869015356df1)
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read Group.Read.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenByAuthorizationCode
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 2807160c-e055-4387-bf8a-869015356df1
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] === Token Acquisition (ConfidentialAuthCodeRequest) started:
Scopes: User.Read Group.Read.All
Authority Host: login.microsoftonline.com
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Instance discovery is enabled and will be performed
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Region discovery] Not using a regional authority.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Fetching instance discovery from the network from host login.microsoftonline.com.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [Oauth2Client] Sending GET request
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [HttpManager] ExecuteAsync
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Sending request. Method: GET. Host: https://login.microsoftonline.com.
info: System.Net.Http.HttpClient.Default.LogicalHandler[100]
Start processing HTTP request GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.microsoftonline.com%2FTENANTID%2Foauth2%2Fv2.0%2Fauthorize
info: System.Net.Http.HttpClient.Default.ClientHandler[100]
Sending HTTP request GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.microsoftonline.com%2FTENANTID%2Foauth2%2Fv2.0%2Fauthorize
info: System.Net.Http.HttpClient.Default.ClientHandler[101]
Received HTTP response headers after 373.2987ms - 200
info: System.Net.Http.HttpClient.Default.LogicalHandler[101]
End processing HTTP request after 388.4963ms - 200
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Received response. Status code: OK.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [HttpManager] ExecuteAsync in 404 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [Oauth2Client] Sending GET request in 411 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [OAuth2Client] Deserializing response
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [OAuth2Client] Deserializing response in 9 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Authority validation enabled? True.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Authority validation - is known env? True.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting TokenClient:SendTokenRequestAsync
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [TokenClient] Before adding the client assertion / secret
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [TokenClient] After adding the client assertion / secret
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Token Client] Fetching MsalTokenResponse ....
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [Oauth2Client] Sending POST request
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [HttpManager] ExecuteAsync
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Sending request. Method: POST. Host: https://login.microsoftonline.com.
info: System.Net.Http.HttpClient.Default.LogicalHandler[100]
Start processing HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
info: System.Net.Http.HttpClient.Default.ClientHandler[100]
Sending HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
info: System.Net.Http.HttpClient.Default.ClientHandler[101]
Received HTTP response headers after 202.6479ms - 200
info: System.Net.Http.HttpClient.Default.LogicalHandler[101]
End processing HTTP request after 209.044ms - 200
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [HttpManager] Received response. Status code: OK.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [HttpManager] ExecuteAsync in 218 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [Oauth2Client] Sending POST request in 227 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Starting [OAuth2Client] Deserializing response
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished [OAuth2Client] Deserializing response in 26 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Finished TokenClient:SendTokenRequestAsync in 281 ms
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Checking client info returned from the server..
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Saving token response to cache..
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1]
[MsalTokenResponse]
Error:
ErrorDescription:
Scopes: Group.Read.All User.Read profile openid email
ExpiresIn: 86399
RefreshIn: 43199
AccessToken returned: True
AccessToken Type: Bearer
RefreshToken returned: True
IdToken returned: True
ClientInfo returned: True
FamilyId:
WamAccountId exists: False

info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Region discovery] Not using a regional authority.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Entering token cache semaphore. Count Real semaphore: True. Count: 1.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Entered token cache semaphore.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Looking for scopes for the authority in the cache which intersect with User.Read Group.Read.All
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z] [Internal cache] Total number of cache partitions found while getting access tokens: 0
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Intersecting scope entries count - 0
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Matching entries after filtering by user - 0
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Saving RT in cache...
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Not saving to ADAL legacy cache.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] [SaveTokenResponseAsync] Released token cache semaphore.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1]
=== Token Acquisition finished successfully:
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] AT expiration time: 12/7/2023 12:15:28 PM +00:00, scopes: Group.Read.All User.Read profile openid email. source: IdentityProvider
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] Fetched access token from host login.microsoftonline.com.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1]
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 0
[LogMetricsFromAuthResult] DurationTotalInMs: 848
[LogMetricsFromAuthResult] DurationInHttpInMs: 604

info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:29Z - 2807160c-e055-4387-bf8a-869015356df1] TokenEndpoint: ****
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10242: Security token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10234: Audience Validated.Audience: 'a489f663-32be-439b-a4ea-6c1a4d5fbdc4'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10255: TypeValidator property on ValidationParameters is null and ValidTypes is either null or empty. Exiting without validating the token type.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10245: Creating claims identity from the validated token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10241: Security token validated. token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] MSAL MSAL.NetCore with assembly version '4.57.0.0'. CorrelationId(00000000-0000-0000-0000-000000000000)
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] === OnBehalfOfParameters ===
SendX5C: False
ForceRefresh: False
UserAssertion set: True
SearchInCacheForLongRunningObo: False
LongRunningOboCacheKey set: False

info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z]
=== Request Data ===
Authority Provided? - True
Scopes - user.read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenOnBehalfOf
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 00000000-0000-0000-0000-000000000000
UserAssertion set: True
LongRunningOboCacheKey set: False
Region configured:

info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] === Token Acquisition (OnBehalfOfRequest) started:
Scopes: user.read
Authority Host: login.microsoftonline.com
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Only in-memory caching is used. The cache is not persisted and will be lost if the machine is restarted. It also does not scale for a web app or web API, where the number of users can grow large. In production, web apps and web APIs should use distributed caching like Redis. See https://aka.ms/msal-net-cca-token-cache-serialization
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] Instance discovery is enabled and will be performed
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Region discovery] Not using a regional authority.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Instance Discovery] The network provider found an entry for login.microsoftonline.com.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [OBO Request] Looking in the cache for an access token
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Internal cache] Total number of cache partitions found while getting access tokens: 1
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: e_O8al3uH5q3u-EWZRke17bMrdxmXW07uF8QhnPnSVE
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [FindAccessTokenAsync] No access tokens found in the cache. Skipping filtering.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Finished [OBO Request] Looking in the cache for an access token in 11 ms
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [OBO request] Fetching tokens via normal OBO flow.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting TokenClient:SendTokenRequestAsync
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [TokenClient] Before adding the client assertion / secret
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [TokenClient] After adding the client assertion / secret
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [Token Client] Fetching MsalTokenResponse ....
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [Oauth2Client] Sending POST request
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] Starting [HttpManager] ExecuteAsync
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:33Z] [HttpManager] Sending request. Method: POST. Host: https://login.microsoftonline.com.
info: System.Net.Http.HttpClient.Default.LogicalHandler[100]
Start processing HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
info: System.Net.Http.HttpClient.Default.ClientHandler[100]
Sending HTTP request POST https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token
info: System.Net.Http.HttpClient.Default.ClientHandler[101]
Received HTTP response headers after 89.1471ms - 400
info: System.Net.Http.HttpClient.Default.LogicalHandler[101]
End processing HTTP request after 95.8244ms - 400
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] [HttpManager] Received response. Status code: BadRequest.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished [HttpManager] ExecuteAsync in 104 ms
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Response status code does not indicate success: 400 (BadRequest).
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Request retry failed.
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished [Oauth2Client] Sending POST request in 113 ms
dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] [Oauth2Client] Processing error response
info: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] HttpStatusCode: 400: BadRequest
fail: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] === Token Acquisition (1006) failed.
Host: login.microsoftonline.com.
fail: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_request
HTTP StatusCode 400
CorrelationId ce33fc66-6de0-460b-8cd1-a3d335b9be4b

dbug: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Finished TokenClient:SendTokenRequestAsync in 416 ms
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Fetching a new AT failed. Is exception retry-able? False. Is there an AT in the cache that is usable? False
warn: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Either the exception does not indicate a problem with AAD or the token cache does not have an AT that is usable.
fail: Microsoft.Identity.Web.TokenAcquisition[0]
False MSAL 4.57.0.0 MSAL.NetCore .NET 7.0.14 Microsoft Windows 10.0.22631 [2023-12-06 12:15:34Z] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: invalid_request
HTTP StatusCode 400
CorrelationId ce33fc66-6de0-460b-8cd1-a3d335b9be4b

     at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)
     at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.ExecuteAsync(CancellationToken cancellationToken)
     at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Call to Microsoft Graph failed: AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant. Trace ID: b4cfa2a9-388d-4770-9b57-edb3ad4e7400 Correlation ID: ce33fc66-6de0-460b-8cd1-a3d335b9be4b Timestamp: 2023-12-06 12:15:33Z

Relevant code snippets

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/9e67d5be760284f45ba07233c1168b44f44b91a9/5-WebApp-AuthZ/5-2-Groups/Services/GraphHelper.cs#L137

Regression

No response

Expected behavior

The access token obtained by the user after login for Microsoft Graph is used correctly to obtain the member groups of the user in either OnTokenValidated or IClaimsTransformer and claims are added to the user principal for these groups.

@peterhutgasunie peterhutgasunie added the question Further information is requested label Dec 6, 2023
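As an added example, not code from the 5-2-Groups sample, from Microsoft.Identity.Web or from the issue author: one way to run the group lookup inside OnTokenValidated without handing the ID token to the jwt-bearer grant. The root cause described above is that 'context.SecurityToken' is the ID token (its audience is the app's own client id), so stuffing it into HttpContext.Items makes the library treat it as a user assertion for on-behalf-of, which AAD rejects with AADSTS240002; and without that workaround, HttpContext.User is not yet populated while the event runs, which is what produces the "No account or login hint" (user_null) error. The code below instead asks ITokenAcquisition for a Graph access token for the principal that was just validated. Assumptions: the extension method name AddGroupClaimsOnTokenValidated and the "groups" claim type are constructed for this example; the `user` parameter of GetAccessTokenForUserAsync selecting the account cached at code redemption is assumed for the installed version, so check the ITokenAcquisition signature in your version; the scopes are the ones from the log above; an IHttpClientFactory is assumed to be registered (services.AddHttpClient()).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public static class GroupClaimsOnTokenValidated
{
    // Scopes taken from the issue's log ("Scopes - User.Read Group.Read.All").
    private static readonly string[] GraphScopes = { "User.Read", "Group.Read.All" };

    // Hypothetical extension method name (constructed for this example).
    public static IServiceCollection AddGroupClaimsOnTokenValidated(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Keep Microsoft.Identity.Web's own OnTokenValidated handler; it must run first.
            var existingOnTokenValidated = options.Events.OnTokenValidated;
            options.Events.OnTokenValidated = async context =>
            {
                await existingOnTokenValidated(context);
                if (context.Principal?.Identity is not ClaimsIdentity identity)
                {
                    return;
                }

                // Do NOT copy context.SecurityToken into HttpContext.Items: it is the ID token
                // (aud = this app's client id) and AAD refuses it as a jwt-bearer assertion
                // (AADSTS240002). Acquire a Microsoft Graph access token instead.
                var tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();

                // HttpContext.User is still empty while this event runs, which is what yields
                // "No account or login hint was passed to the AcquireTokenSilent call" (user_null).
                // Assumption: passing the just-validated principal as 'user' lets the library find
                // the account that MSAL cached when the authorization code was redeemed.
                string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(
                    GraphScopes, null, user: context.Principal);

                var httpFactory = context.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>();
                IReadOnlyList<string> groupIds = await GetMemberGroupIdsAsync(httpFactory.CreateClient(), accessToken);

                // Claims added here are persisted into the sign-in cookie with the principal.
                foreach (string groupId in groupIds)
                {
                    if (!identity.HasClaim("groups", groupId))
                    {
                        identity.AddClaim(new Claim("groups", groupId));
                    }
                }
            };
        });

        return services;
    }

    // POST /me/getMemberGroups is the Graph call the overage path needs: it returns the ids of
    // the groups the signed-in user is a (transitive) member of. securityEnabledOnly = true
    // restricts the result to security groups, which is what authorization decisions need.
    public static async Task<IReadOnlyList<string>> GetMemberGroupIdsAsync(HttpClient http, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, "https://graph.microsoft.com/v1.0/me/getMemberGroups")
        {
            Content = JsonContent.Create(new { securityEnabledOnly = true }),
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using HttpResponseMessage response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();

        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("value")
            .EnumerateArray()
            .Select(e => e.GetString()!)
            .ToList();
    }
}
```

Register it after the Microsoft.Identity.Web registration (`services.AddMicrosoftIdentityWebAppAuthentication(...)`), so that the chained handler wraps the library's own one; the same OnTokenValidated ordering applies to an IClaimsTransformation, which also runs before HttpContext.User is set and therefore needs the principal passed explicitly in the same way.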