Getting Error Time to Time - ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again . #7084

Closed
2 tasks done
hansakaRightS opened this issue May 8, 2024 · 6 comments
Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments


hansakaRightS commented May 8, 2024

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.0.4

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.1.0

Public or Confidential Client?

Public

Description

We are getting this error in our application. From our logs we can see some users were not able to log in to the system.

ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.company.com/company.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration

We are concerned about this kind of error; we can see this error every day in our logs. We would like to get more information about this.

Update: MsalService.instance.getAllAccounts()?.length was 0 for some of these users. Also, we didn't find any successful login from any of the IPs that faced this issue while we were monitoring.

```json
{
  "dependencies": {
    "@azure/msal-angular": "3.0.4",
    "@azure/msal-browser": "3.1.0"
  }
}
```

Error Message

ClientAuthError: endpoints_resolution_error: Error: could not resolve endpoints. Please check network and try again. Detail: ClientAuthError: openid_config_error: Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints. Attempted to retrieve endpoints from: https://login.company.com/company.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

```typescript
{
    auth: {
        clientId: clientId,
        authority: "B2C_1A_SIGNUP_SIGNIN",
        redirectUri: '/',
        navigateToLoginRequestUrl: false
    },
    cache: {
        cacheLocation: "LocalStoarage",
        storeAuthStateInCookie: false
    }
}
```

Relevant Code Snippets

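```typescript
this.adService.msalBroadcast$()
  .pipe(
    mergeMap(res => {
      if (res.eventType === EventType.LOGIN_FAILURE) {
        // Append the MSAL error to the log message
        if (res.error) {
          msg += res.error;
        }
        return of(new LogError(msg));
      }
      // mergeMap must return an observable for every event (EMPTY is from 'rxjs')
      return EMPTY;
    })
  )
```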

Reproduction Steps

  1. Press Login Button to login.

Some users experience this error when they try to log in.

Expected Behavior

Should be able to log in without facing this issue

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari, None (Server), Other

Regression

No response

Source

External (Customer)

@hansakaRightS
Author

Update: MsalService.instance.getAllAccounts()?.length was 0 for some of these users.
Also, we didn't find any successful login from any of the IPs that faced this issue while we were monitoring.

@sameerag
Member

@hansakaRightS please add your authority to knownAuthorities as this does not seem to be an AAD endpoint. Docs here.

@hansakaRightS
Author

@sameerag We have our configuration like below, and we have the knownAuthorities like this.

```typescript
import { BrowserCacheLocation, Configuration, LogLevel } from '@azure/msal-browser';

// environment and isIE are defined elsewhere in the application
const msalConfig: Configuration = {
    auth: {
        clientId: environment.activeDirectory.clientId,
        authority: `https://${environment.activeDirectory.loginDomain}/${environment.activeDirectory.domain}/B2C_1A_SIGNUP_SIGNIN`,
        knownAuthorities: [
            environment.activeDirectory.loginDomain,
            environment.activeDirectory.editDomain
        ],
        redirectUri: '/',
        navigateToLoginRequestUrl: false
    },
    cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage,
        storeAuthStateInCookie: isIE
    },
    system: {
        loggerOptions: {
            loggerCallback(logLevel: LogLevel, message: string) { },
            logLevel: LogLevel.Error,
            piiLoggingEnabled: false,
        },
        allowNativeBroker: false
    }
};
```


vella-nicholas commented Jun 5, 2024

Hi @sameerag, I work with @hansakaRightS. The domains are as follows:

"loginDomain": "login.ourDomain.com",
"editDomain": "appName.b2clogin.com",

The error specifically reads: "Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints."

We follow the URL and we can get the configuration.

This issue is similar to what we are experiencing: #7066
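Added example, not part of the thread and not MSAL.js code: a small probe that classifies why the discovery document could not be used, so an intermittent failure in client logs can be told apart from a host that is not listed in knownAuthorities. The function names, the `example.test` sample and the list of four required fields are assumptions made for this illustration.

```javascript
// Added example, not MSAL.js code. Fields assumed to be the ones MSAL requires
// in the discovery document before it accepts the authority's endpoints.
const REQUIRED = ["authorization_endpoint", "token_endpoint", "issuer", "jwks_uri"];

// Classify one discovery response so a client-side log says why resolution failed.
function classifyDiscovery(status, bodyText) {
  if (status !== 200) return { ok: false, reason: `http_${status}` };
  let doc;
  try {
    doc = JSON.parse(bodyText);
  } catch {
    return { ok: false, reason: "not_json" }; // e.g. a proxy or WAF error page
  }
  if (doc === null || typeof doc !== "object") return { ok: false, reason: "not_json" };
  const missing = REQUIRED.filter((k) => typeof doc[k] !== "string" || doc[k] === "");
  return missing.length
    ? { ok: false, reason: "missing:" + missing.join(",") }
    : { ok: true, reason: "ok" };
}

// knownAuthorities entries are treated as bare host names (as in this thread) and
// compared case-insensitively with the host of the authority URL.
function authorityHostIsKnown(authority, knownAuthorities) {
  let host;
  try {
    host = new URL(authority).host.toLowerCase();
  } catch {
    return false; // not an absolute URL, e.g. just a policy name
  }
  return knownAuthorities.some((k) => k.trim().toLowerCase() === host);
}

// Probe the same URL MSAL reports in the error; fetchFn is injectable for offline tests.
async function probeAuthority(authority, fetchFn = fetch, timeoutMs = 5000) {
  const url = authority.replace(/\/+$/, "") + "/v2.0/.well-known/openid-configuration";
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetchFn(url, { signal: ctl.signal });
    return { url, ...classifyDiscovery(res.status, await res.text()) };
  } catch (e) {
    // fetch rejects on DNS, TLS, CORS or offline failures and when the request is aborted
    return { url, ok: false, reason: "network:" + (e && e.name ? e.name : "unknown") };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample body: a document that is missing three required fields.
console.log(classifyDiscovery(200, '{"issuer":"https://login.example.test/"}'));
```

Logging the `reason` next to the MSAL error separates transport failures (`network:*`, `http_*`) from a reachable endpoint that returns an unusable document.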


vincentB23 commented Jun 25, 2024

@vella-nicholas @hansakaRightS
Not sure if it's any help for you, but I too faced this error today after applying some changes to our previously working code. I'm pretty sure I found the origin of my issue, but I'm a bit baffled and will need to look further into it to really explain what happens.

Anyway, here is my FIRST explanation. I still have questions and I can't explain it really, but maybe it already helps you...
I noticed the issue is in the following code:

```html
<das-header>
    <das-header-action (click)="login()"> Login </das-header-action>

    <das-header-action (click)="login($event)"> Login but pass event </das-header-action>

    <button (click)="login()">Login button</button>
</das-header>
```

das-header and das-header-actions are custom components from our own library. I've stripped everything else out of this snippet which is not related to the issue itself.

This code snippet has three possible actions.

  1. The first one calls login which will call the msalService.loginRedirect function.
  2. The second one calls login but passes the PointerEvent. On the instance of PointerEvent, we will first call preventDefault() and then call the msalService.loginRedirect function.
  3. The third one calls login (like the first one), but it's from an HTML button instead of das-header-action.

In our case, action 1 results in the ClientAuthError (in about 19/20 cases we have the error, very rarely it works). Actions 2 and 3 ALWAYS work.

It seems like this PointerEvent that is emitted confuses the MSAL library in one way or another, which causes the loginRedirect to fail. However, I have no idea WHY this happens or why this SEEMS to be the case. I will try to further look into the issue and find actual complete answers in the next few days, but at least this is what I found out today.

EDIT: Ok so I quickly checked this morning, and it turns out that our component das-header-action is an HTML a tag with an href attribute. Seems weird that the component is configured like that, but that's another issue on its own... However, because it's an HTML a element, if I don't catch the event, Angular will eventually reload my page and this causes issues for MSAL. However, I still don't understand why it always gave me the ClientAuthError. I see no link between the ClientAuthError and reloading Angular, but ok.

@vella-nicholas

Thank you @vincentB23, we will check this out. Keep us updated with more findings. Are you using popup for login by any chance?
