-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
setClientCredential() errors when no clientCertificate
property is set
#7201
Comments
It's about this code, where microsoft-authentication-library-for-js/lib/msal-node/src/client/ConfidentialClientApplication.ts Lines 223 to 226 in 2ff18f2
|
@RoelVB Thanks for reporting this. What app type are you using? |
Encountered this using |
Thanks, I'll be looking into this immediately as well as any tests that may have missed this regression. |
@RoelVB Sorry, I'm not able to reproduce this yet. Are you acquiring a token via |
@Robbie-Microsoft This is the code that works on 2.10.0, but not on 2.11.0: This is the code that requests the token: If you want you can clone that repo to test. From the top of my head:
CLIENTID="01234567-89ab-cdef-0123-456789abcdef"
CLIENTSECRET="VGhpcyBpcyB2ZXJ5IHNlY3JldCE="
CLIENTTENANT="contoso"
MAILBOX="[email protected]"
ADDITIONALRECIPIENT="[email protected]"
|
Per the code in the first link, you are providing However, I don't know why you'd receive the error you posted above: "TypeError: Cannot read properties of undefined (reading 'thumbprint')". I'll look into this tomorrow. Let me know if deleting the clientSecret line and using ONLY |
Sorry, the supplied code can be a little confusing. I will probably be able to do some more tests in about 8-9 hours from now. |
@Robbie-Microsoft This works: auth: {
authority: '<url>',
clientId: '<guid>',
clientSecret: '<secret>',
} This throws the error mentioned: auth: {
authority: '<url>',
clientId: '<guid>',
clientSecret: '<secret>',
clientCertificate: undefined,
} So as of 2.11.0 the code checks if the key exists, but not if it's actually defined. The 2.10.0 code had this to make sure it's defined: microsoft-authentication-library-for-js/lib/msal-node/src/client/ConfidentialClientApplication.ts Lines 224 to 227 in e6d18c5
And because of this line, the issues is not caught while building (or by your IDE): microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Line 192 in aa24330
Because now all auth properties are typed as "defined".
|
I came to the same conclusion as you and then came back to this page to see that you posted what I was thinking :) . I was able to reproduce your error by passing this into the config for the
I think this is technically an error on your end, as I believe you would have prevented this error on your end if you typed your config as With your current setup, you could do something like:
Regardless, the code microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Lines 228 to 234 in 5eabb42
is not working as expected, and should throw an error if I will get a PR out soon that checks if |
You mean this microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Lines 121 to 127 in 5eabb42
That's what I use and it accepts auth.clientCertificate to be undefined .
But for some reason the typing is changed here, and used internally, which will make you miss some potential issues: microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Lines 191 to 197 in 5eabb42
|
Ok. I see what you're saying now. I could fix your issue by changing microsoft-authentication-library-for-js/lib/msal-node/src/client/ConfidentialClientApplication.ts Lines 223 to 226 in 5eabb42
to
However, I don't believe it's our intention to allow you to pass in microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Lines 48 to 57 in 5eabb42
We do convert Let me discuss this with @bgavrilMS and confirm that we don't want to allow developers to pass in |
So this method should transform microsoft-authentication-library-for-js/lib/msal-node/src/config/Configuration.ts Lines 210 to 243 in 22651b3
In my case this line: auth: { ...DEFAULT_AUTH_OPTIONS, ...auth }, Actually does this: auth: { ...{clientCertificate: {/* default config */}}, ...{clientCertificate: undefined} }, Which results in: auth: { clientCertificate: undefined }, A fix for this could be: auth: { ...DEFAULT_AUTH_OPTIONS, ...auth, clientCertificate: { ...DEFAULT_AUTH_OPTIONS.clientCertificate, ...auth.clientCertificate } }, But to be sure, you would also have to do this for |
Using
TypeScript rules implies that |
We encountered the same issue with the BotFramework SDK. We're using the client ID and client secret as the client credential. Below are the call stacks. And it seems there is no way to get around this. |
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
2.11.0
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Confidential
Description
This commit stops checking if
config.auth.clientCertificate
is actually defined.CC: @Robbie-Microsoft
Error Message
TypeError: Cannot read properties of undefined (reading 'thumbprint')
MSAL Logs
No response
Network Trace (Preferrably Fiddler)
MSAL Configuration
Relevant Code Snippets
Reproduction Steps
Try authenticating without setting the
clientCertificate
property in theauth
Expected Behavior
Auth using
clientSecret
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
2.10.0
Source
External (Customer)
The text was updated successfully, but these errors were encountered: