
Regional Auth routing to invalid auth url #7229

Closed
2 tasks
riteshbhoi opened this issue Jul 30, 2024 · 7 comments
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package no-issue-activity Issue author has not responded in 5 days question Customer is asking for a clarification, use case or information.

Comments

@riteshbhoi

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.9.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

We implemented a ConfidentialClientApplication and used it to call acquireTokenByClientCredential(clientCredentialRequest) with clientCredentialRequest being identical to the example in the docs for the purpose of using regional auth.

We added the region (westus in our case) to the azureRegion field just like in the example, but the request wasn't routed to a regional endpoint.

// Missing import added so the snippet runs as posted; the rest is the reporter's code.
const { ConfidentialClientApplication } = require('@azure/msal-node');

const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

// azureRegion is the only regional-auth setting used here; the authority stays the sovereign cloud host.
const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

The authentication call (for tenant id 5b750121-f135-44ef-b08e-61da0ff7c4d6) is routed to the URL below, which doesn't exist.
https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/

The same issue happens for the https://login.partner.microsoftonline.cn/ authority as well.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

auth: {
  clientId: clientId,
  authority: `https://login.microsoftonline.us/${tenantId}`,
  clientCertificate: {
    thumbprint: clientCertificateData.thumbprint,
    privateKey: clientCertificateData.privateKey,
    x5c: clientCertificateData.x5c
  }
}

Relevant Code Snippets

// Missing import added so the snippet runs as posted; the rest is the reporter's code.
const { ConfidentialClientApplication } = require('@azure/msal-node');

const privateClient = new ConfidentialClientApplication({
  auth: {
    clientId: clientId,
    authority: `https://login.microsoftonline.us/${tenantId}`,
    clientCertificate: {
      thumbprint: clientCertificateData.thumbprint,
      privateKey: clientCertificateData.privateKey,
      x5c: clientCertificateData.x5c
    }
  }
});

const response = await privateClient.acquireTokenByClientCredential({
  scopes: ['https://graph.microsoft.us/.default'],
  azureRegion: 'westus'
});

Reproduction Steps

  1. Run the code snippet with the provided msal config (substituting the values with the ones found in the logs)
  2. Check the logs to see which endpoints the request is routed to

Expected Behavior

Auth call should be routed to a valid auth URL

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

@riteshbhoi riteshbhoi added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jul 30, 2024
@github-actions github-actions bot added confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package labels Jul 30, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 30, 2024
@Robbie-Microsoft Robbie-Microsoft added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 5, 2024
@Robbie-Microsoft
Collaborator

Can you please post your verbose logs here?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Aug 5, 2024
@riteshbhoi
Author

riteshbhoi commented Aug 7, 2024

Here is the verbose log. As you can see at the end, auth is routed to the https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/ endpoint, and this endpoint is not valid.

MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Info - acquireTokenByClientCredential called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - initializeRequestScopes called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/[email protected] : Verbose - createAuthority called
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/.
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/[email protected] : Verbose - Client credential client created
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 3]: [Wed, 07 Aug 2024 01:22:18 GMT] : [ZU7IMd6LTSbkIPGqJY9YD5.1.13] : @azure/[email protected] : Verbose - Replacing tenant domain name 5b750121-f135-44ef-b08e-61da0ff7c4d6 with id {tenantid}
MSAL log [level: 2]: [Wed, 07 Aug 2024 01:22:18 GMT] : [d4d14c2d-dbaa-4801-8ea2-96c275fa9031] : @azure/[email protected] : Info - Sending token request to endpoint: https://westus.login.microsoftonline.us/5b750121-f135-44ef-b08e-61da0ff7c4d6/oauth2/v2.0/token/

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 7, 2024
@riteshbhoi
Author

@Robbie-Microsoft let me know if you need any other information

@bgavrilMS
Member

@riteshbhoi - the authority seems correct. You tell MSAL that the region is "westus" and the authority is "login.microsoftonline.us/tenant" and MSAL computes the authority as being "westus.login.microsoftonline.us/tenant".

Maybe you got your region wrong? Sovereign cloud regions are not the same as public cloud regions.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Aug 10, 2024
@riteshbhoi
Author

riteshbhoi commented Aug 10, 2024

@bgavrilMS The thing is, when we try to access https://westus.login.microsoftonline.us/<tenant>, this URL does not resolve, and we get response code 0. My questions: is this the right and expected URL? And if so, why is this URL not resolving from our Azure Function apps hosted in PME?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 10, 2024
@bgavrilMS
Member

bgavrilMS commented Aug 10, 2024

Let's continue over email @riteshbhoi - bogavril

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Author Feedback Awaiting response from issue author no-issue-activity Issue author has not responded in 5 days and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Aug 10, 2024
@riteshbhoi
Author

The outcome of the offline discussion was to manually inject regions for non-global cloud authorities. Also, non-global cloud authority regions don't align with global Azure regions such as West US 2, West US 3, etc., so make sure you validate the availability of the authorities in these clouds before manual injection.
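
The following is an added example, not code from the issue or from msal-node. It mirrors the authority computation bgavrilMS describes (the region is prefixed to the authority host, so `login.microsoftonline.us/tenant` plus `westus` becomes `westus.login.microsoftonline.us/tenant`) and applies the outcome of the discussion: for non-global clouds the region is injected into the authority explicitly, and only when that regional host has been verified for that cloud; otherwise the non-regional authority is used so a certificate credential is never sent to a host that may not resolve. `VERIFIED_REGIONS`, `buildRegionalAuthority`, `resolveAuthorityForRequest` and the placeholder tenant id are all assumptions of this example; the sovereign-cloud region sets are left empty on purpose and must be populated from your own availability checks.

```javascript
// Added example (not msal-node code). Decides how a confidential client should
// express a region for a given authority, per the discussion in this issue.

// Constructed allow-list of regional prefixes verified per cloud host.
// `null` marks the global cloud, where msal-node's own azureRegion handling is used.
// The sovereign-cloud sets are intentionally empty placeholders: add a region only
// after confirming that `<region>.<host>` actually exists for that cloud.
const VERIFIED_REGIONS = {
  "login.microsoftonline.com": null,
  "login.microsoftonline.us": new Set(),
  "login.partner.microsoftonline.cn": new Set(),
};

// Same transformation MSAL applies: prefix the authority host with the region.
function buildRegionalAuthority(authority, region) {
  const url = new URL(authority);
  if (url.protocol !== "https:") {
    throw new Error("authority must use https");
  }
  if (!/^[a-z0-9]+$/.test(region)) {
    throw new Error(`region must be a plain lowercase label, got: ${region}`);
  }
  url.hostname = `${region}.${url.hostname}`;
  return url.toString();
}

// Returns { authority, azureRegion, reason } for use with
// ConfidentialClientApplication / acquireTokenByClientCredential.
function resolveAuthorityForRequest(authority, region, verified = VERIFIED_REGIONS) {
  const host = new URL(authority).hostname;
  if (!Object.prototype.hasOwnProperty.call(verified, host)) {
    throw new Error(`unknown cloud host: ${host}`);
  }
  const regions = verified[host];
  if (regions === null) {
    // Global cloud: let MSAL do regional routing via azureRegion.
    return { authority, azureRegion: region, reason: "global-cloud-autodetect" };
  }
  if (!regions.has(region)) {
    // Sovereign cloud, region not verified: do not guess a host that may not
    // resolve (the "response code 0" seen in this issue); keep the plain authority.
    return { authority, azureRegion: undefined, reason: "region-not-verified" };
  }
  // Sovereign cloud with a verified region: inject it into the authority explicitly
  // instead of relying on azureRegion.
  return {
    authority: buildRegionalAuthority(authority, region),
    azureRegion: undefined,
    reason: "region-injected",
  };
}

// Constructed placeholder tenant id for the demonstration below.
const TENANT_PLACEHOLDER = "00000000-0000-0000-0000-000000000000";

// Example usage: the sovereign-cloud request from this issue falls back to the
// non-regional authority because "westus" is not in the verified set.
const decision = resolveAuthorityForRequest(
  `https://login.microsoftonline.us/${TENANT_PLACEHOLDER}`,
  "westus"
);
console.log(decision);
```

The returned `authority` goes into the `auth.authority` field of the `ConfidentialClientApplication` configuration, and `azureRegion` (when defined) into the `acquireTokenByClientCredential` request; for the sovereign-cloud fallback case both stay as the reporter had them minus the unverified region.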

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 15, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Aug 15, 2024