Intermittent "AADSTS900054" Error Using MSAL Browser with NAA in Mac Outlook Desktop App #7433

Open
2 tasks
AnkurSaini07 opened this issue Nov 20, 2024 · 1 comment
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed more-information-needed Use this label when you are waiting on information from the issue creator msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@AnkurSaini07

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.26.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

I am using the MSAL Browser npm library to implement authentication, leveraging the new NAA (Network Authentication Agent) feature. While it works as expected on Windows (Chrome and Outlook) and Mac (Chrome), I encountered an issue on the Mac Outlook desktop app. The issue persisted for 2 days but eventually resolved itself without any changes to the code or configuration.

Problem

When attempting to acquire a token silently using acquireTokenSilent, it failed. As a fallback, I executed acquireTokenPopup, which also failed.

This issue occurred specifically on the Mac Outlook desktop app, which has multiple accounts configured. The same setup works fine on Windows Outlook desktop app, Mac (Chrome), and Windows (Chrome).

Observations

  • The issue does not occur on:
    • Chrome (Windows and Mac)
    • Windows Outlook desktop app
  • Only affects the Mac Outlook desktop app.
  • This setup includes multiple accounts in Outlook, which may be relevant to the issue.

Error Message

Additional Information

Error details (from the screenshot):

  • Request ID: 5a97e1fc-77fa-41c1-b945-b1181dc9500
  • Correlation ID: 01932303-6213-733f-a60d-76e57847a0b8
  • Timestamp: 2024-11-12T11:47:39Z
  • Message: AADSTS900054: Specified Broker Client ID does not match ID in provided grant.

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

const msalConfig: Configuration = {
  auth: {
    clientId: AppConfig.config.currentApp.msAppId,
    authority: "https://login.microsoftonline.com/common",
  },
  cache: {
    cacheLocation: BrowserCacheLocation.LocalStorage,
    cacheMigrationEnabled: true,
    storeAuthStateInCookie: true,
    secureCookies: true,
  },
};

Relevant Code Snippets

import {
  AuthenticationResult,
  BrowserCacheLocation,
  CacheLookupPolicy,
  Configuration,
  IPublicClientApplication,
  createNestablePublicClientApplication,
  createStandardPublicClientApplication,
} from "@azure/msal-browser";

// AppConfig, nestedApp, getLoginHint and openAddinLoginPopup are not included in this snippet.
class MsalService {
  private static _msalInstance: IPublicClientApplication;

  // Creates the MSAL instance once: nestable (NAA) inside a host app, standard otherwise.
  public static async initialize() {
    if (!MsalService._msalInstance) {
      const msalConfig: Configuration = {
        auth: {
          clientId: AppConfig.config.currentApp.msAppId,
          authority: "https://login.microsoftonline.com/common",
        },
        cache: {
          cacheLocation: BrowserCacheLocation.LocalStorage,
          cacheMigrationEnabled: true,
          storeAuthStateInCookie: true,
          secureCookies: true,
        },
      };

      MsalService._msalInstance = nestedApp
        ? await createNestablePublicClientApplication(msalConfig)
        : await createStandardPublicClientApplication(msalConfig);
    }
    return MsalService._msalInstance;
  }

  private static async getToken(_scopes?: Array<string>): Promise<AuthenticationResult> {
    const msalInstance = await MsalService.initialize();
    const loginHint = await MsalService.getLoginHint();
    const scopes = _scopes || AppConfig.accessTokenScopes;
    try {
      const result = await msalInstance.acquireTokenSilent({
        scopes,
        cacheLookupPolicy: CacheLookupPolicy.Default,
      });
      // Reject a silently acquired token that belongs to a different account.
      if (result.account.username !== loginHint) {
        throw new Error("Force_Login");
      }
      return result;
    } catch (err) {
      // Any failure, including the Force_Login mismatch above, falls through to interactive sign-in.
      const authenticatePromise = !nestedApp
        ? MsalService.openAddinLoginPopup(scopes)
        : msalInstance.acquireTokenPopup({
          scopes,
          loginHint,
        });
      return authenticatePromise.then(result => {
        msalInstance.setActiveAccount(result.account);
        return result;
      });
    }
  }
}

Reproduction Steps

Steps to Reproduce

  1. Set up MSAL Browser with NAA.
  2. Configure Outlook desktop app on Mac with multiple accounts.
  3. Attempt authentication:
    • Observe failure during acquireTokenSilent.
    • Observe failure during fallback with acquireTokenPopup, leading to the error.
  4. Note: The issue resolved itself after 2 days without any code or configuration changes.

Expected Behavior

  • Token acquisition should work seamlessly across all supported platforms, including the Mac Outlook desktop app.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Other

Regression

No response

@AnkurSaini07 AnkurSaini07 added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Nov 20, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Nov 20, 2024
Contributor

Invalid Issue Template:
Please update the original issue and make sure to fill out the entire issue template so we can better assist you.

@github-actions github-actions bot added more-information-needed Use this label when you are waiting on information from the issue creator msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Nov 20, 2024
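
An added example, not part of the issue or of MSAL.js: a helper that pulls the AADSTS code, correlation ID and timestamp out of a failed token request so they can be logged and attached to a report like the one above, plus a case-insensitive variant of the username/loginHint check from the snippet. The function names, the layout of the sample message and the set of interaction codes are assumptions; the field names follow MSAL's AuthError.

```typescript
// Shape of the fields read from an MSAL AuthError (errorCode, errorMessage, correlationId).
interface AuthErrorLike {
  errorCode?: string;
  errorMessage?: string;
  message?: string;
  correlationId?: string;
}

interface TokenFailure {
  aadsts: string | null;        // e.g. "AADSTS900054"
  correlationId: string | null; // needed by support to find the server-side trace
  timestamp: string | null;
  interactionRequired: boolean; // true only when a prompt is the expected remedy
}

// Assumption: error codes for which falling back to an interactive prompt makes sense.
const INTERACTION_CODES = new Set(["interaction_required", "login_required", "consent_required"]);

function describeTokenFailure(err: unknown): TokenFailure {
  const e = (err ?? {}) as AuthErrorLike;
  const text = `${e.errorMessage ?? ""} ${e.message ?? ""}`;
  const grab = (re: RegExp): string | null => re.exec(text)?.[1] ?? null;
  return {
    aadsts: grab(/\b(AADSTS\d+)\b/),
    // Prefer the structured field; fall back to the text of the message.
    correlationId: e.correlationId || grab(/Correlation ID:\s*([0-9a-f-]{36})/i),
    timestamp: grab(/Timestamp:\s*(\S+)/i),
    interactionRequired: INTERACTION_CODES.has(e.errorCode ?? ""),
  };
}

// Sign-in names are case-insensitive, so compare them normalised; a missing value never matches.
function sameAccount(username?: string, loginHint?: string): boolean {
  if (!username || !loginHint) return false;
  return username.trim().toLowerCase() === loginHint.trim().toLowerCase();
}

// Constructed sample: values are the ones reported in the issue, the message layout is assumed.
const sampleError: AuthErrorLike = {
  errorMessage:
    "AADSTS900054: Specified Broker Client ID does not match ID in provided grant. " +
    "Correlation ID: 01932303-6213-733f-a60d-76e57847a0b8 Timestamp: 2024-11-12T11:47:39Z",
};

console.log(describeTokenFailure(sampleError));
```

Logging this object in the catch block before any popup fallback keeps the original silent-flow failure on record even when the interactive attempt fails as well.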