Null Ref when IdToken is not returned #1604
Comments
@jennyf19 See this line: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/418e4880ce3307befb25c7af600a886560cadcaa/Microsoft.Identity.Web/StartupHelpers.cs#L101 for ASP.NET Core and https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/aed83053c39e9acb5a9b031fa67d05161e5faaa2/WebApp/App_Start/Startup.Auth.cs#L41 for ASP.NET? I would think that the code redemption just provides the scopes that were requested during the first leg (going to the Authorize endpoint).
Let's discuss this at standup.
@jmprieur: How do you envision that we should ensure we get the idtoken? How do we handle the error? Provide a message saying how to fix this for web applications? Is this something webextensions.withMicrosoftIdentityPlatform is supposed to address? Ideas on what we do short term to improve supportability?
@jennyf19: which scenario is this addressing? As JM says, web apps using ASP.NET and ASP.NET Core should be changed as it's done in the samples. However, I was thinking this was solving it for someone else for some other scenario?
webextensions.withMicrosoftIdentityPlatform? Do you mean Microsoft.Identity.Web, @henrik-me? If that's the case, yes, it handles it. BTW, I'm not opposed to adding the openid scope, but only in flows where we need it (not in client credentials). In the case of AcquireTokenByAuthorizationCode, does it add more network calls, @jennyf19? Also, does it prevent having other scopes?
@jmprieur @henrik-me I'll just revert the changes and include the one for the null ref check. In MSAL we are sending openid w/ all the calls, so I was doing something similar here, but I'll leave it. It's not an extra network call as it's already included in the request. No reason to spend time on a non-issue.
@jennyf19 I actually checked today that the v2.0 endpoint demands the openid claim for grant_type == "authorization_code". |
@jmprieur yes... it is one of the three required scopes for v2, but I don't see a good reason to make the changes now in ADAL. @henrik-me, what are your thoughts? I can just do the null ref check and that's it. Seems like the best option.
What I would not want is that, because we request the scope, some negative side effect happens, like changing the session, which will break existing ADAL apps. Maybe the right fix is indeed to just check for the null ref as you propose, @jennyf19.
Fixed in ADAL 5.1.0.
Which version of ADAL are you using?
5.0.5 - v4.
Repro
ADAL does not send the scope OpenId w/the AuthCode flow, so no idToken is returned. The idToken is used when writing to the MSAL cache.
In CacheFallbackOperations.WriteMsalRefreshToken, we don't check for null in result.Result.UserInfo.GivenName, so there is a null ref thrown here.
Expected behavior
Actual behavior
System.NullReferenceException: Object reference not set to an instance of an object. at Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache.StoreToCacheCommon(AdalResultWrapper result, String authority, String resource, String clientId, TokenSubjectType subjectType, RequestContext requestContext) in D:\a\1\s\src\Microsoft.IdentityModel.Clients.ActiveDirectory\TokenCache.cs:line 692
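Added example, not code from ADAL or MSAL: the dereference pattern the report describes (UserInfo read unconditionally while writing the MSAL-format refresh token) beside a null-safe version that still caches the refresh token when the auth code was redeemed without the openid scope. The classes UserInfo, AdalResult, AdalResultWrapper and MsalRefreshTokenEntry, the two WriteMsalRefreshToken* methods and the sample token strings are simplified stand-ins constructed for this illustration, not the library's real definitions.

```csharp
// Added example, not ADAL's or MSAL's own code. The classes below are simplified
// stand-ins for ADAL's AdalResultWrapper/UserInfo and for an MSAL refresh-token
// cache entry; only the shape needed to reproduce the null reference is modelled.
using System;

public sealed class UserInfo { public string GivenName { get; set; } public string FamilyName { get; set; } }

public sealed class AdalResult
{
    public string AccessToken { get; set; }
    public string IdToken { get; set; }    // null when "openid" was not requested
    public UserInfo UserInfo { get; set; } // populated from the id_token, so null as well
}

public sealed class AdalResultWrapper
{
    public AdalResult Result { get; set; }
    public string RefreshToken { get; set; }
    public string RawClientInfo { get; set; } // client_info returned by the token endpoint
}

public sealed class MsalRefreshTokenEntry
{
    public string ClientId { get; set; }
    public string Environment { get; set; }
    public string HomeAccountId { get; set; }
    public string Secret { get; set; }
    public string GivenName { get; set; }
    public string FamilyName { get; set; }
}

public static class CacheFallback
{
    // Same pattern as the failing code in the report: UserInfo is dereferenced
    // unconditionally, so this throws NullReferenceException when no id_token came back.
    public static MsalRefreshTokenEntry WriteMsalRefreshTokenUnsafe(
        AdalResultWrapper result, string authority, string clientId)
    {
        return new MsalRefreshTokenEntry
        {
            ClientId = clientId,
            Environment = new Uri(authority).Host,
            HomeAccountId = result.RawClientInfo,
            Secret = result.RefreshToken,
            GivenName = result.Result.UserInfo.GivenName,    // NRE here
            FamilyName = result.Result.UserInfo.FamilyName,
        };
    }

    // Hardened form. The refresh token and client_info do not depend on the
    // id_token, so the entry is still written; the id_token-derived fields are
    // left empty. Returns null only when there is nothing cacheable at all.
    public static MsalRefreshTokenEntry WriteMsalRefreshTokenSafe(
        AdalResultWrapper result, string authority, string clientId)
    {
        if (result?.Result == null ||
            string.IsNullOrEmpty(result.RefreshToken) ||
            string.IsNullOrEmpty(result.RawClientInfo))
        {
            return null;
        }

        UserInfo userInfo = result.Result.UserInfo; // null when "openid" was not requested
        return new MsalRefreshTokenEntry
        {
            ClientId = clientId,
            Environment = new Uri(authority).Host,
            HomeAccountId = result.RawClientInfo,
            Secret = result.RefreshToken,
            GivenName = userInfo?.GivenName ?? string.Empty,
            FamilyName = userInfo?.FamilyName ?? string.Empty,
        };
    }

    public static void Main()
    {
        // Constructed token response: auth-code redemption without "openid", so no id_token.
        var noIdToken = new AdalResultWrapper
        {
            Result = new AdalResult { AccessToken = "eyJ...access", IdToken = null, UserInfo = null },
            RefreshToken = "0.AAAA...refresh",
            RawClientInfo = "eyJ1aWQiOiIuLi4iLCJ1dGlkIjoiLi4uIn0", // base64url of {"uid":"...","utid":"..."}
        };
        const string authority = "https://login.microsoftonline.com/common";
        const string clientId = "00000000-0000-0000-0000-000000000000";

        try
        {
            WriteMsalRefreshTokenUnsafe(noIdToken, authority, clientId);
        }
        catch (NullReferenceException)
        {
            Console.WriteLine("unsafe path: NullReferenceException, as in the report");
        }

        var entry = WriteMsalRefreshTokenSafe(noIdToken, authority, clientId);
        Console.WriteLine($"safe path: cached RT for {entry.HomeAccountId}, GivenName='{entry.GivenName}'");
    }
}
```

The safe variant keys the cache entry on client_info rather than on id_token claims, which is why the refresh token can still be persisted for the same account when the id_token is absent; anything that genuinely needs id_token-derived fields has to treat them as optional.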