Error authenticating to Azure DevOps with OAuth "Application ... is configured for use by Azure Active Directory users only" #1297
Comments
@mjcheetham can probably speak more on this, but it looks like MSAL is trying to acquire a token for [email protected] and is running into issues with the Client App (which we share with VS). As a sanity check, is [email protected] a Microsoft Account (I'm assuming it's not a work or school account)? |
Yes, an ordinary Microsoft account. |
@hickford could you please try setting the GCM_TRACE_MSAUTH=1 environment variable?
Note that these MSAL logs are very verbose, and may contain secrets. We do our best to ensure secrets are masked by default however.
Azure DevOps doesn't support the "v2" Microsoft identity platform, which unified the AAD and MSA models. Instead it uses "MSA passthrough" which is a hack to allow "v1" relying parties to accept both AAD and MSA tokens, by exchanging native MSA tokens for an AAD token from a 'fake' AAD tenant for all MSAs. (Yes, it's.. creative!)
The error here usually means we tried to use login.microsoftonline.com/common or /consumers as the authority.. but from your trace I can see already we're using /organizations which is correct for MSA-PT apps:
16:04:34.077914 ...AuthorityCache.cs:57 trace: [GetAuthority] Looking up cached authority for organization 'matthickford0459'...
16:04:34.175252 ...sHostProvider.cs:246 trace: [GetAzureAccessTokenAsync] Authority is 'https://login.microsoftonline.com/organizations'.
cc: @bgavrilMS |
MSAL logs do not contain secrets; it never logs tokens, passwords, etc. At most they can contain private data such as email addresses.
|
@mjcheetham @bgavrilMS To check my understanding, there appear to be two OAuth authorization servers you can use to authenticate to Azure DevOps. Which does GCM use?
|
09:00:03.756179 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.1.2.0
09:00:03.784643 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.18
09:00:03.784775 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
09:00:03.784817 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux penguin 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 x86_64 GNU/Linux
09:00:03.784885 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /home/matthickford/.dotnet/tools/git-credential-manager
09:00:03.785327 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /home/matthickford/.dotnet/tools/.store/git-credential-manager/2.1.2/git-credential-manager/2.1.2/tools/net6.0/any/
09:00:03.785485 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
09:00:03.851632 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
09:00:03.902567 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
09:00:03.917334 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
09:00:03.917513 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=dev.azure.com
09:00:03.917551 ...GitCommandBase.cs:48 trace: [ExecuteAsync] path=matthickford0459/testdevazuredotcom/_git/testdevazuredotcom
09:00:03.917583 ...GitCommandBase.cs:48 trace: [ExecuteAsync] username=matthickford0459
09:00:03.917613 ...GitCommandBase.cs:48 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://tfsproduks1.visualstudio.com/"
09:00:03.921198 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
09:00:03.921347 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
09:00:03.922492 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
09:00:03.922790 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
09:00:03.923733 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'oauth'
09:00:03.924615 ...sHostProvider.cs:237 trace: [GetAzureAccessTokenAsync] Determining Microsoft Authentication authority for Azure DevOps organization 'matthickford0459'...
09:00:03.924676 ...AuthorityCache.cs:57 trace: [GetAuthority] Looking up cached authority for organization 'matthickford0459'...
09:00:03.965598 ...sHostProvider.cs:246 trace: [GetAzureAccessTokenAsync] Authority is 'https://login.microsoftonline.com/organizations'.
09:00:03.965641 ...sHostProvider.cs:268 trace: [GetAzureAccessTokenAsync] Looking up user for organization 'matthickford0459'...
09:00:03.965911 ...BindingManager.cs:94 trace: [GetBinding] Looking up organization binding for 'matthickford0459'...
09:00:03.969803 ...sHostProvider.cs:272 trace: [GetAzureAccessTokenAsync] User is '[email protected]'.
09:00:03.969859 ...sHostProvider.cs:275 trace: [GetAzureAccessTokenAsync] Getting Azure AD access token...
09:00:03.974060 ...Authentication.cs:66 trace: [GetTokenAsync] OS broker is not available or enabled.
09:00:04.021264 ...uthentication.cs:393 trace: [RegisterTokenCacheAsync] Configuring Microsoft Authentication token cache to instance shared with Microsoft developer tools...
09:00:04.141824 ...uthentication.cs:449 trace: [RegisterTokenCacheAsync] Microsoft developer tools token cache configured.
09:00:04.143908 ...uthentication.cs:296 trace: [GetAccessTokenSilentlyAsync] Attempting to acquire token silently for user '[email protected]'...
09:00:04.153306 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] MSAL MSAL.NetCore with assembly version '4.52.0.0'. CorrelationId(082eb1d7-91aa-4f5d-be10-b15a470b4590)
09:00:04.158655 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] === AcquireTokenSilent Parameters ===
09:00:04.158719 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] LoginHint provided: True
09:00:04.158779 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] Account provided: False
09:00:04.158823 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] ForceRefresh: False
09:00:04.162042 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] === Request Data === Authority Provided? - True Scopes - 499b84ac-1321-427f-aa17-267ca6975798/.default Extra Query Params Keys (space separated) - ApiId - AcquireTokenSilent IsConfidentialClient - False SendX5C - False LoginHint ? False IsBrokerConfigured - False HomeAccountId - False CorrelationId - 082eb1d7-91aa-4f5d-be10-b15a470b4590 UserAssertion set: False LongRunningOboCacheKey set: False Region configured: |
GCM always uses MSAL + AAD to generate access tokens for Azure DevOps. In |
Thanks for the logs @hickford! It looks like there's something strange going on inside of the MSAL account filtering with MSAs:
|
@mjcheetham Thanks for the explanation. Why is the PAT preferred to an access token? Is the scope more limited? |
For completeness, here's the log from
21:33:26.733288 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.1.2.0
21:33:26.739127 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.18
21:33:26.739148 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
21:33:26.739151 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux penguin 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 x86_64 GNU/Linux
21:33:26.739158 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /home/matthickford/.dotnet/tools/git-credential-manager
21:33:26.739195 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /home/matthickford/.dotnet/tools/.store/git-credential-manager/2.1.2/git-credential-manager/2.1.2/tools/net6.0/any/
21:33:26.739213 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
21:33:26.774166 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
21:33:26.783980 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
21:33:26.786022 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
21:33:26.786068 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=dev.azure.com
21:33:26.786071 ...GitCommandBase.cs:48 trace: [ExecuteAsync] path=matthickford0459/testdevazuredotcom/_git/testdevazuredotcom
21:33:26.786082 ...GitCommandBase.cs:48 trace: [ExecuteAsync] username=matthickford0459
21:33:26.786085 ...GitCommandBase.cs:48 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://tfsproduks1.visualstudio.com/"
21:33:26.788999 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
21:33:26.789155 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
21:33:26.790312 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
21:33:26.790638 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
21:33:26.791620 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'pat'
21:33:26.791998 ...osHostProvider.cs:85 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://dev.azure.com/matthickford0459 account=...
21:33:26.801784 ...osHostProvider.cs:90 trace: [GetCredentialAsync] No existing credentials found.
21:33:26.801837 ...osHostProvider.cs:93 trace: [GetCredentialAsync] Creating new credential...
21:33:26.803119 ...sHostProvider.cs:195 trace: [GeneratePersonalAccessTokenAsync] Determining Microsoft Authentication Authority...
21:33:26.809017 ...eDevOpsRestApi.cs:43 trace: [GetAuthorityAsync] HTTP: HEAD https://dev.azure.com/matthickford0459
21:33:26.810200 ...pClientFactory.cs:60 trace: [CreateClient] Creating new HTTP client instance...
21:33:26.812809 ...pClientFactory.cs:80 trace: [CreateClient] Git's SSL/TLS backend is: OpenSsl
21:33:27.103664 ...eDevOpsRestApi.cs:46 trace: [GetAuthorityAsync] HTTP: Response code ignored.
21:33:27.103699 ...eDevOpsRestApi.cs:47 trace: [GetAuthorityAsync] Inspecting headers...
21:33:27.104202 ...eDevOpsRestApi.cs:79 trace: [GetAuthorityAsync] Found X-VSS-ResourceTenant header with MSA tenant ID (empty GUID).
21:33:27.104447 ...sHostProvider.cs:197 trace: [GeneratePersonalAccessTokenAsync] Authority is 'https://login.microsoftonline.com/organizations'.
21:33:27.104458 ...sHostProvider.cs:200 trace: [GeneratePersonalAccessTokenAsync] Getting Azure AD access token...
21:33:27.106159 ...Authentication.cs:66 trace: [GetTokenAsync] OS broker is not available or enabled.
21:33:27.113246 ...uthentication.cs:393 trace: [RegisterTokenCacheAsync] Configuring Microsoft Authentication token cache to instance shared with Microsoft developer tools...
21:33:27.199843 ...uthentication.cs:449 trace: [RegisterTokenCacheAsync] Microsoft developer tools token cache configured.
21:33:27.207064 ...uthentication.cs:164 trace: [GetTokenAsync] Performing interactive auth with system web view...
21:33:27.213245 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] MSAL MSAL.NetCore with assembly version '4.52.0.0'. CorrelationId(78a3eef5-95fd-43ca-80e8-fd821395a2b5)
21:33:27.216968 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] DefaultBrowserOptions configured
21:33:27.217047 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] HtmlMessageSuccess? False
21:33:27.217079 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] HtmlMessageError? False
21:33:27.217154 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] BrowserRedirectSuccess? False
21:33:27.217193 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] BrowserRedirectError? False
21:33:27.217236 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] HidePrivacyPrompt False
21:33:27.217244 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore .NET 6.0.18 Linux 5.15.112-19373-g62629859bf76 #1 SMP PREEMPT Sun Jun 11 18:47:30 PDT 2023 [2023-06-22 20:33:27Z - 78a3eef5-95fd-43ca-80e8-fd821395a2b5] === InteractiveParameters Data === LoginHint provided: False User provided: False UseEmbeddedWebView: System ExtraScopesToConsent: Prompt: select_account HasCustomWebUi: False |
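The two traces above, read together with the authority explanation earlier in the thread, contain everything needed to triage this class of failure: which credential type was in force, which authority GCM chose, which user and scope MSAL was asked for, whether the acquisition was silent or interactive, and whether the `X-VSS-ResourceTenant` probe identified the organization as MSA-backed. The script below is an added example written for this page (it is not GCM's code and was not posted by anyone in the thread). It pulls those fields out of GCM trace output and applies the rule stated above: an MSA-passthrough app must use `/organizations`, not `/common` or `/consumers`. The sample lines are excerpted from the two traces posted above (the long MSAL line is shortened). One rule is the example's own assumption rather than something the traces show: that a non-empty `X-VSS-ResourceTenant` GUID maps to that tenant's own authority.

```python
"""Triage helper for git-credential-manager (GCM) trace output.

Added example for this issue page; not GCM's own code. It summarises the
trace fields that matter for the Azure DevOps authority problem discussed
above and checks the authority against the MSA-passthrough rule.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

AUTHORITY_HOST = "https://login.microsoftonline.com"
# Azure DevOps resource ID, exactly as it appears in the MSAL "Scopes" line above.
ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"  # MSA marker in X-VSS-ResourceTenant

# One GCM trace entry: "<time> <source:line> trace: [Function] message"
TRACE_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\S+\s+trace:\s+\[(?P<fn>[^\]]+)\]\s+(?P<msg>.*)$"
)


@dataclass
class TraceSummary:
    credential_type: Optional[str] = None   # 'oauth' or 'pat'
    organization: Optional[str] = None
    authority: Optional[str] = None
    user: Optional[str] = None
    scopes: Optional[str] = None
    flow: Optional[str] = None              # 'silent' or 'interactive'
    msa_resource_tenant: bool = False       # X-VSS-ResourceTenant was the empty GUID
    findings: List[str] = field(default_factory=list)


def authority_for_resource_tenant(tenant_id: str) -> str:
    """Model the decision the PAT trace shows: the empty GUID (an MSA-backed org)
    maps to /organizations. Mapping any other GUID to a tenant-specific authority
    is this example's assumption; the traces above only show the MSA case."""
    tenant = tenant_id.strip().lower()
    if tenant in ("", EMPTY_GUID):
        return f"{AUTHORITY_HOST}/organizations"
    return f"{AUTHORITY_HOST}/{tenant}"


def check_summary(s: TraceSummary) -> List[str]:
    """Apply the rules of thumb from the discussion above."""
    findings = []
    if s.authority:
        tenant = s.authority.rstrip("/").rsplit("/", 1)[-1]
        if tenant in ("common", "consumers"):
            findings.append(f"wrong authority '{s.authority}' for an MSA-passthrough app; "
                            f"expected {AUTHORITY_HOST}/organizations")
        elif tenant == "organizations":
            findings.append("authority /organizations is correct for an MSA-passthrough app")
        else:
            findings.append(f"tenant-specific authority '{s.authority}'")
    if s.scopes and not s.scopes.startswith(ADO_RESOURCE_ID + "/"):
        findings.append(f"unexpected scope '{s.scopes}'; Azure DevOps resource is {ADO_RESOURCE_ID}")
    if s.credential_type == "oauth" and s.flow == "silent":
        findings.append("OAuth path with silent MSAL acquisition: the flow that failed for the MSA here")
    return findings


def summarize_trace(text: str) -> TraceSummary:
    s = TraceSummary()
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # not a trace entry (blank line, MSAL continuation, etc.)
        msg = m.group("msg")
        if (x := re.search(r"credential type override set to '(\w+)'", msg)):
            s.credential_type = x.group(1)
        elif (x := re.search(r"for (?:Azure DevOps )?organization '([^']+)'", msg)):
            s.organization = x.group(1)
        elif (x := re.search(r"HTTP: HEAD https://dev\.azure\.com/([^/\s]+)", msg)):
            s.organization = x.group(1)
        elif (x := re.match(r"Authority is '([^']+)'", msg)):
            s.authority = x.group(1)
        elif (x := re.match(r"User is '([^']+)'", msg)):
            s.user = x.group(1)
        elif "X-VSS-ResourceTenant header with MSA tenant ID" in msg:
            s.msa_resource_tenant = True
        elif msg.startswith("Attempting to acquire token silently"):
            s.flow = "silent"
        elif msg.startswith("Performing interactive auth"):
            s.flow = "interactive"
        elif (x := re.search(r"\bScopes - (\S+)", msg)):
            s.scopes = x.group(1)
    s.findings = check_summary(s)
    return s


# Sample input: lines excerpted from the two traces posted above (MSAL line shortened).
OAUTH_TRACE = """\
09:00:03.923733 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'oauth'
09:00:03.924615 ...sHostProvider.cs:237 trace: [GetAzureAccessTokenAsync] Determining Microsoft Authentication authority for Azure DevOps organization 'matthickford0459'...
09:00:03.965598 ...sHostProvider.cs:246 trace: [GetAzureAccessTokenAsync] Authority is 'https://login.microsoftonline.com/organizations'.
09:00:03.969803 ...sHostProvider.cs:272 trace: [GetAzureAccessTokenAsync] User is '[email protected]'.
09:00:03.974060 ...Authentication.cs:66 trace: [GetTokenAsync] OS broker is not available or enabled.
09:00:04.143908 ...uthentication.cs:296 trace: [GetAccessTokenSilentlyAsync] Attempting to acquire token silently for user '[email protected]'...
09:00:04.162042 ...uthentication.cs:514 trace: [MSAL] [Info] False MSAL 4.52.0.0 MSAL.NetCore [2023-06-22 08:00:04Z - 082eb1d7-91aa-4f5d-be10-b15a470b4590] === Request Data === Authority Provided? - True Scopes - 499b84ac-1321-427f-aa17-267ca6975798/.default ApiId - AcquireTokenSilent IsBrokerConfigured - False
"""
PAT_TRACE = """\
21:33:26.791620 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'pat'
21:33:26.809017 ...eDevOpsRestApi.cs:43 trace: [GetAuthorityAsync] HTTP: HEAD https://dev.azure.com/matthickford0459
21:33:27.104202 ...eDevOpsRestApi.cs:79 trace: [GetAuthorityAsync] Found X-VSS-ResourceTenant header with MSA tenant ID (empty GUID).
21:33:27.104447 ...sHostProvider.cs:197 trace: [GeneratePersonalAccessTokenAsync] Authority is 'https://login.microsoftonline.com/organizations'.
21:33:27.207064 ...uthentication.cs:164 trace: [GetTokenAsync] Performing interactive auth with system web view...
"""

if __name__ == "__main__":
    for name, trace in (("oauth", OAUTH_TRACE), ("pat", PAT_TRACE)):
        summary = summarize_trace(trace)
        print(f"[{name}] type={summary.credential_type} org={summary.organization} user={summary.user}")
        print(f"  authority={summary.authority} flow={summary.flow} msa_org={summary.msa_resource_tenant}")
        for finding in summary.findings:
            print("  -", finding)
```

Run it against a file produced with `GCM_TRACE=<path>` and `GCM_TRACE_MSAUTH=1` set (the variables mentioned above) by passing the file's text to `summarize_trace`; the trace is verbose, so extracting these few fields first makes the comparison between the `oauth` and `pat` runs immediate.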
Historically PATs were the only option we supported. OAuth support was added around about the same time as the Windows broker support was added. There are still some issues to be ironed out (as you have found!) before we can switch the default. There's been some inertia here trying to fix some of the issues that span GCM+MSAL+Windows+AzureDevOps. The scope of the PAT is also more limited, true. But PATs may have longer lifetimes than Microsoft identity access tokens (typically 1-8 hours). |
@mjcheetham, @ldennington - I was under the impression that GCM had this flow tested (OAuth with MSA account). Is there a regression? MSAL has a not so great API usage experience for this, but still it will work. It's described here AzureAD/microsoft-authentication-library-for-dotnet#3077 |
I've opened a PR to add the workaround in GCM for MSA silent auth: #1321 |
When we have a Microsoft Account (MSA) in the cache and attempt to do a silent authentication, if we're an MSA-PT app we need to specify the special MSA transfer tenant ID to make sure we get a token silently, correctly. See the [issue](AzureAD/microsoft-authentication-library-for-dotnet#3077) in the MSAL repo for more information. Fixes: #1297
**Changes since 2.2.2:**
- Fix a GCM/Git Trace2 file locking issue - Issue: #1323 - PR: #1340
- Remove symlinks to `git-credential-manager-core` exe - Issue: #1322 - PR: #1327
- Add fallback http uri to `diagnose` command - Issue: #1215 - PR: #1339
- Workaround MSAL tenant issue with silent auth - Issue: #1297 - PR: #1321
I tried to authenticate to Azure DevOps with `credential.azreposCredentialType=oauth`. I'm using GCM 2.1.2 on Linux (installed with dotnet tool); it gave me the error
GCM trace:
Workaround: `credential.azreposCredentialType=pat` works as expected.