Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] On behalf of supplier doesn't pass tenant id to silent supplier #881

Open
q-benwillis opened this issue Nov 22, 2024 · 0 comments
Open

[Bug] On behalf of supplier doesn't pass tenant id to silent supplier #881

q-benwillis opened this issue Nov 22, 2024 · 0 comments
Labels
needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template

Comments

@q-benwillis
Copy link

Library version used

1.17.2

Java version

17.0.11

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

It seems that when the OBO supplier attempts to acquire the token silently from the cache it doesn't pass the Tenant ID in the SilentParameters which means that the token cannot be found in the cache.

I'm sending OnBehalfOfParameters with the Tenant ID:

OnBehalfOfParameters.builder(scopes, userAssertion).tenant(tenantId).build

This is all I'm seeing in the logs:

2024-11-22T11:56:56.127Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : SkipCache set to false. Attempting cache lookup
2024-11-22T11:56:56.128Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : Cache lookup failed: Token not found in the cache

However if I dig a little deeper I can see that the cache miss is because the cached token realm doesn't match the authority tenant here. If I follow this back I can see that the authority tenant can come from the request parameters here. However it looks like this isn't happening because the OnBehalfOfSupplier doesn't add the tenant to the SilentParameters here.

Relevant code snippets

val userAssertion = new UserAssertion(???)
val scopes = Set(???)
val tenantId = ???

val parameters = OnBehalfOfParameters.builder(scopes, userAssertion).tenant(tenantId).build

// Call confidential client with below parameters and request should succeed and write OBO token to cache
client.acquireToken(parameters)

// Call confidential client with again with same parameters and request does not find previous token from cache
client.acquireToken(parameters)

Expected behavior

The second request should be able to retrieve the token from the cache

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
@q-benwillis q-benwillis added needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template labels Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs attention Automatically used when an issue is created through an issue template untriaged Automatically used when an issue is created through an issue template
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@q-benwillis