
[Bug] Error of System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token is being unexpectedly thrown #1710

Closed
1 of 8 tasks
madelineleclair opened this issue Apr 18, 2022 · 7 comments
Labels: bug (Something isn't working), more info needed
Milestone: 1.25.0
Comments

@madelineleclair

Which version of Microsoft Identity Web are you using?
Microsoft Identity Web 1.22.2, 1.9.0, and 1.8.2

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Identity Web.

Context
We have been experiencing a transient issue where the error below is thrown for tokens without scopes or roles:

System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.

We have been experiencing the issue for about 1 year in production. It started when we began using Microsoft Identity Web. We have tried upgrading to later versions, such as 1.22.2, but the issue still persists. As per the documentation, we have configured "AllowWebApiToBeAuthorizedByACL": true in our app settings for tokens we don't want to validate scopes/roles for. Without this setting, we experience the error consistently. With the setting enabled, we get transient failures in production. When looking at our logs, we have noticed that if the error is thrown for multiple requests, it is thrown on the same pod. We are trying to identify the root cause of this error so we don't have to leave a workaround in place.

Expected behavior
When "AllowWebApiToBeAuthorizedByACL": true is enabled in app settings, the error of System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token. is not thrown.

@jmprieur jmprieur added the bug Something isn't working label Apr 19, 2022
@jennyf19
Collaborator

@madelineleclair Would you be able to provide logs for one of the failed cases?

@madelineleclair
Author

@jennyf19 I've enabled the logging for Microsoft.Identity.Web at the debug level, but I'm only seeing a few new log lines. To give you some context on how we're using Microsoft Identity Web, our setup in Startup.cs is below. Only 3 out of the 4 configurations have "AllowWebApiToBeAuthorizedByACL": true enabled. The 2nd one (ServiceTwo) doesn't.

```csharp
services.AddAuthentication()
        .AddMicrosoftIdentityWebApi(
            _config,
            "Auth:ServiceOne:AzureAd",
            Constants.ServiceOneJwtBearerAuthenticationScheme,
            subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
        );
services.AddAuthentication()
        .AddMicrosoftIdentityWebApi(
            _config,
            "Auth:ServiceTwo:AzureAd",
            Constants.ServiceTwoJwtBearerAuthenticationScheme,
            subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
        );
services.AddAuthentication()
        .AddMicrosoftIdentityWebApi(
            _config,
            "Auth:ServiceTwo:AzureAd",
            Constants.ServiceThreeJwtBearerAuthenticationScheme,
            subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
        );
services.AddAuthentication()
        .AddMicrosoftIdentityWebApi(
            _config,
            "Auth:ServiceTwo:AzureAd",
            Constants.ServiceFourJwtBearerAuthenticationScheme,
            subscribeToJwtBearerMiddlewareDiagnosticsEvents: true
        );

services.Configure<JwtBearerOptions>(Constants.ServiceOneJwtBearerAuthenticationScheme, options =>
{
    // config options
});
services.Configure<JwtBearerOptions>(Constants.ServiceTwoJwtBearerAuthenticationScheme, options =>
{
    // config options
});
services.Configure<JwtBearerOptions>(Constants.ServiceThreeJwtBearerAuthenticationScheme, options =>
{
    // config options
});
services.Configure<JwtBearerOptions>(Constants.ServiceFourJwtBearerAuthenticationScheme, options =>
{
    // config options
});

services.AddAuthorization(options =>
{
    options.AddPolicy(Constants.ServiceOneAuthorizationPolicy, policy =>
    {
        // config options
    });
    options.AddPolicy(Constants.ServiceTwoAuthorizationPolicy, policy =>
    {
        // config options
    });
    options.AddPolicy(Constants.ServiceThreeAuthorizationPolicy, policy =>
    {
        // config options
    });
    options.AddPolicy(Constants.ServiceFourAuthorizationPolicy, policy =>
    {
        // config options
    });
});
```

When looking at logs, I see the following for correlation id ead62e62-2f5b-4d70-ae28-52326754dfdf:

  • Begin OnMessageReceivedAsync.
  • End OnMessageReceivedAsync.
  • Begin OnTokenValidatedAsync.
  • Encountered authentication workaround for ServiceOneJwtBearerAuthenticationScheme. IDW10201: Neither scope or roles claim was found in the bearer token.

The last message comes from us logging a warning when we catch the error of System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token using options.Events.OnTokenValidated. Let me know if you need anything else.

@sciocoder
Contributor

sciocoder commented May 28, 2022

@madelineleclair Is diagnostics enabled?
I am facing a similar problem and I have found that it is caused by the diagnostics middleware. It is a singleton and, in the case of multiple schemes, the events of the last one are used.

@jennyf19 could #1741 be a solution?
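A simplified model of the last-subscriber-wins mechanism described in the comment above, added here as an illustration; it is hypothetical code, not Microsoft.Identity.Web or the fix in #1741, and the class names SchemeEvents, SharedDiagnostics and PerSchemeDiagnostics are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical model, not Microsoft.Identity.Web code: each scheme owns an OnTokenValidated
// hook that enforces the scope/roles check unless that scheme allows ACL-based authorization.
sealed class SchemeEvents
{
    public Func<HashSet<string>, string?> OnTokenValidated { get; set; }
    public SchemeEvents(string scheme, bool allowAcl)
    {
        OnTokenValidated = claims =>
            !allowAcl && !claims.Contains("scp") && !claims.Contains("roles")
                ? $"IDW10201 raised by {scheme}'s check" : null; // null = accepted
    }
}

// Buggy diagnostics: one shared static field holds the wrapped handler, so every Subscribe()
// overwrites it and every scheme ends up running the last-registered scheme's check.
static class SharedDiagnostics
{
    private static Func<HashSet<string>, string?>? s_inner;
    public static void Subscribe(SchemeEvents e)
    {
        s_inner = e.OnTokenValidated;
        e.OnTokenValidated = claims => s_inner!.Invoke(claims);
    }
}

// Fixed diagnostics: the wrapped handler is captured per subscription, no shared state.
static class PerSchemeDiagnostics
{
    public static void Subscribe(SchemeEvents e)
    {
        var inner = e.OnTokenValidated;
        e.OnTokenValidated = claims => inner(claims);
    }
}

static class Demo
{
    public static void Main()
    {
        var token = new HashSet<string> { "sub", "aud" }; // constructed: no scp or roles claim
        foreach (var (name, subscribe) in new (string, Action<SchemeEvents>)[]
                 { ("shared", SharedDiagnostics.Subscribe), ("per-scheme", PerSchemeDiagnostics.Subscribe) })
        {
            var acl = new SchemeEvents("ServiceOne", allowAcl: true);    // registered first
            var strict = new SchemeEvents("ServiceTwo", allowAcl: false); // registered last
            subscribe(acl); subscribe(strict);
            Console.WriteLine($"{name}: ServiceOne token -> {acl.OnTokenValidated(token) ?? "accepted"}");
        }
    }
}
```

With the shared singleton, the ServiceOne token is rejected with IDW10201 even though ServiceOne allows ACL authorization, because ServiceTwo's check ran; with per-subscription capture it is accepted.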

@jennyf19
Collaborator

jennyf19 commented Jun 4, 2022

Included in 1.25.0 release

@jennyf19 jennyf19 closed this as completed Jun 4, 2022
@jennyf19
Collaborator

jennyf19 commented Jun 4, 2022

Thanks for the contribution @sciocoder

@jennyf19 jennyf19 added this to the 1.25.0 milestone Jun 4, 2022
@sciocoder
Contributor

It was a pleasure. Thanks for the opportunity! :)

@madelineleclair
Author

@sciocoder Thank you for your help!
