NullReferenceException is thrown when using DefaultTokenAcquisitionHost and trying to acquire a token

[MZOLN]

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.13.3

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

NRE thrown in the pasted stack.
The issue is that the defaultokenacquisitionhost returns a null redirecturi but msal assumes that it`s not null

Reproduction steps

Create console app
Call downstream api

Error message

System.NullReferenceException

HResult=0x80004003

Message=Object reference not set to an instance of an object.

Source=Microsoft.Identity.Web.TokenAcquisition

StackTrace:

at Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal() in /_/src/Microsoft.Identity.Web.TokenAcquisition/MergedOptions.cs:line 452

at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(MergedOptions mergedOptions) in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 580

at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication(MergedOptions mergedOptions) in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 566

at Microsoft.Identity.Web.TokenAcquisition.d__14.MoveNext() in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 235

This exception was originally thrown at this call stack:

Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal() in MergedOptions.cs

Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(Microsoft.Identity.Web.MergedOptions) in TokenAcquisition.cs

Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication(Microsoft.Identity.Web.MergedOptions) in TokenAcquisition.cs

Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(System.Collections.Generic.IEnumerable<string>, string, string, string, System.Security.Claims.ClaimsPrincipal, Microsoft.Identity.Web.TokenAcquisitionOptions) in TokenAcquisition.cs

Id Web logs

No response

Relevant code snippets

Run ConsoleApp2 on MISE repo

Regression

Id Web 2.13.3

Expected behavior

Token is acquired.

[jennyf19]

@MZOLN Do you have everything in the appsettings.json? Is the authority, instance, etc... all present?

[MZOLN]

Those are the settings:
{
"AzureAd": {
//"Instance": "https://login.microsoftonline.com/",
//"ClientId": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc",
//"TenantId": "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab",
//"Audience": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc",
"Instance": "https://login.microsoftonline.com/",
"ClientId": "a4c2469b-cf84-4145-8f5f-cb7bacf814bc", // your client Id, e.g. a4c2469b-cf84-4145-8f5f-cb7bacf814bc
"TenantId": "7f58f645-c190-4ce5-9de4-e2b7acd2a6ab", // your tenant id, e.g. 7f58f645-c190-4ce5-9de4-e2b7acd2a6ab
"ShowPII": true,
"MinimumDataClassificationCategory": "SystemMetadata",
"Logging": {
"LogLevel": "Warning"
},
"Modules": {
"TrV2": {
"ModuleType": "TrV2Module",
"Enabled": true
}
}
},

....

DownstreamApi:
.....

    "me": {
        "BaseUrl": "https://graph.microsoft.com/v1.0",
        "RelativePath": "/me",
        "Scopes": [ "user.read" ],
        "AcquireTokenOptions": {
            "AuthenticationOptionsName": "S2SAuthentication"
        }

Is anything missing?

[Jan1503]

I encounter the same issue with 2.13.3.
It's working in 2.13.2.
Haven't found the time to further debug it, just switched back to 2.13.2.

Short Stack Trace:
System.NullReferenceException: at Microsoft.Identity.Web.MergedOptions.PrepareAuthorityInstanceForMsal (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae) at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae) at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae) at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae) at Microsoft.Identity.Web.TokenAcquisition+<GetAccessTokenForAppAsync>d__17.MoveNext (Microsoft.Identity.Web.TokenAcquisition, Version=2.13.3.0, Culture=neutral, PublicKeyToken=0a613f4dd989e8ae) at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e) at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)`

[jmprieur]

@Jan1503 : Marcin's error was with is code (he forgot to configure the MicrosoftIdentityApplicationOptions)
how did you configure your application?

Do you use AddMicrosoftWebApp or AddMicrosoftWebApi?
Do you configure the MicrosoftIdentityApplicationOptions passing-in an authentication scheme?

[Jan1503]

@jmprieur : Here's my auth-config:

public static IServiceCollection AddDefaultAuthentication(this IServiceCollection services,
        IConfigurationSection azureAdConfigurationSection)
    {
        ArgumentNullException.ThrowIfNull(azureAdConfigurationSection);
        
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(jwt =>
            {
                IdentityModelEventSource.ShowPII = true;
                var opt = new MicrosoftIdentityOptions();
                azureAdConfigurationSection.Bind(opt);

                jwt.Authority = $"https://sts.windows.net/{opt.TenantId}/v2.0";
                jwt.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = $"https://sts.windows.net/{opt.TenantId}",
                    ValidAudiences = new List<string>
                    {
                        opt.ClientId!,
                        $"api://{opt.ClientId}"
                    }
                };
                jwt.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx => Task.CompletedTask
                };
            }, azureAdConfigurationSection.Bind)

            .EnableTokenAcquisitionToCallDownstreamApi(options => { })
            .AddInMemoryTokenCaches();

        return services;
    }

[jmprieur]

@Jan1503 this should be fixed in 2.15.0 that is going to release tomorrow

[slabarque]

Still not fixed apparently. I'm having this issue with the daemon_console sample from https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph

I was following this Quickstart guide:
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-console-app-netcore-acquire-token