Acquiring token silently with account set to None fails in Azure Government

[marlonsingleton]

Describe the bug
A clear and concise description of what the bug is.

UPDATE by Ray: There is also an internal issue created here, which is currently under investigation by our service side team.

To Reproduce
Steps to reproduce the behavior:

1. Go to our off-the-shelf samples and pick one that is closest to your usage scenario. You should not need to modify the sample.
2. Follow the description of the sample, typically at the beginning of it, to prepare a config.json containing your test configurations
3. Run such sample, typically by python sample.py config.json
4. See the error
5. In this bug report, tell us the sample you choose, paste the content of the config.json with your test setup (which you can choose to skip your credentials, and/or mail it to our developer's email).

import msal
import os
import sys
from pprint import pprint

SCOPES = ["https://graph.microsoft.us/.default"]

app = msal.ConfidentialClientApplication(
    client_id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    client_credential=['CLIENT_SECRET'],
    authority='https://login.microsoftonline.us/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
)

result = app.acquire_token_silent(scopes=SCOPES, account=None)
if not result:
    result = app.acquire_token_for_client(scopes=SCOPES)

if 'access_token' not in result:
    msg = "Could not acquire Azure access token: {error}: {descr}".format(
        error=result.get('error'),
        descr=result.get('error_description'),
    )
    pprint(msg)
    sys.exit(1)

pprint("Finished")
pprint(result)

Expected behavior

#result should equal None, evaluate if statement then acquire token for client
#works as expected in Azure Public cloud

result = app.acquire_token_silent(scopes=SCOPES, account=None)
if not result:
    result = app.acquire_token_for_client(scopes=SCOPES)

What you see instead

Traceback starts with:
 httplib_response = self._make_request(

Traceback ends with:
(Caused by SSLError(SSLCertVerificationError("hostname 'login.usgovcloudapi.net' doesn't match either of 'graph.aadg.microsoftonline.us', '*.b2clogin.us'")))

The MSAL Python version you are using
Paste the output of this
python -c "import msal; print(msal.__version__)"
MSAL version '1.4.1'

Additional context
Add any other context about the problem here.

#This returns token without issue

#result = app.acquire_token_silent(scopes=SCOPES, account=None)
#if not result:
result = app.acquire_token_for_client(scopes=SCOPES)

[rayluo]

Thanks for following our issue template, @marlonsingleton !

Your code snippet happened to supply a list for the client_credential, it should really be a string. But perhaps that was just your typo when drafting this bug report? If you haven't already, please run this out-of-box confidential client sample to reproduce it, just to be sure.

Traceback starts with:

 httplib_response = self._make_request(

Traceback ends with:

(Caused by SSLError(SSLCertVerificationError(
"hostname 'login.usgovcloudapi.net' doesn't match either of
'graph.aadg.microsoftonline.us', '*.b2clogin.us'")))

Perhaps you can send us your full error trace (which would typically contain only script file names and line numbers, but no other sensitive info) to understand what happened. That starting (?) line httplib_response = self._make_request( does not even seem to exist inside this MSAL library's code base. We assume there would be some other activities before that.

Regardless, the ending error SSLError(SSLCertVerificationError sounds like an cert validation issue. I'll loop in my colleague @abhidnya13 who has more hands-on experience in this area than me.

[abhidnya13]

I tried to reproduce this error and was able to get it reproduced. What I found out is, in the acquire_token_silent call, the step where authority aliasing is performed, there is an alias returned for login.microsoftonline.us which is https://login.usgovcloudapi.net. The reason why this error is returned is because the open-id config call for this endpoint fails because it expects a certain cert to be installed on your machine as @rayluo mentioned a possible cert validation issue. So, temporarily, I was able to get it working by initializing the application with verify=False but we will still have to investigate the cause for this cert error. Looking into it right now, will keep you guys posted here.

[abhidnya13]

After investigating looks like there is SSL validation failure from https://login.usgovcloudapi.net endpoint. Service team to investigate the issue.

[coverprice]

MAG customer who filed the original bug report with MAG support here.

Your code snippet happened to supply a list for the client_credential, it should really be a string. But perhaps that was just your typo when drafting this bug report?

Confirmed, that was a typo from my original repro code. The original was os.environ['CLIENT_SECRET'].

And to confirm, I am also seeing the TLS validation failure. The requests call attempts to connect to login.microsoftonline.us, but the certificate returned by the server is for graph.aadg.microsoftonline.us, so TLS validation fails.

[marlonsingleton]

@abhidnya13 thanks! I was also able to repro before posting this issue. Any thoughts why acquire_token_for_client(scopes=SCOPES) returns a bearer token?

[abhidnya13]

@marlonsingleton acquire_token_silent(...) performs authority aliasing which basically means it tries to see if there is a token in the cache for the input authority and if we can't find one using the input authority, all its authority aliases are used to search for a token. In the case of login.microsoftonline.us the server returns the alias login.usgovcloudapi.net and so when when this authority is initialized, it does network calls at which the SSL validation failure happens. This type of aliasing is not done for acquire_token_for_client() scenarios and so the token is successfully returned.

[rayluo]

Closing notes: This was triggered by multiple reasons combined. Now a workaround has been shipped in MSAL Python 1.4.2.