
Invalid JWT access token #2386

Closed
mbikovitsky opened this issue Oct 24, 2023 · 2 comments · Fixed by #2388

@mbikovitsky

Describe the bug

Authenticating with a personal account throws an Invalid JWT access token error.

To Reproduce

  1. Execute Connect-MgGraph -Scopes "User.Read" -TenantId consumers
  2. Authenticate in the opened browser window with a personal Microsoft account.
  3. Observe the error in the terminal window.

Expected behavior

Authentication succeeds.

Debug Output

DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(df0b43df-1be5-4c4d-aa81-27db585bd657)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - df0b43df-1be5-4c4d-aa81-27db585bd657
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] === Token Acquisition (InteractiveRequest) started:
         Scopes: User.Read
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Fetching instance discovery from the network from host login.microsoftonline.com.
DEBUG: Request [86be4b3a-8749-46f0-8121-73360e87532e] GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:86be4b3a-8749-46f0-8121-73360e87532e
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.9.0 (.NET 7.0.11; Microsoft Windows 10.0.19045)
client assembly: Azure.Identity
DEBUG: Response [86be4b3a-8749-46f0-8121-73360e87532e] 200 OK (00.4s)
Cache-Control:max-age=86400, private
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:a3d24e24-03ef-4e57-92d2-61f4e0614100
x-ms-ests-server:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Tue, 24 Oct 2023 19:58:53 GMT
Content-Type:application/json; charset=utf-8
Content-Length:953

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Authority validation enabled? True.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Authority validation - is known env? True.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:52Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Using system browser.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:53Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Listening for authorization code on http://localhost:59783/
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Processing a response message to the browser. HttpStatus:OK
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: Request [edda36b1-9d30-47fa-9535-dbdf4631de78] POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:edda36b1-9d30-47fa-9535-dbdf4631de78
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.9.0 (.NET 7.0.11; Microsoft Windows 10.0.19045)
client assembly: Azure.Identity
DEBUG: Response [edda36b1-9d30-47fa-9535-dbdf4631de78] 200 OK (00.5s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:ffaa2d16-8d56-4a22-be1f-fa11e8d96700
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Tue, 24 Oct 2023 19:58:59 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:3384

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Looking for scopes for the authority in the cache which intersect with User.Read
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Intersecting scope entries count - 1
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [SaveTokenResponseAsync] Saving RT in cache...
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] [AdalCacheOperations] Serializing token cache with 1 items.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657]  AT expiration time: 24/10/2023 20:58:58 +00:00, scopes: openid profile User.Read. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - df0b43df-1be5-4c4d-aa81-27db585bd657] Fetched access token from host login.microsoftonline.com.
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ User.Read ] ParentRequestId:  ExpiresOn: 2023-10-24T20:58:58.5682029+00:00
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ User.Read ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(46ffb995-5999-423b-9687-15e077cc892b)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 46ffb995-5999-423b-9687-15e077cc892b
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] === Token Acquisition (SilentRequest) started:
         Scopes: User.Read
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] Access token is not expired. Returning the found cache entry. [Current time (10/24/2023 19:58:58) - Expiration
Time (10/24/2023 20:58:58 +00:00) - Extended Expiration Time (10/24/2023 20:58:58 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.19045 [2023-10-24 19:58:58Z - 46ffb995-5999-423b-9687-15e077cc892b]  AT expiration time: 24/10/2023 20:58:58 +00:00, scopes: openid profile User.Read. source: Cache
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ User.Read ] ParentRequestId:  ExpiresOn: 2023-10-24T20:58:58.0000000+00:00
Connect-MgGraph: Invalid JWT access token.

Module Version

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.8.0                 Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}

Environment Data

Name                           Value
----                           -----
PSVersion                      7.3.8
PSEdition                      Core
GitCommitId                    7.3.8
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
@mbikovitsky
Author

From the stack trace, it looks like the error originates here: https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/2.8.0/src/Authentication/Authentication.Core/Utilities/JwtHelpers.cs#L79

Message        : Invalid JSON Web Token (JWT).
ParamName      :
TargetSite     : Microsoft.Graph.PowerShell.Authentication.Core.Models.JwtContent DecodeJWT(System.String)
Data           : {}
InnerException :
HelpLink       :
Source         : Microsoft.Graph.Authentication.Core
HResult        : -2147024809
StackTrace     :    at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers.DecodeJWT(String jwtString)
                    at Microsoft.Graph.PowerShell.Authentication.Core.Utilities.JwtHelpers.DecodeToObject[T](String jwtString)

@peombwa
Member

peombwa commented Oct 25, 2023

Thanks for following up on this.

It does appear that the access token issued by the STS for personal accounts is not a JWT and does not comply with https://tools.ietf.org/html/rfc7519, hence the error.

The SDK needs to be modified to only decode the access token when it is a JWT (i.e. when work and school accounts are used). See related question at https://stackoverflow.com/questions/66210139/why-my-valid-ms-access-token-cant-be-parsed-with-jwt-ms for more details.
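The check described above, decoding the access token only when it actually has JWT structure and treating anything else as an opaque token, as an added Python illustration; this is not the SDK's C# code, the two sample tokens are constructed, and the decoder only parses claims without verifying the signature (as a helper that reads claims for display does), so the claims it returns are untrusted.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWS strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def try_decode_jwt(token: str):
    """Return the payload claims if `token` is a JWS compact serialization
    (header.payload.signature with JSON header and payload), else None.
    No signature verification is done here: this mirrors a claim *parser*,
    not a validator, so the returned claims must not be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    if not isinstance(payload, dict):
        return None
    return payload


def describe_access_token(token: str) -> dict:
    """Decode claims only for JWTs; anything else (e.g. a personal-account
    token) is reported as opaque instead of raising 'Invalid JWT access token'."""
    claims = try_decode_jwt(token)
    if claims is None:
        return {"format": "opaque", "claims": {}}
    return {"format": "jwt", "claims": claims}


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample: JWT-shaped token with a dummy signature (work/school style).
SAMPLE_JWT = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}),
    _b64url_encode({"aud": "https://graph.microsoft.com", "scp": "User.Read"}),
    "constructed-signature",
])
# Constructed sample: an opaque token with no JWT structure (personal-account style).
SAMPLE_OPAQUE = "constructedOpaqueAccessTokenWithNoDotSeparators"
```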
