[Bug] PoP auth on macOS gives ServerNonceInvalidSignature error from Graph endpoint #761

Open
pvaneck opened this issue Oct 23, 2024 · 4 comments
@pvaneck

pvaneck commented Oct 23, 2024

Describe the bug

Running the following script works on Windows with WAM, but not on macOS with Company Portal:

https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8

Instead, on macOS, the request with the PoP token yields a 401 response with the following error:

{"error":{"code":"InvalidAuthenticationToken","message":"ServerNonceInvalidSignature","innerError":{"date":"2024-10-23T01:24:12","request-id":"488ed87e-30cb-466f-85a1-f898e60351e1","client-request-id":"488ed87e-30cb-466f-85a1-f898e60351e1"}}}

Any ideas what could be causing this?

To Reproduce

Install the latest msal and pymsalruntime, and run the following script which runs through the PoP authentication flow with Microsoft Graph.

https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8

Expected behavior

The request to the Graph endpoint should yield a 200 response.

What you see instead

A 401 response is returned with a ServerNonceInvalidSignature error.

The MSAL Python version you are using

msal==1.31.0
pymsalruntime==0.17.1

@rayluo
Collaborator

rayluo commented Oct 23, 2024

Looks like MSAL Python and mac broker got you a token back, but somehow MS Graph did not accept that token. Assigning to @fengga for investigation.

@xiangyan99

> Looks like MSAL Python and mac broker got you a token back, but somehow MS Graph did not accept that token. Assigning to @fengga for investigation.

It worked on Windows broker. So please take a look. :)

@fengga
Contributor

fengga commented Oct 23, 2024

Hi @pvaneck, I just tested on my Mac: https://gist.github.com/pvaneck/d304306a303c8d6ad8ccac52d995f4a8 succeeds, and everything looks good on my machine.
Can you check if you get tokens from mac broker by calling app.acquire_token_interactive()?

@pvaneck
Author

pvaneck commented Oct 23, 2024

@fengga I do get a PoP token, and comparing the tokens I get on Windows versus Mac on jwt.ms, the structure and contents are pretty similar. Are there any other dependencies that are used for signing that I should check? I am on an M3 Pro Mac with macOS 15.0.1 with Python 3.12.7.

  • openssl: 3.3.2
  • cryptography: 43.0.1
  • PyJWT: 2.9.0
