Bug 56295 - office365/state: MSGraphError: HTTP response status: 401 (https://login.microsoftonline.com/**/oauth)
Status: NEW
Product: UCS
Classification: Unclassified
Component: Office 365
UCS 5.0
Other Windows NT
P5 normal
Assigned To: Mail maintainers
Depends on:
Blocks:
Reported: 2023-07-07 17:37 CEST by Maximilian Janßen
Modified: 2023-11-13 08:44 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022091821000049, 2023083121000238
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Description Maximilian Janßen univentionstaff 2023-07-07 17:37:30 CEST
Similar to Bug 56279 and Bug 56188, but different request


Version: 5.0-2 errata425

Remark: Connection fails on o365 joining

Error:
Internal server error during "office365/state".
Request: office365/state

Traceback (most recent call last):
  File "%PY3%/univention/office365/microsoft/exceptions/core_exceptions.py", line 266, in inner
    return func(*args, **kwargs)
  File "%PY3%/univention/office365/microsoft/core.py", line 853, in _call_graph_api
    raise MSGraphError(response, expected_status=expected_status)
univention.office365.microsoft.exceptions.core_exceptions.MSGraphError: HTTP response status: 401
HTTP response expected status: [200]
> request url: https://login.microsoftonline.com/***/oaut[..]

> request header: {
  "User-Agent": "Univention Microsoft 365 Connector",
  "Accept-Encoding": "gzip, deflate",
  "Accept": "*/*",
  "Connection": "keep-alive",
  "Content-Type": "application/x-www-form-urlencoded",
  "Content-Length": "1023"
}

> request body:
client_id=***&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=***&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

> response header: {
  "Cache-Control": "no-store, no-cache",
  "Pragma": "no-cache",
  "Content-Type": "application/json; charset=utf-8",
  "Expires": "-1",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "***",
  "x-ms-ests-server": "***",
  "X-XSS-Protection": "0",
  "Set-Cookie": "fpc=***; expires=Mon, 17-Oct-2022 23:31:02 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=***;
path=/; secure; samesite=none; httponly, stsservicecookie=***; path=/; secure; samesite=none; httponly",
  "Date": "Sat, 17 Sep 2022 23:31:01 GMT",
  "Content-Length": "1135"
}

> response body: {
  "error": "invalid_client",
  "error_description": "***: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.,
Thumbprint of key used by client: '***', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app
Id '***'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and
https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-[..] to build a query request URL, such as
'https://graph.microsoft.com/beta/applications/***[..]'].\r\nTrace ID: ***\r\nCorrelation ID:
***\r\nTimestamp: 2022-09-17 23:31:02Z",
  "error_codes": [
    700027
  ],
  "timestamp": "2022-09-17 23:31:02Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://login.microsoftonline.com/error?code=700027"
}



During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "%PY3%/univention/management/console/base.py", line 344, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "%PY3%/six.py", line 693, in reraise
    raise value
  File "%PY3%/univention/management/console/base.py", line 247, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY3%/univention/management/console/modules/decorators.py", line 321, in _response
    result = _multi_response(self, request)
  File "%PY3%/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "%PY3%/univention/management/console/modules/decorators.py", line 443, in _response
    return list(function(self, iterator, *nones))
  File "%PY3%/univention/management/console/modules/decorators.py", line 289, in _fake_func
    yield function(self, *args)
  File "%PY3%/univention/management/console/modules/office365/__init__.py", line 205, in state
    core = MSGraphApiCore(account)
  File "%PY3%/univention/office365/microsoft/core.py", line 67, in __init__
    response_handlers=response_handlers
  File "%PY3%/univention/office365/microsoft/core.py", line 105, in get_token
    response_handlers=response_handlers
  File "%PY3%/univention/office365/microsoft/exceptions/core_exceptions.py", line 272, in inner
    raise exception_class(e)
univention.office365.microsoft.exceptions.core_exceptions.UnauthorizedError: Authorization failed
HTTP response status: 401
HTTP response expected status: [200]
> request url: https://login.microsoftonline.com/***/oaut[..]

> request header: {
  "User-Agent": "Univention Microsoft 365 Connector",
  "Accept-Encoding": "gzip, deflate",
  "Accept": "*/*",
  "Connection": "keep-alive",
  "Content-Type": "application/x-www-form-urlencoded",
  "Content-Length": "1023"
}

> request body:
client_id=***&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion***&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

> response header: {
  "Cache-Control": "no-store, no-cache",
  "Pragma": "no-cache",
  "Content-Type": "application/json; charset=utf-8",
  "Expires": "-1",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "***",
  "x-ms-ests-server": "2.1.13672.7 - NEULR2 ProdSlices",
  "X-XSS-Protection": "0",
  "Set-Cookie": "fpc=***; expires=Mon, 17-Oct-2022 23:31:02 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=***;
path=/; secure; samesite=none; httponly, stsservicecookie=***; path=/; secure; samesite=none; httponly",
  "Date": "Sat, 17 Sep 2022 23:31:01 GMT",
  "Content-Length": "1135"
}

> response body: {
  "error": "invalid_client",
  "error_description": "***: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found.,
Thumbprint of key used by client: '***', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app
Id '***'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and
https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-[..] to build a query request URL, such as
'https://graph.microsoft.com/beta/applications/***[..]'].\r\nTrace ID: ***\r\nCorrelation ID:
***\r\nTimestamp: 2022-09-17 23:31:02Z",
  "error_codes": [
    700027
  ],
  "timestamp": "2022-09-17 23:31:02Z",
  "trace_id": "***",
  "correlation_id": "***",
  "error_uri": "https://login.microsoftonline.com/error?code=700027"
}

Role: domaincontroller_master
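
The response body above (error code 700027) says the thumbprint of the key used by the client is not among the keys registered on the application. A local check for that condition, as an added example that is not part of the report or of the connector's code: it assumes the client assertion names its certificate in the JWT header field `x5t` (base64url of the SHA-1 over the certificate's DER bytes) and that the registered thumbprints are copied in by hand. The function names and the sample certificates and assertion are constructed for illustration.

```python
import base64
import hashlib
import json
import ssl


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def pem_thumbprint(pem: str) -> str:
    """Hex SHA-1 over the certificate's DER bytes (an identifier, not a security hash)."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def assertion_thumbprint(client_assertion: str) -> str:
    """Hex thumbprint named in the assertion's JWT header (assumed to be in 'x5t')."""
    header = json.loads(_b64url_decode(client_assertion.split(".")[0]))
    if "x5t" not in header:
        raise ValueError("assertion header has no x5t; keys present: %s" % sorted(header))
    return _b64url_decode(header["x5t"]).hex().upper()


def diagnose(client_assertion: str, local_pem: str, registered: list) -> dict:
    """Compare the key the client signs with against the local cert and the app's keys."""
    used = assertion_thumbprint(client_assertion)
    known = {t.replace(":", "").replace(" ", "").upper() for t in registered}
    return {
        "used_by_client": used,
        "matches_local_cert": used == pem_thumbprint(local_pem),
        "registered_on_app": used in known,  # False is the 700027 condition
    }


def _fake_pem(raw: bytes) -> str:
    # Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real certificate.
    body = base64.encodebytes(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def _fake_assertion(pem: str) -> str:
    # Constructed, unsigned JWT whose header names pem's thumbprint.
    x5t = base64.urlsafe_b64encode(bytes.fromhex(pem_thumbprint(pem))).rstrip(b"=").decode()
    header = json.dumps({"alg": "RS256", "typ": "JWT", "x5t": x5t}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.c2ln"


LOCAL_CERT = _fake_pem(b"constructed certificate held by the connector")
OTHER_CERT = _fake_pem(b"constructed certificate registered on the app")
REPORT = diagnose(_fake_assertion(LOCAL_CERT), LOCAL_CERT, [pem_thumbprint(OTHER_CERT)])
```

With the constructed inputs, `REPORT` shows the assertion matching the local certificate while `registered_on_app` is false, which is the state the error message describes.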