Description
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
2.16.1
Wrapper Library
Not Applicable
Public or Confidential Client?
Confidential
Description
We are the team responsible for pipeline tasks for Azure Pipelines. Tasks are simple applications running under a Node server. To authenticate against Azure we are using the msal-node library. One of our customers started to experience an intermittent issue that occurs inside ConfidentialClientApplication.acquireTokenByClientCredential. After several attempts we were able to reproduce the issue as well. The issue occurs under the following circumstances:
- Authority is China Cloud (login.chinacloudapi.cn),
- Task runs on Node version 20 under Ubuntu 22.04,
- Issue occurs very intermittently ~1% of all cases.
According to the logs (see below), the issue probably happens due to the MaxListenersExceededWarning issue. That might also be the reason why the issue is so intermittent.
Error Message
{
  "errorCode":"openid_config_error",
  "errorMessage":"Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.: https://login.partner.microsoftonline.cn/d821ee8e-409c-4e92-8945-2127b8c879d5/v2.0/.well-known/openid-configuration",
  "subError":"",
  "name":"ClientAuthError"
}
Stack trace
ClientAuthError: endpoints_resolution_error: Endpoints cannot be resolved\n
at createClientAuthError (/home/vsts/work/_tasks/AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e/2.249.3/node_modules/azure-pipelines-tasks-azure-arm-rest/node_modules/msalv2/lib/msal-node.cjs:861:12)\n
at createDiscoveredInstance (/home/vsts/work/_tasks/AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e/2.249.3/node_modules/azure-pipelines-tasks-azure-arm-rest/node_modules/msalv2/lib/msal-node.cjs:6071:15)\n
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n
at async ConfidentialClientApplication.buildOauthClientConfiguration (/home/vsts/work/_tasks/AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e/2.249.3/node_modules/azure-pipelines-tasks-azure-arm-rest/node_modules/msalv2/lib/msal-node.cjs:10525:37)\n
at async ConfidentialClientApplication.acquireTokenByClientCredential (/home/vsts/work/_tasks/AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e/2.249.3/node_modules/azure-pipelines-tasks-azure-arm-rest/node_modules/msalv2/lib/msal-node.cjs:11676:44)
MSAL Logs
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Info - acquireTokenByClientCredential called
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - initializeRequestScopes called
[Thu, 14 Nov 2024 17:06:07 GMT] : [c6ee8f32-afa6-48ec-b710-2bf2826d5ba3] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
[Thu, 14 Nov 2024 17:06:07 GMT] : [c6ee8f32-afa6-48ec-b710-2bf2826d5ba3] : @azure/[email protected] : Verbose - createAuthority called
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Executing function authorityResolveEndpointsAsync
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Retrieving all cache keys
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Getting cache key-value store
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Executing function authorityUpdateCloudDiscoveryMetadata
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata from authority configuration
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Known Authorities:
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Authority Metadata: N/A
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Canonical Authority: https://login.chinacloudapi.cn/d821ee8e-409c-4e92-8945-2127b8c879d5/
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Returning result from authorityUpdateCloudDiscoveryMetadata
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Executing function authorityUpdateEndpointMetadata
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in hardcoded values... Attempting to get endpoint metadata from the network metadata cache.
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Trace - Executing function authorityGetEndpointMetadataFromNetwork
[Thu, 14 Nov 2024 17:06:07 GMT] : [] : @azure/[email protected] : Verbose - Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from https://login.partner.microsoftonline.cn/d821ee8e-409c-4e92-8945-2127b8c879d5/v2.0/.well-known/openid-configuration
(node:3217261) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 close listeners added to [TLSSocket]. Use emitter.setMaxListeners() to increase limit
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Verbose - Authority.getEndpointMetadataFromNetwork: Error: AggregateError
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Returning result from authorityGetEndpointMetadataFromNetwork
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Error occurred in authorityUpdateEndpointMetadata
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - {"errorCode":"openid_config_error","errorMessage":"Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.: https://login.partner.microsoftonline.cn/d821ee8e-409c-4e92-8945-2127b8c879d5/v2.0/.well-known/openid-configuration","subError":"","name":"ClientAuthError"}
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Error occurred in authorityResolveEndpointsAsync
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - {"errorCode":"openid_config_error","errorMessage":"Could not retrieve endpoints. Check your authority and verify the .well-known/openid-configuration endpoint returns the required endpoints.: https://login.partner.microsoftonline.cn/d821ee8e-409c-4e92-8945-2127b8c879d5/v2.0/.well-known/openid-configuration","subError":"","name":"ClientAuthError"}
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Item key: server-telemetry-***
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Getting cache key-value store
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Item key: server-telemetry-***
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Getting cache key-value store
[Thu, 14 Nov 2024 17:06:08 GMT] : [] : @azure/[email protected] : Trace - Setting cache key value store
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
{
  auth: {
    clientId: clientId,
    authority: authorityURL,
    clientSecret: secret
  },
  system: {
    loggerOptions: {
      loggerCallback(loglevel, message, _) {
        tl.debug(message);
      },
      piiLoggingEnabled: true,
      logLevel: LogLevel.Trace
    }
  }
}
Relevant Code Snippets
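import { ConfidentialClientApplication, ClientCredentialRequest } from "@azure/msal-node";

// config is the MSAL configuration object shown above
const msal = new ConfidentialClientApplication(config);
const request: ClientCredentialRequest = {
  scopes: [this.activeDirectoryResourceId + "/.default"]
};
// Client-credentials grant; this is the call that fails intermittently
const response = await msal.acquireTokenByClientCredential(request);
Reproduction Steps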
In Azure DevOps:
- Set up ARM service connection targeting Azure China using secrets,
- Create simple build pipeline,
- Use MS hosted pool with ubuntu-22.04 VM image,
- Add AzureKeyVaultV2 task
- Run pipeline
Expected Behavior
ConfidentialClientApplication.acquireTokenByClientCredential returns a response.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
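
One way to check, across many pipeline logs, how often a failed OpenID discovery request coincides with a MaxListenersExceededWarning, as an added example that is not part of the original report or of msal-node. The function name `triageDiscovery`, the placeholder tenant id and the placeholder package version are assumptions; the line layout and message texts are the ones in the MSAL logs above.

```javascript
// Added example, not msal-node code. Line layout taken from the logs in this issue:
//   [timestamp] : [correlationId] : package@version : Level - message
const LINE = /^\[([^\]]+)\] : \[([^\]]*)\] : (.+?) : (\w+) - (.*)$/;
const ATTEMPT = /getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from (\S+)/;
const FAILURE = /getEndpointMetadataFromNetwork: Error: (\S+)/;
const WARNING = /MaxListenersExceededWarning: .*? (\d+) (\w+) listeners added to \[(\w+)\]/;

function triageDiscovery(logText) {
  const report = { attempts: 0, failures: [] };
  let inFlight = null; // discovery request that has started and not yet failed
  for (const raw of logText.split(/\r?\n/)) {
    const warning = WARNING.exec(raw);
    if (warning && inFlight) {
      // Node runtime warning printed while the metadata request was open
      inFlight.listenerWarning = { count: Number(warning[1]), event: warning[2], emitter: warning[3] };
      continue;
    }
    const line = LINE.exec(raw);
    if (!line) continue; // not an MSAL log line
    const timestamp = line[1], message = line[5];
    const attempt = ATTEMPT.exec(message);
    const failure = FAILURE.exec(message);
    if (attempt) {
      report.attempts += 1;
      inFlight = { startedAt: timestamp, endpoint: attempt[1], listenerWarning: null };
    } else if (failure && inFlight) {
      report.failures.push({ ...inFlight, failedAt: timestamp, error: failure[1] });
      inFlight = null;
    }
  }
  return report;
}

// Constructed sample: placeholder package version and tenant id, two discovery requests.
const PKG = "@azure/msal-node@X.Y.Z";
const ENDPOINT = "https://login.partner.microsoftonline.cn/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration";
const at = (time, level, msg) => `[Thu, 14 Nov 2024 ${time} GMT] : [] : ${PKG} : ${level} - ${msg}`;
const SAMPLE_LOG = [
  at("17:06:01", "Verbose", `Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from ${ENDPOINT}`),
  at("17:06:01", "Trace", "Returning result from authorityGetEndpointMetadataFromNetwork"),
  at("17:06:07", "Verbose", `Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from ${ENDPOINT}`),
  "(node:1234) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 close listeners added to [TLSSocket]. Use emitter.setMaxListeners() to increase limit",
  at("17:06:08", "Verbose", "Authority.getEndpointMetadataFromNetwork: Error: AggregateError"),
].join("\n");

console.log(JSON.stringify(triageDiscovery(SAMPLE_LOG), null, 2));
```

A failure whose `listenerWarning` is `null` is a discovery error that occurred without the warning, which is the case that would count against the hypothesis.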