Description
Which version of MSAL Go are you using?
1.4.2
Where is the issue?
- Public client
- Device code flow
- Username/Password (ROPC grant)
- Authorization code flow
- Confidential client
- Authorization code flow
- Client credentials:
- client secret
- client certificate
- Token cache serialization
- In-memory cache
- Other (please describe)
Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.
What version of Go are you using (go version)?
1.25
What operating system and processor architecture are you using (go env)?
Linux/amd64 (go env not available from user report)
Repro
User waited 2 days for auth token to expire, triggered AcquireTokenSilent, panic was observed:
goroutine 1 [running]:
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth.(*Client).Credential(_, {_, _}, {{{0x40004fd868, 0x19}, {0x40004fd860, 0x47}, {0xaaaacdc9227d, 0x5}, 0x1, ...}, ...}, ...)
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/oauth/oauth.go:104 +0x48
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base.Client.AcquireTokenSilent({0x400050d000, {0xaaaace730ad0, 0x400049f450}, {0xaaaace72a828, 0x400049f4a0}, {{{0x40004fd868, 0x19}, {0x40004fd860, 0x47}, {0xaaaacdc9227d, ...}, ...}, ...}, ...}, ...)
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/base/base.go:370 +0xa24
github.com/AzureAD/microsoft-authentication-library-for-go/apps/public.Client.AcquireTokenSilent({{0x400050d000, {0xaaaace730ad0, 0x400049f450}, {0xaaaace72a828, 0x400049f4a0}, {{{...}, {...}, {...}, 0x1, {...}, ...}, ...}, ...}}, ...)
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/public/public.go:357 +0x234
github.com/azure/azure-dev/cli/azd/pkg/auth.(*msalPublicClientAdapter).AcquireTokenSilent(_, {_, _}, {_, _, _}, {_, _, _})
github.com/azure/azure-dev/cli/azd/pkg/auth/public.go:63 +0xd8
github.com/azure/azure-dev/cli/azd/pkg/auth.(*azdCredential).GetToken(0x40005383c0, {0xaaaace729a18, 0x4000511d40}, {{0x0, 0x0}, 0x0, {0x400050fef0, 0x1, 0x1}, {0x0, ...}})
github.com/azure/azure-dev/cli/azd/pkg/auth/azd_credential.go:35 +0x364
github.com/azure/azure-dev/cli/azd/cmd.(*authTokenAction).Run(0x400049eeb0, {0xaaaace729a18, 0x4000511d40})
github.com/azure/azure-dev/cli/azd/cmd/auth_token.go:178 +0x2a4
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*MiddlewareRunner).RunAction.func1({0xaaaace729a18, 0x4000511d40})
github.com/azure/azure-dev/cli/azd/cmd/middleware/middleware.go:129 +0x328
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*TelemetryMiddleware).Run(0x40005341c0, {0xaaaace729a18, 0x4000510900}, 0x400050c900)
github.com/azure/azure-dev/cli/azd/cmd/middleware/telemetry.go:81 +0x5d8
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*MiddlewareRunner).RunAction.func1({0xaaaace729a18, 0x4000510900})
github.com/azure/azure-dev/cli/azd/cmd/middleware/middleware.go:112 +0x1f4
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*UxMiddleware).Run(0x40004d8e40, {0xaaaace729a18, 0x4000510900}, 0x400050c900)
github.com/azure/azure-dev/cli/azd/cmd/middleware/ux.go:35 +0x9c
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*MiddlewareRunner).RunAction.func1({0xaaaace729a18, 0x4000510900})
github.com/azure/azure-dev/cli/azd/cmd/middleware/middleware.go:112 +0x1f4
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*DebugMiddleware).Run(0x40004d8e10, {0xaaaace729a18, 0x4000510900}, 0x400050c900)
github.com/azure/azure-dev/cli/azd/cmd/middleware/debug.go:51 +0x360
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*MiddlewareRunner).RunAction.func1({0xaaaace729a18, 0x4000510900})
github.com/azure/azure-dev/cli/azd/cmd/middleware/middleware.go:112 +0x1f4
github.com/azure/azure-dev/cli/azd/cmd/middleware.(*MiddlewareRunner).RunAction(0x40004f3e40, {0xaaaace729a18, 0x4000510900}, 0x4000381380, {0x40004c0f78, 0x15})
github.com/azure/azure-dev/cli/azd/cmd/middleware/middleware.go:133 +0x12c
github.com/azure/azure-dev/cli/azd/cmd.(*CobraBuilder).configureActionResolver.func1(0x400037f208, {0x40003812c0, 0x0, 0x6})
github.com/azure/azure-dev/cli/azd/cmd/cobra_builder.go:133 +0x2f8
github.com/spf13/cobra.(*Command).execute(0x400037f208, {0x4000381260, 0x6, 0x6})
github.com/spf13/[email protected]/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x400032e608)
github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/[email protected]/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(...)
github.com/spf13/[email protected]/command.go:1064
main.main()
github.com/azure/azure-dev/cli/azd/main.go:65 +0x20c
Expected behavior
No panics during AcquireTokenSilent
Actual behavior
Panic during AcquireTokenSilent
Possible solution
I did a brief review of the code, which is unchanged between 1.4.2 and 1.5 (published 19 hours ago).
My suspicion is as follows:
- Inside AcquireTokenSilent for public client, we have this call to Token.Credential:
  if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
- This call is happening for a public client without being guarded with a confidential client check, i.e. silent.RequestType == accesstokens.ATConfidential. A nil value is passed for the third argument for *accesstokens.Credential from value silent.Credential.
- The nil panic then happens on line 104 when evaluating the expression if cred.TokenProvider != nil:
  microsoft-authentication-library-for-go/apps/internal/oauth/oauth.go
  Lines 103 to 104 in a3dbb6d
  func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams, cred *accesstokens.Credential) (accesstokens.TokenResponse, error) {
      if cred.TokenProvider != nil {
This is potentially related to a recent change in 1.4.2: 3e85bc9#diff-0ed52f08a56e13b23f21846a403fa60417b8b2028d9aa690fd1e1790e10edea6
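
The suspected failure and the suggested guard, as an added example that is not part of the original issue and is not MSAL Go's code. The types, `silentUnguarded`, `silentGuarded`, `panicked` and `ErrNoCredential` are hypothetical stand-ins that only model the call shape described above (a public client whose silent request carries a nil credential pointer).

```go
package main

import "errors"

// Hypothetical stand-ins for the library's internal types (not MSAL Go's code).
type RequestType int
const (
	ATPublic RequestType = iota
	ATConfidential
)

type Credential struct{ TokenProvider func() (string, error) }
type SilentParams struct {
	RequestType RequestType
	Credential  *Credential // nil for public clients
}

var ErrNoCredential = errors.New("silent refresh: no client credential")

// credential reads a field through cred with no nil check, like the frame at oauth.go:104.
func credential(cred *Credential) (string, error) {
	if cred.TokenProvider != nil { // nil pointer dereference when cred == nil
		return cred.TokenProvider()
	}
	return "token-from-secret-or-cert", nil
}

// silentUnguarded forwards p.Credential regardless of client type.
func silentUnguarded(p SilentParams) (string, error) { return credential(p.Credential) }

// silentGuarded uses the credential path only for confidential clients that carry one.
func silentGuarded(p SilentParams) (string, error) {
	if p.RequestType != ATConfidential || p.Credential == nil {
		return "", ErrNoCredential
	}
	return credential(p.Credential)
}

// panicked reports whether f panicked, so the crash can be observed without exiting.
func panicked(f func()) (did bool) {
	defer func() { did = recover() != nil }()
	f()
	return false
}

func main() {
	pub := SilentParams{RequestType: ATPublic} // constructed input: public client, nil credential
	println("unguarded panics:", panicked(func() { silentUnguarded(pub) }), "guarded panics:", panicked(func() { silentGuarded(pub) }))
}
```
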