Azure | Custom Claims Provider | AADSTS1100001 Non-retryable error


I am attempting to set up a custom claims provider, following the Microsoft articles (https://learn.microsoft.com/en-us/azure/active-directory/develop/custom-claims-provider-overview).

I have a simple TypeScript Function App with the following code:

import { AzureFunction, Context, HttpRequest } from "@azure/functions"

const httpTrigger: AzureFunction = async function (context: Context, req: HttpRequest): Promise<void> {
  context.log(`request method: ${JSON.stringify(req.method)}`);
  context.log(`request headers: ${JSON.stringify(req.headers)}`);
  context.log(`request body: ${JSON.stringify(req.body)}`);

  const correlationId = (req.query.correlationId || req.body?.data.authenticationContext?.correlationId);
  context.log(`correlationId: ${JSON.stringify(correlationId)}`);

  const user = req.body?.data?.authenticationContext?.user;
  context.log(`user: ${JSON.stringify(user)}`);

  context.res = {
    body: {
      data: {
        "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
        actions: [
          {
            "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
            claims: {
              correlationId,
              customRoles: [
                "Writer",
                "Editor"
              ]
            }
          }
        ]
      }
    }
  };

};

export default httpTrigger;

Note that I can successfully deploy this code to the function app on my account, and it "successfully" executes every time that someone logs in to the application.

Despite this "successful" execution, however, I do not get a successful response back from the token request. Instead, I'm seeing error responses from the token endpoint like this:

{"error":"invalid_request","error_description":"AADSTS1100001: Non-retryable error has occurred.\r\nTrace ID: 23b605c1-9c02-406c-89ea-5548cf6f8300\r\nCorrelation ID: cbcd178c-4859-40c5-9193-43693382f315\r\nTimestamp: 2023-05-02 09:45:47Z","error_codes":[1100001],"timestamp":"2023-05-02 09:45:47Z","trace_id":"23b605c1-9c02-406c-89ea-5548cf6f8300","correlation_id":"cbcd178c-4859-40c5-9193-43693382f315"}

This error response isn't all that informative about what is going wrong behind the scenes. I haven't found a way to look up any associated logs by the trace_id either. Any advice on how to get this working/get to the underlying error trace would be much appreciated.



Best answer (score 2)

This piece of code worked for me. The odata.type and the content-type header can make all the difference. It is all outlined in the Microsoft article referenced in the original question, even though the example given is in C#.

import { AzureFunction, Context, HttpRequest } from "@azure/functions"

const httpTrigger: AzureFunction = async function (context: Context, req: HttpRequest): Promise<void> {
    //context.log('HTTP trigger function processed a request.');

    const correlationId = (req.body && req.body.data.authenticationContext.correlationId)
    const response =
        {
            "data": {
                "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
                "actions": [
                    {
                        "@odata.type": "microsoft.graph.provideClaimsForToken",
                        "claims": {
                            "correlationId": `${correlationId}`,
                            "organization": "myorg",
                            "apiVersion": "1.0.0"
                        }
                    }
                ]
            }
        };

    context.res = {
        // status: 200, /* Defaults to 200 */
        body: response,
        headers: {
            'Content-Type': 'application/json'
        }
    };
};

export default httpTrigger;
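As an added example (not code from the question or any answer), a small TypeScript check a team could run in the function's unit tests against context.res before deploying. It asserts the two things the accepted answer identifies: the exact "@odata.type" strings (taken from that answer) and the application/json Content-Type header. The helper names and the sample responses are assumptions.

```typescript
// Added example, not from the question or any answer. It checks a function's
// context.res against the shape the accepted answer uses: the exact @odata.type
// strings (taken from that answer) and a JSON Content-Type header.
type HttpResponseLike = { body: unknown; headers?: Record<string, string> };

const DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData";
const ACTION_TYPE = "microsoft.graph.provideClaimsForToken";

// Build a response in the accepted answer's shape (assumed helper name).
function buildClaimsResponse(correlationId: string | undefined,
                             claims: Record<string, unknown>): HttpResponseLike {
  return {
    body: {
      data: {
        "@odata.type": DATA_TYPE,
        actions: [{ "@odata.type": ACTION_TYPE, claims: { correlationId: `${correlationId}`, ...claims } }],
      },
    },
    headers: { "Content-Type": "application/json" },
  };
}

// Return every problem found; an empty list means the response has the expected shape.
function checkClaimsResponse(res: HttpResponseLike): string[] {
  const problems: string[] = [];
  const ct = Object.entries(res.headers ?? {}).find(([k]) => k.toLowerCase() === "content-type")?.[1];
  if (!ct || !ct.toLowerCase().startsWith("application/json")) {
    problems.push("missing Content-Type: application/json header");
  }
  const data = (res.body as any)?.data;
  if (!data) { problems.push("body.data is missing"); return problems; }
  if (data["@odata.type"] !== DATA_TYPE) {
    problems.push(`data.@odata.type is ${JSON.stringify(data["@odata.type"])}, expected ${DATA_TYPE}`);
  }
  if (!Array.isArray(data.actions) || data.actions.length === 0) {
    problems.push("data.actions must be a non-empty array"); return problems;
  }
  data.actions.forEach((a: any, i: number) => {
    if (a["@odata.type"] !== ACTION_TYPE) {
      problems.push(`actions[${i}].@odata.type is ${JSON.stringify(a["@odata.type"])}, expected ${ACTION_TYPE}`);
    }
    if (!a.claims || typeof a.claims !== "object") problems.push(`actions[${i}].claims is missing`);
  });
  return problems;
}

// Constructed sample: the question's response (tokenIssuanceStart.* action type, no header).
const questionResponse: HttpResponseLike = { body: { data: { "@odata.type": DATA_TYPE, actions: [
  { "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken", claims: { customRoles: ["Writer", "Editor"] } },
] } } };
```

The accepted answer's response passes with no problems, while the question's response is reported twice: once for the missing header and once for the action type.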

Answer (score 0)

It worked for me without any issues by using the below code and connecting to Application Insights; this successfully executed, and I am able to see the logs in Application Insights.

This error occurs while trying to authenticate with Azure Active Directory.
There can be various reasons, such as invalid credentials, incorrect configuration, or network issues.

To fix this error:

  • Verify that the credentials you are using to authenticate are valid.
  • Verify that the configurations are correct.
  • Check for API errors.

TypeScript code:

import { ApplicationInsights } from '@microsoft/applicationinsights-web';

const appInsights = new ApplicationInsights({
    config: {
        instrumentationKey: 'key',
    },
});
appInsights.loadAppInsights();

try {
    // Deliberately throws, so that the exception is sent to Application Insights.
    const result = someUndefinedVariable.undefinedFunction();
} catch (error) {
    appInsights.trackException({ exception: error as Error });
}

The exception logs in Application insights as shown below.


Answer (score 0)

@Christian Jendeberg's answer is correct. This is how I modified it for a C# solution; I was getting error AADSTS1100001 when following the implementation in this link: https://learn.microsoft.com/en-gb/entra/identity-platform/custom-extension-attribute-collection?tabs=start-continue%2Csubmit-continue

The issue is in the headers and content type being returned.

using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

public class Function1
{
    private readonly ILogger<Function1> _logger;

    public Function1(ILogger<Function1> logger)
    {
        _logger = logger;
    }

    [Function("CreateData")]
    public async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequest req)
    {
        _logger.LogInformation("C# HTTP trigger function processed a request.");

        _logger.LogInformation("REQUEST");

        // Single action: let the attribute-collection submit continue with default behavior.
        var actions = new List<ContinueWithDefaultBehavior>{
            new ContinueWithDefaultBehavior { type = "microsoft.graph.attributeCollectionSubmit.continueWithDefaultBehavior"}
        };

        var dataObject = new Data
        {
            type = "microsoft.graph.onAttributeCollectionSubmitResponseData",
            actions = actions
        };

        ResponseObject response = new()
        {
            data = dataObject
        };

        _logger.LogInformation("END");

        // Serialize with Newtonsoft so the "@odata.type" property names are emitted exactly,
        // and force the application/json content type.
        return new JsonNetActionResult(response);
    }

    public class JsonNetActionResult : ActionResult
    {
        public Object Data { get; private set; }

        public JsonNetActionResult(Object data)
        {
            this.Data = data;
        }

        // Override the async path so the body write is awaited rather than left as a
        // fire-and-forget task.
        public override async Task ExecuteResultAsync(ActionContext context)
        {
            context.HttpContext.Response.ContentType = "application/json";
            await context.HttpContext.Response.WriteAsync(JsonConvert.SerializeObject(Data));
        }
    }

    public class ResponseObject
    {
        public Data data { get; set; }
    }

    [JsonObject]
    public class Data
    {
        [JsonProperty("@odata.type")]
        public string type { get; set; }
        public List<ContinueWithDefaultBehavior> actions { get; set; }
    }

    [JsonObject]
    public class ContinueWithDefaultBehavior
    {
        [JsonProperty("@odata.type")]
        public string type { get; set; }

        public string message { get; set; }
    }
}