This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

CLI unable to interact with deployed OneFuzz #139

Closed
Sinderella opened this issue Oct 13, 2020 · 14 comments

@Sinderella

Information

  • Onefuzz version: 1.3.1
  • OS: Ubuntu 20.04 docker container on macOS

Provide detailed reproduction steps (if any)

  1. Deploy onefuzz by using deploy.py, following https://github.com/microsoft/onefuzz/blob/main/docs/getting-started.md
  2. Configure the onefuzz CLI with the endpoint, authority, and client id returned by deploy.py
  3. Check the version using the following command
     $ onefuzz versions check --exact -v
  4. Open https://microsoft.com/devicelogin and enter the code to log in

Expected result

Authenticated and be able to interact with onefuzz using the CLI.

Actual result

After logging in successfully, I received the following message from the login portal and the CLI doesn't return.

AADSTS500113: No reply address is registered for the application.

@chkeita
Contributor

chkeita commented Oct 13, 2020

Can you please confirm that no redirectUris are defined for your instance?
In the Azure portal, navigate to Azure Active Directory > App registrations > select your instance name in the list > Authentication

and verify that a redirect URI is defined under the Web section.

If not, please add the following entry: https://<your_instance_name>.azurewebsites.net/.auth/login/aad/callback
and try using the CLI again. It might take a couple of minutes to take effect.

@Sinderella
Author

Sinderella commented Oct 13, 2020

Thank you for your response!
There are 2 apps registered after deployment, one has the URL you mentioned and the other (onefuzz-cli) doesn't. I added it and now it went through. However, it gave me the following error message instead in the CLI.

ERROR:cli:traceback: Traceback (most recent call last):
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/cli.py", line 511, in execute_api
ERROR:cli:traceback:     result = call_func(args.func, args)
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/cli.py", line 72, in call_func
ERROR:cli:traceback:     return func(**myargs)
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/api.py", line 187, in check
ERROR:cli:traceback:     versions = self.onefuzz.info.get().versions
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/api.py", line 228, in get
ERROR:cli:traceback:     return self._req_model("GET", responses.Info)
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/api.py", line 72, in _req_model
ERROR:cli:traceback:     response = self.onefuzz._backend.request(
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/backend.py", line 196, in request
ERROR:cli:traceback:     headers = self.headers()
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/backend.py", line 110, in headers
ERROR:cli:traceback:     access_token = self.get_access_token()
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/backend.py", line 122, in get_access_token
ERROR:cli:traceback:     return self.device_login(scopes)
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/backend.py", line 179, in device_login
ERROR:cli:traceback:     check_msal_error(access_token, ["access_token"])
ERROR:cli:traceback:   File "/root/.local/share/virtualenvs/onefuzz-k70B3W7B/lib/python3.8/site-packages/onefuzz/backend.py", line 160, in check_msal_error
ERROR:cli:traceback:     raise Exception(
ERROR:cli:traceback: Exception: error: invalid_client
ERROR:cli:traceback: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
ERROR:cli:traceback: Trace ID: 84fe71c9-1ee6-4129-9b42-3153680c6b00
ERROR:cli:traceback: Correlation ID: da49a384-2873-45bd-a67f-da659e37a853
ERROR:cli:traceback: Timestamp: 2020-10-13 18:45:43Z
ERROR:cli:traceback:
ERROR:cli:command failed: error: invalid_client
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

@chkeita
Contributor

chkeita commented Oct 13, 2020

The onefuzz-cli application registration seems to be misconfigured. Can you follow these steps to delete it and redeploy?

  1. Navigate to your instance registration page (see above) > Expose an API. Clear the list of authorized applications
  2. Delete the onefuzz-cli application
  3. Redeploy

The expected configuration should look like this, with a redirect URI specified (the authentication type should be Mobile and desktop applications).

@Sinderella
Author

There wasn't any authorized application in onefuzz-cli, but there was one in the other. I deleted it and both of the application registrations, then redeployed them. I still have to add that redirect URL as you mentioned previously. Sadly, it's giving me the same error message.
I apologise if the issue is obvious, but I am not familiar with Azure so please bear with me.

@chkeita
Contributor

chkeita commented Oct 13, 2020

No worries, it is very likely that the deployment script has a bug when creating the registration. I am just trying to narrow it down.
Can you try adding to the onefuzz-cli authentication configuration:

  1. Navigate to the registration for onefuzz-cli > Authentication
  2. Click Add platform > select Mobile and desktop applications
  3. Set https://<your_instance_name>.azurewebsites.net as the custom redirect
  4. Retry using the CLI

@Sinderella
Author

It is still giving me the same error messages.

@chkeita
Contributor

chkeita commented Oct 13, 2020

Can you also check on the same page that "Treat application as a public client" is enabled?

@Sinderella
Author

That was disabled; enabling it doesn't seem to help either.

@Sinderella
Author

I changed allowPublicClient to true in onefuzz-cli's Manifest menu and it works! Now, I can interact with onefuzz. However, I face other issues, for which I might raise an issue if I cannot fix them myself.

I wonder if I should leave this issue open to track the bug with deploy script.

@chkeita
Contributor

chkeita commented Oct 14, 2020

This is weird. The setting for "Treat application as a public client" and "allowPublicClient" in the manifest are the same,
and we set that value during the deployment here.
I tried a fresh deployment and could not repro this issue. I am wondering if this could be due to a permissions problem.
Is this your personal Azure subscription? Are you an admin on that subscription?

@Sinderella
Author

Hmm, this is truly weird. I will try reverting the changes tomorrow to see what it did and post some updates here.

This was my organisation subscription, but I have all the permissions listed here. https://github.com/microsoft/onefuzz/blob/main/src/deployment/deployment-role.json

I will also try it on my personal one to see if it's just my organisation.

@Sinderella
Author

The setting "Treat application as a public client" indeed does change "allowPublicClient" to "true", I probably forgot to click save when I first tried.

@bmc-msft
Contributor

Given your other issue #173, I take it this issue has been addressed.

@Sinderella, please reopen this issue if it persists.

@Sinderella
Author

@bmc-msft, yep, the issue is fixed for me, but the deployment script still requires fixes for those extra steps as far as I understand. Unless I did something wrong and you cannot reproduce it?
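
The two misconfigurations this thread ran into, written as a check over an exported app registration manifest. This is an added example, not part of the original discussion or OneFuzz's own code; both manifests are constructed, and the `replyUrlsWithType` key and its `InstalledClient` type are assumed from the Azure AD app manifest format (only `allowPublicClient` is named in the thread).

```python
import json

# Constructed manifest excerpts, not taken from the thread. "allowPublicClient"
# is the key named in the thread; "replyUrlsWithType" and its "InstalledClient"
# type are assumed from the Azure AD app manifest format.
BROKEN = json.loads("""{
  "displayName": "onefuzz-cli",
  "allowPublicClient": null,
  "replyUrlsWithType": []
}""")

FIXED = json.loads("""{
  "displayName": "onefuzz-cli",
  "allowPublicClient": true,
  "replyUrlsWithType": [
    {"url": "https://<your_instance_name>.azurewebsites.net",
     "type": "InstalledClient"}
  ]
}""")


def check_device_login(manifest):
    """Return (error_code, finding) pairs for the two failures in the thread."""
    findings = []
    reply_urls = manifest.get("replyUrlsWithType") or []
    if not reply_urls:
        findings.append(("AADSTS500113", "no redirect URI is registered"))
    elif not any(r.get("type") == "InstalledClient" for r in reply_urls):
        findings.append(("platform", "no 'Mobile and desktop applications' "
                         "redirect URI; only other platform types found"))
    # Device login sends no secret, so anything but an explicit true
    # (false, null, or a missing key) is reported.
    if manifest.get("allowPublicClient") is not True:
        findings.append(("AADSTS7000218", "allowPublicClient is not true; "
                         "token request is asked for a client secret"))
    return findings


if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_device_login(manifest) or "ok")
```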

@ghost ghost locked as resolved and limited conversation to collaborators Nov 20, 2020