
Creating Applications with Federated Credentials results in duplicate App Registrations #741

Open
Benmartin92 opened this issue Jul 5, 2024 · 5 comments

Benmartin92 commented Jul 5, 2024

Describe the bug

I am trying to create an App Registration via GraphServiceClient with a Federated Credential:

```go
package graphapp

import (
	"context"

	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
)

// Client wraps an authenticated GraphServiceClient (construction omitted in the report).
type Client struct {
	graphClient *msgraphsdk.GraphServiceClient
}

// CreateServicePrincipal creates an App Registration with a federated identity credential
// embedded in the POST body and returns the application (client) ID.
func (c *Client) CreateServicePrincipal() (string, error) {
	appRequestBody := graphmodels.NewApplication()
	name := "ben-test-123"
	appRequestBody.SetDisplayName(&name)
	// The credential is sent inline as part of the application object
	federatedCredential := graphmodels.NewFederatedIdentityCredential()
	issuer := "https://my-issuer.com/oidc"
	federatedCredential.SetIssuer(&issuer)
	audience := "123"
	federatedCredential.SetAudiences([]string{audience})
	sub := "123"
	federatedCredential.SetSubject(&sub)
	fname := "test"
	federatedCredential.SetName(&fname)
	appRequestBody.SetFederatedIdentityCredentials([]graphmodels.FederatedIdentityCredentialable{federatedCredential})
	applications, err := c.graphClient.Applications().Post(context.Background(), appRequestBody, nil)
	if err != nil {
		return "", err
	}
	return *applications.GetAppId(), nil
}
```

Executing this code results in an error returned by graphClient: Encountered an internal server error. What is more interesting is that even though the client returned an error, the App Registration is created two times with the same name (the Federated Credential is populated fine in both instances).

Simply commenting out the line:

```go
appRequestBody.SetFederatedIdentityCredentials([]graphmodels.FederatedIdentityCredentialable{federatedCredential})
```

and executing the code again works as expected: a single instance of App Registration (obviously without the Federated Credential) is created and client returns nil error.

Therefore, I strongly suspect that this issue is related to how Federated Credentials are handled in App Registrations.

Expected behavior

The expected behaviour is that only a single instance is created with the Federated Credentials populated. The graphClient should return a nil error, and CreateServicePrincipal() should return the Application (client) ID.

How to reproduce

Just execute the above sample code.

SDK Version

v1.45.0

Latest version known to work for scenario above?

No response

Known Workarounds

I tried to work around the issue by first creating the application without Federated Credentials and then patching it with Federated Credentials. However, the patch request with Federated Credentials fails with the same error, Encountered an internal server error, and the Federated Credential was not added to the App Registration.

Debug output



Configuration

Apple M1 Pro running OS version 14.5 (23F79), with Go version 1.21.

Other information

No response
@Benmartin92 Benmartin92 added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Jul 5, 2024
rkodev (Contributor) commented Jul 12, 2024

Hi @Benmartin92, thanks for using the Graph Go SDK. Could you attempt to create the application using Graph Explorer and tell me if you are getting the same issue?

@rkodev rkodev added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Jul 12, 2024
Benmartin92 (Author) commented

Yes, same result:

```http
POST https://graph.microsoft.com/v1.0/applications
{
    "displayName": "ben-test-from-graph",
    "federatedIdentityCredentials": [
        {
            "name": "testing02",
            "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
            "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
            "audiences": [
                "api://AzureADTokenExchange"
            ]
        }
    ]
}
```

Response:

```json
{
    "error": {
        "code": "Service_InternalServerError",
        "message": "Encountered an internal server error.",
        "innerError": {
            "date": "2024-07-15T11:19:12",
            "request-id": "0052f707-4236-4bbd-8f94-ec7fb79bc68a",
            "client-request-id": "9333bbd5-1592-63e9-5708-80a230c35d33"
        }
    }
}
```

I also see the two instances created in Azure Portal with the Federated Credential.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Jul 15, 2024
Benmartin92 (Author) commented

I also opened a support ticket with Azure.

They told me using federatedIdentityCredentials in a POST request is not supported as per the documentation. But they also acknowledged the strange behavior and they saw my request generated several errors on their backend.

Generally, for unsupported properties, I should get Bad Request, see below:

```http
POST https://graph.microsoft.com/v1.0/applications
{
    "displayName": "ben-test-from-graph",
    "foo": {}
}
```

```json
{
    "error": {
        "code": "Request_BadRequest",
        "message": "Invalid property 'foo'.",
        "innerError": {
            "date": "2024-07-16T13:45:51",
            "request-id": "3c8b6586-612d-45cd-b16e-07bb93c35e16",
            "client-request-id": "25a71a0a-5267-a5bc-9edb-d2db813f4beb"
        }
    }
}
```

Now, I am not totally convinced if this is an SDK (for using an undocumented JSON property) or an MS Graph API (for allowing the undocumented JSON property, and producing strange behavior that clearly depends on the property) issue.

rkodev (Contributor) commented Jul 17, 2024

Hi @Benmartin92, as noted this is a service error and not an SDK error. In order to support the community, could you share the link to the issue here? Then you can also close this issue.

Benmartin92 (Author) commented

@rkodev Not really, as I mentioned federatedIdentityCredentials is not officially supported, so the SDK shouldn't use it in application requests. This is an issue that must be addressed, either in the SDK or in the API.

However, Azure support does not want to resolve the issue on their end, see their reply:

Hello Ben,
Hope you are doing well.

I’ve been discussing further with my team, and they confirmed that from our documentation federatedcredential is not a property of the application object so it’s not supposed to create an app with federatedcredential also on MS Graph SDK.

FederatedCredential is a different object that has relationship to the Application object.
Hence, you must create an application object first and then create the federatedcredential object.

Do not hesitate in reaching out to me if you have any additional questions related to this support topic – otherwise, if you have no follow-up questions, kindly let me know if we can proceed to archiving the case.
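The two-step sequence support describes (create the application, then POST the credential to its federatedIdentityCredentials relationship), as an added example that is not code from the issue or from the SDK. It uses plain net/http rather than the Go SDK so it can be exercised against a local test server; baseURL, token and the exact shape of the Graph responses are assumed, and the credential body uses the name/issuer/subject/audiences fields shown in the thread.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)

// CreateAppWithFIC creates the application first, then POSTs the credential body to
// /applications/{id}/federatedIdentityCredentials, the sequence support recommends.
// baseURL (e.g. https://graph.microsoft.com/v1.0) and token are assumed inputs. If the
// second step fails, the ids of the application that now exists are still returned so
// the caller can delete it or retry instead of leaving orphaned registrations behind.
func CreateAppWithFIC(ctx context.Context, hc *http.Client, baseURL, token, displayName string,
	fic map[string]any) (appID, objectID string, err error) {
	var app struct{ ID, AppID string } // encoding/json matches "id"/"appId" case-insensitively
	body := map[string]string{"displayName": displayName}
	if err := postJSON(ctx, hc, baseURL+"/applications", token, body, &app); err != nil {
		return "", "", fmt.Errorf("create application: %w", err)
	}
	url := baseURL + "/applications/" + app.ID + "/federatedIdentityCredentials"
	if err := postJSON(ctx, hc, url, token, fic, &struct{}{}); err != nil {
		return app.AppID, app.ID, fmt.Errorf("add credential to %s: %w", app.ID, err)
	}
	return app.AppID, app.ID, nil
}

// postJSON sends body as JSON with a bearer token, requires 201 Created and decodes
// the response into out.
func postJSON(ctx context.Context, hc *http.Client, url, token string, body, out any) error {
	buf, _ := json.Marshal(body) // maps and structs of strings cannot fail to marshal
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(buf))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := hc.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return fmt.Errorf("POST %s: %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
```

Because the first POST can succeed while the second fails (the half-created state this issue reports), the caller should treat a non-nil error together with a non-empty objectID as "application exists, credential missing" and reconcile rather than blindly re-run the whole function.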
