[Feature Request] Friendly hint for a typical oidc_authority error

[rayluo]

MSAL client type

Confidential

Problem statement

In our own web app testing, we sometimes forgot to append the /v2.0 suffix to a CIAM CUD oidc_authority, and ended up with a cryptic error message, "AADSTS500207: The account type can't be used for the resource you're trying to access". This may become an FAQ and a frequent source of customer support requests.

Proposed solution

We may add a hint into the error object/message returned by MSAL:

'Did you forget to append "/v2.0" to your oidc_authority? '

so that a full error page in a web app may look like this:

Login Failure

invalid_request
Did you forget to append "/v2.0" to your oidc_authority? AADSTS500207: The account type can't be used for the resource you're trying to access. Trace ID: e4568f2b-f5b3-4e5e-b766-e7689b180000 Correlation ID: 765569d0-7583-45ec-93f1-69d6095164a4 Timestamp: 2024-03-21 03:17:17Z

More implementation details are available in this PR in MSAL Python.

Alternatives

We could document the importance of "remember to append /v2.0 when using a CIAM custom url domain", but such a small piece of information would typically buried deep in the documentation and receives no attention.

[fendorio]

Can confirm that I have just spent almost 3 hours trying to find the root cause of this - not helped by the fact that this is the first time I was using Entra external ID.