[BUG] [MSAL] Regression in ManagedIdentityCredential: CredentialUnavailableException no longer thrown for invalid json responses #47470

Closed
kevinwedwards opened this issue Dec 9, 2024 · 7 comments · Fixed by #47753
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

kevinwedwards commented Dec 9, 2024

Library name and version

Azure.Identity 1.13.0 (and 1.13.1)

Describe the bug

I believe bug #37409 may have been reintroduced in 1.13.0 (and still in 1.13.1).

In our situation, our corporate proxy is returning HTML, and if it's like #37409, the managed ID client is attempting to parse the response back as JSON, IIRC from the previous bug.

Expected behavior

When running locally, I'd expect this to fail through from ManagedID to AzureCliCredential:

    new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential()),

Code works fine in 1.12.1, fails in 1.13.x.

Actual behavior

Microsoft.Identity.Client.MsalServiceException is being thrown, I believe, because the HTML message returned from our corporate proxy isn't able to be successfully parsed (as JSON?).

Reproduction Steps

Run locally with a proxy or something that will return HTML vs JSON.

Environment

No response

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 9, 2024

github-actions bot commented Dec 9, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@kevinwedwards
Author

@christothes if you're still on this team, you assisted with the issue in 1.9.

@christothes
Member

Hi @kevinwedwards -
Could you please provide the full stack trace of the exception?

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Dec 9, 2024

github-actions bot commented Dec 9, 2024

Hi @kevinwedwards. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Dec 9, 2024
@kevinwedwards
Author

	Message	"ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. The request failed due to a gateway error. [[HTML FROM PROXY]]
	Source	"Azure.Identity"	string
	StackTrace	"   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)\r\n   
	at Azure.Identity.ManagedIdentityCredential.<GetTokenImplAsync>d__18.MoveNext()\r\n   
	at System.Threading.Tasks.ValueTask`1.get_Result()\r\n   
	at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()\r\n   
	at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)\r\n   
	at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n   
	at Azure.Identity.ChainedTokenCredential.<GetTokenImplAsync>d__7.MoveNext()"	string
  •   TargetSite	{System.Exception FailWrapAndThrow(System.Exception, System.String, Boolean)}	System.Reflection.MethodBase {System.Reflection.RuntimeMethodInfo}
    

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Dec 9, 2024
@kevinwedwards
Author

    builder.Configuration.AddAzureKeyVault(
        new Uri(builder.Configuration[Constants.KeyVaultUrlKey]),
        new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential()),
        new AzureKeyVaultConfigurationOptions
        {
            ReloadInterval = TimeSpan.FromHours(Constants.KeyVaultReloadInterval)
        });

StackTrace from the code above:

    at Azure.Identity.ChainedTokenCredential.d__7.MoveNext()
    at System.Threading.Tasks.ValueTask`1.get_Result()
    at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
    at Azure.Identity.ChainedTokenCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.<SetResultOnTcsFromCredentialAsync>d__9.MoveNext()
    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.<GetAuthHeaderValueAsync>d__6.MoveNext()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.d__19.MoveNext()
    at System.Threading.Tasks.ValueTask`1.get_Result()
    at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.d__6.MoveNext()
    at System.Threading.Tasks.ValueTask`1.get_Result()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
    at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context)
    at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.d__11.MoveNext()
    at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
    at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallenge(HttpMessage message)
    at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.d__14.MoveNext()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
    at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.RedirectPolicy.d__7.MoveNext()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
    at Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.RetryPolicy.d__5.MoveNext()
    at Azure.Core.Pipeline.RetryPolicy.d__5.MoveNext()
    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
    at Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
    at Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken)
    at Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken)
    at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
    at Azure.Security.KeyVault.KeyVaultPipeline.GetPage[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken)
    at Azure.Security.KeyVault.Secrets.SecretClient.<>c__DisplayClass15_0.b__0(String nextLink)
    at Azure.Core.PageResponseEnumerator.<>c__DisplayClass0_0`1.<CreateEnumerable>b__0(String continuationToken, Nullable`1 pageSizeHint)
    at Azure.Core.PageResponseEnumerator.FuncPageable`1.<AsPages>d__2.MoveNext()
    at Azure.Pageable`1.d__8.MoveNext()
    at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
    at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
    at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
    at Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.AddAzureKeyVault(IConfigurationBuilder configurationBuilder, SecretClient client, AzureKeyVaultConfigurationOptions options)
    at Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.AddAzureKeyVault(IConfigurationBuilder configurationBuilder, Uri vaultUri, TokenCredential credential, AzureKeyVaultConfigurationOptions options)

@christothes
Member

Hi @kevinwedwards
This is due to an implementation change we made in version 1.13.x where we now delegate to the underlying MSAL dependency for ManagedIdentityCredential flows. I've opened up an issue in their repo so that we can devise an approach to fix this regression.

AzureAD/microsoft-authentication-library-for-dotnet#5016

In the meantime, you can get similar behavior as before using DefaultAzureCredential with the options configured to exclude all credentials except ManagedIdentityCredential and AzureCliCredential.

@christothes christothes changed the title [BUG] ManagedIdentity Failure [BUG] Regression in ManagedIdentityCredential: CredentialUnavailableException no longer thrown for invalid json responses Dec 10, 2024
@christothes christothes changed the title [BUG] Regression in ManagedIdentityCredential: CredentialUnavailableException no longer thrown for invalid json responses [BUG] [MSAL] Regression in ManagedIdentityCredential: CredentialUnavailableException no longer thrown for invalid json responses Dec 18, 2024
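
The workaround suggested in the maintainer's comment above, written out as an added example (not code from the issue thread or from the Azure SDK team). It assumes the `Exclude*` properties of `DefaultAzureCredentialOptions` as shipped in Azure.Identity 1.13.x; the configuration key names and the helper name `CreateManagedIdentityOrCliCredential` are hypothetical placeholders.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Microsoft.AspNetCore.Builder;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values standing in for the reporter's Constants class.
const string keyVaultUrlKey = "KeyVaultUrl";
const int keyVaultReloadIntervalHours = 1;

builder.Configuration.AddAzureKeyVault(
    new Uri(builder.Configuration[keyVaultUrlKey]!),
    CreateManagedIdentityOrCliCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        ReloadInterval = TimeSpan.FromHours(keyVaultReloadIntervalHours)
    });

builder.Build().Run();

// DefaultAzureCredential narrowed to the two credentials from the original
// ChainedTokenCredential. Every other credential in the default chain is
// excluded explicitly, so no unintended identity can be picked up.
static TokenCredential CreateManagedIdentityOrCliCredential()
{
    var options = new DefaultAzureCredentialOptions
    {
        // Left enabled: tried in this order by DefaultAzureCredential.
        ExcludeManagedIdentityCredential = false,
        ExcludeAzureCliCredential = false,

        // Everything else is switched off.
        ExcludeEnvironmentCredential = true,
        ExcludeWorkloadIdentityCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeInteractiveBrowserCredential = true
    };
    return new DefaultAzureCredential(options);
}
```

Setting the exclusions explicitly rather than relying on defaults keeps the set of identities that can satisfy a token request fixed across package upgrades.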