Client has refresh_token, but go-autorest returns error on refresh #435

Closed
Moeser opened this issue Jul 23, 2019 · 4 comments
Moeser commented Jul 23, 2019

See downstream issue at hashicorp/go-azure-helpers#22

The client is authenticating via cached azure cli credentials, which include the refresh token. On refresh, after an hour or so of runtime, the following error is returned: "Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token". That error appears to be coming from the go-autorest library here:

```go
return fmt.Errorf("Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token")
```

Is this a bug in go-autorest? Maybe that error should only be thrown if the refresh token is also not present?

Here's how the client is setting up the token:
https://github.com/hashicorp/go-azure-helpers/blob/e1c07bf7137ebb4c3ea824efa392ce8b2ecc7a63/authentication/auth_method_azure_cli_token.go#L71

@jhendrixMSFT
Member

Are you sure the refresh token is included? When I run the az command in obtainAuthorizationToken() no refresh token is returned.


Moeser commented Jul 25, 2019

Interesting, on double checking that az command, I don't see the refreshtoken either. If the refreshtoken were pulled in from another source (such as reading az's accessTokens.json or something) would refreshing be successful?

@jhendrixMSFT
Member

As long as the grant type isn't authorization code then yes it should work. See

```go
if spt.inner.Token.RefreshToken != "" {
	v.Set("grant_type", OAuthGrantTypeRefreshToken)
	v.Set("refresh_token", spt.inner.Token.RefreshToken)
	// web apps must specify client_secret when refreshing tokens
	// see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#refreshing-the-access-tokens
	if spt.getGrantType() == OAuthGrantTypeAuthorizationCode {
		err := spt.inner.Secret.SetAuthenticationValues(spt, &v)
		if err != nil {
			return err
		}
	}
} else {
```
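
The decision discussed in this thread, as an added stand-alone sketch that is not part of the original comments and is not go-autorest's code. The types `token` and `manualToken`, the function `refreshForm`, and the `client_secret` handling are hypothetical stand-ins; the path taken when no refresh token is present, which the excerpt above cuts off, is assumed to require secret material, consistent with the error quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical stand-ins for this sketch; they are not go-autorest's types.
type token struct{ AccessToken, RefreshToken string }

type manualToken struct {
	Token     token
	GrantType string // e.g. "authorization_code" or "client_credentials"
	Secret    string // empty models a manually created token with no secret
}

var errNoSecret = errors.New("Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token")

// refreshForm builds the form body for the token endpoint, following the
// branch quoted above: a refresh token wins; otherwise a secret is required
// (the second half is an assumption, see the lead-in).
func refreshForm(t manualToken) (url.Values, error) {
	v := url.Values{}
	if t.Token.RefreshToken != "" {
		v.Set("grant_type", "refresh_token")
		v.Set("refresh_token", t.Token.RefreshToken)
		// Only the authorization-code grant also needs the client secret.
		if t.GrantType != "authorization_code" {
			return v, nil
		}
	} else {
		v.Set("grant_type", t.GrantType)
	}
	if t.Secret == "" {
		return nil, errNoSecret
	}
	v.Set("client_secret", t.Secret)
	return v, nil
}

func main() {
	// Constructed sample: access token only, as the az command returned in this thread.
	_, err := refreshForm(manualToken{Token: token{AccessToken: "constructed-access"}, GrantType: "client_credentials"})
	fmt.Println("access token only:", err)
	// Constructed sample: refresh token supplied from some other source.
	v, err := refreshForm(manualToken{Token: token{AccessToken: "constructed-access", RefreshToken: "constructed-refresh"}, GrantType: "client_credentials"})
	fmt.Println("with refresh token:", v.Encode(), err)
}
```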


Moeser commented Jul 25, 2019

Thanks @jhendrixMSFT. Since this isn't looking like a bug in go-autorest, I'll close this issue out.

@Moeser Moeser closed this as completed Jul 25, 2019