[BUG]: AzureCliCredential does not work when proxy is running #356
Comments
|
Sorry to hear that you've had an issue @svrooij however thank you for reporting, lets see what the issue might be. Does the proxy show any output related to the request made to If you want to ensure that a URL is ignored you can prepend a URL with an exclamation mark in the |
|
It displays nothing.... And |
|
I had a hard time reproducing the issue at first. It seems that the Azure CLI does some caching, so once it has successfully got a token, it will provide that token for roughly 50 minutes. Hence the reason why you should first check that it does not work by running the proxy while running the code and then retry without the proxy running. The second time it works with and without the proxy running |
|
Thanks for the extra info. I wonder if you need to also configure the Azure CLI to use the proxy, similar to how we need state the proxy when you send a request via PowerShell. Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Proxy "http://localhost:8000"You can configure the Azure CLI to use a proxy by settings the below environment variables $env:HTTP_PROXY="http://localhost:8000"
$env:HTTPS_PROXY="http://localhost:8000" |
|
I have no way to control how it accesses the login endpoint, nor do I want to. Eventually it's using AzureCliCredentials This no longer functions when the proxy is running. Maybe because it also sets the proxy for the requests and then fails the certificate check. It should just leave all those requests alone. |
|
Thanks for the update @svrooij 👍 Looks like I've just had a similar issue with Teams Toolkit (see OfficeDev/teams-toolkit#10109) which might be related. When proxy is running ( I'll continue to investigate. |
|
@garrytrinder I suspect that it has something to do with certificate pinning. According to SSLLabs https://www.ssllabs.com/ssltest/analyze.html?d=login.microsoftonline.com&s=20.190.151.70&hideResults=on&ignoreMismatch=on Any decent client (which I expect the actual httpclient those authentication code things are using) WILL terminate the request if they spot a different CA then those defined. Security wise, this is a smart move, as it's an additional step that helps prevent men in the middle attacks. And because the proxy tries to intercept all https requests, anything talking to Would it be possible to not touch some requests by hostname? In that case it should be configurable and the login urls should be excluded by default. |
|
Dev Proxy is built on top of Titanium Web Proxy. That component should, at least as I understand it, be passing through the cert information for any domain that is not explicitly included in the set of hosts for which we're examining traffic. Here in the titanium code our OnBeforeTunnelConnectRequest implementation is being invoked. I'll take a deeper look at this case when I wrap up another set of work to see if I can find out any more. |
|
I just had a look at it, and what I've seen:
I'll dig some more into it. It's certainly intriguing |
🤣 Not only that it's in code that we both cannot control. |
|
If anything else, I'm interested if it's physics and we're stuck or if there's anything we can do about it |
Description
It seems that the AzureCliCredential in the
Azure.Identitynuget package. No longer works when the proxy is running.here is the code to validate.
Expected behaviour
I expected the proxy to only change http requests that are in the list and not http requests to other services, but is seems to somehow intercept all https requests.
Actual behaviour
It refuses to give me a token
Steps to reproduce
az loginif not logged in with the Azure CLI alreadyMicrosoft 365 Developer Proxy Version
0.11.1
Operating system (environment)
Windows
Shell
PowerShell
Additional Info
My best guess is that the Azure CLI is doing some sort of certificate pinning on the
login.microsoftonline.comendpoint but this is pure me guessing what the issue might be.The text was updated successfully, but these errors were encountered: