Azure / azure-cli

Azure Command-Line Interface
MIT License

Executing `az ad user update` fails. #24572

Open schuppo opened 1 year ago

schuppo commented 1 year ago

Describe the bug

Executing `az ad user update` fails. Additionally, using `--debug` confirms that the request headers don't contain the required Content-Type header:

cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.8 (macOS-12.6.1-x86_64-i386-64bit) AZURECLI/2.42.0 (HOMEBREW)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '955d0976-4c21-4fdb-b154-fe5592b76aed'
cli.azure.cli.core.util:     'CommandName': 'ad user update'
cli.azure.cli.core.util:     'ParameterSetName': '--id --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util:     'Content-Length': '0'

Command Name az ad user update

Errors:

Write requests (excluding DELETE) must contain the Content-Type header declaration.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

Environment Summary

macOS-12.6.1-x86_64-i386-64bit, Darwin 21.6.0
Python 3.10.8
Installer: HOMEBREW

azure-cli 2.42.0

Extensions:
account 0.2.3

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Additional Context

yonzhan commented 1 year ago

@jiasli for awareness

isaacrlevin commented 1 year ago

@yonzhan @jiasli I get this error trying to follow the steps in this doc

https://learn.microsoft.com/en-us/azure/deployment-environments/tutorial-deploy-environments-in-cicd-github

Most notably

az rest --method POST \
    --uri "https://graph.microsoft.com/beta/applications/$DEV_APPLICATION_ID/federatedIdentityCredentials" \
    --body '{"name":"ADEDev","issuer":"https://token.actions.githubusercontent.com","subject":"repo:< Organization/Repository >:environment:Dev","description":"Dev","audiences":["api://AzureADTokenExchange"]}'

When I substitute the params in the uri and body, I get this error message

Bad Request({"error":{"code":"BadRequest","message":"Write requests (excluding DELETE) must contain the Content-Type header declaration.","innerError":{"date":"2023-09-29T22:45:12","request-id":"01cf65c5-ae67-409d-b213-09a5ab8c5c08","client-request-id":"01cf65c5-ae67-409d-b213-09a5ab8c5c08"}}})

This did work recently, but I cannot see where the API changed that would cause this to fail.

isaacrlevin commented 1 year ago

I was able to get a version of this request to work in Postman using the same payload. Here is a full debug log of a request that fails. Looking at debug, it looks like the quotes are being stripped from the body, but that might be a logging-to-console thing.

Request

az rest --method POST --headers Content-Type=application/json --uri "https://graph.microsoft.com/beta/applications/4b289814-af59-426b-b002-b7fc183bf0ae/federatedIdentityCredentials" --body '{"audiences":["api://AzureADTokenExchange"],"description":"Dev","id":"7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c","issuer":"https://token.actions.githubusercontent.com","name":"ADEFoo","subject":"repo:isaacrlevin/ade-test:environment:Dev"}' --debug

Debug Log

cli.knack.cli: Command arguments: ['rest', '--method', 'POST', '--headers', 'Content-Type=application/json', '--uri', 'https://graph.microsoft.com/beta/applications/4b289814-af59-426b-b002-b7fc183bf0ae/federatedIdentityCredentials', '--body', '{audiences:[api://AzureADTokenExchange],description:Dev,id:7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c,issuer:https://token.actions.githubusercontent.com,name:ADEFoo,subject:repo:isaacrlevin/ade-test:environment:Dev}', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01BCA4A8>, <function OutputProducer.on_global_arguments at 0x01DCE6E8>, <function CLIQuery.on_global_arguments at 0x01DE8340>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'rest': ['azure.cli.command_modules.util']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: util                      0.012         3         7
cli.azure.cli.core: Total (1)                 0.012         3         7
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 3 groups, 7 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : rest
cli.azure.cli.core: Command table: rest
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03F9C580>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\v-isaaclevin\.azure\commands\2023-10-04.13-53-01.rest.18260.log'.
az_command_data_logger: command args: rest --method {} --headers {} --uri {} --body {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03FC47C0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03FD7730>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03FD7928>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01DCE730>, <function CLIQuery.handle_query_parameter at 0x01DE8388>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03FD78E0>]
cli.azure.cli.core.util: invalid syntax (<unknown>, line 1)
cli.azure.cli.core.util: invalid decimal literal (<unknown>, line 1)
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\v-isaaclevin\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\v-isaaclevin\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
cli.azure.cli.core.auth.binary_cache: save: C:\Users\v-isaaclevin\.azure\msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: C:\Users\v-isaaclevin\.azure\msal_http_cache.bin
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "GET /bdb4ac81-d976-473c-91d3-09cc2ca259c8/v2.0/.well-known/openid-configuration HTTP/1.1" 200 1753
cli.azure.cli.core.auth.binary_cache: save: C:\Users\v-isaaclevin\.azure\msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: C:\Users\v-isaaclevin\.azure\msal_http_cache.bin
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********.bdb4ac81-d976-473c-91d3-09cc2ca259c8', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: a124cc0a-72d1-4d69-b759-795dc54ff641
msal.application: Cache attempts an RT
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/token HTTP/1.1" 200 5044
msal.token_cache: event={
    "client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "data": {
        "claims": "{\"access_token\": {\"xms_cc\": {\"values\": [\"CP1\"]}}}",
        "refresh_token": "********",
        "scope": [
            "openid",
            "https://graph.microsoft.com//.default",
            "profile",
            "offline_access"
        ]
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "refresh_token",
    "params": null,
    "response": {
        "access_token": "********",
        "client_info": "eyJ1aWQiOiI4ZGNkN2Y5ZS02ZmY0LTQ5ZjItOWJiOS04YWVhODc1OTI5NGIiLCJ1dGlkIjoiYmRiNGFjODEtZDk3Ni00NzNjLTkxZDMtMDljYzJjYTI1OWM4In0",
        "expires_in": 86399,
        "ext_expires_in": 86399,
        "foci": "1",
        "id_token": "********",
        "scope": "email openid profile https://graph.microsoft.com//AuditLog.Read.All https://graph.microsoft.com//Directory.AccessAsUser.All https://graph.microsoft.com//Group.ReadWrite.All https://graph.microsoft.com//User.ReadWrite.All https://graph.microsoft.com//.default",
        "token_type": "Bearer"
    },
    "scope": [
        "email",
        "openid",
        "profile",
        "https://graph.microsoft.com//AuditLog.Read.All",
        "https://graph.microsoft.com//Directory.AccessAsUser.All",
        "https://graph.microsoft.com//Group.ReadWrite.All",
        "https://graph.microsoft.com//User.ReadWrite.All",
        "https://graph.microsoft.com//.default"
    ],
    "skip_account_creation": true,
    "token_endpoint": "https://login.microsoftonline.com/bdb4ac81-d976-473c-91d3-09cc2ca259c8/oauth2/v2.0/token"
}
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/beta/applications/4b289814-af59-426b-b002-b7fc183bf0ae/federatedIdentityCredentials'
cli.azure.cli.core.util: Request method: 'POST'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.10.10 (Windows-10-10.0.22621-SP0) AZURECLI/2.53.0 (MSI)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'x-ms-client-request-id': 'e0b33b56-224b-4f87-a921-8ed70945c2d5'
cli.azure.cli.core.util:     'CommandName': 'rest'
cli.azure.cli.core.util:     'ParameterSetName': '--method --headers --uri --body --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util:     'Content-Length': '209'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: {audiences:[api://AzureADTokenExchange],description:Dev,id:7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c,issuer:https://token.actions.githubusercontent.com,name:ADEFoo,subject:repo:isaacrlevin/ade-test:environment:Dev}
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "POST /beta/applications/4b289814-af59-426b-b002-b7fc183bf0ae/federatedIdentityCredentials HTTP/1.1" 400 None
cli.azure.cli.core.util: Response status: 400
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '6ece8f34-95b9-43ec-b948-5d6ef78cb0ea'
cli.azure.cli.core.util:     'client-request-id': '6ece8f34-95b9-43ec-b948-5d6ef78cb0ea'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"1","ScaleUnit":"003","RoleInstance":"CO1PEPF00004BEA"}}'
cli.azure.cli.core.util:     'Date': 'Wed, 04 Oct 2023 20:53:01 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2023-10-04T20:53:02","request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea","client-request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 24, in rest_call
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1010, in send_raw_request
azure.cli.core.azclierror.HTTPError: Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2023-10-04T20:53:02","request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea","client-request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea"}}})

cli.azure.cli.core.azclierror: Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2023-10-04T20:53:02","request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea","client-request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea"}}})
az_command_data_logger: Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2023-10-04T20:53:02","request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea","client-request-id":"6ece8f34-95b9-43ec-b948-5d6ef78cb0ea"}}})
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03F9C6A0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 2.415 seconds (init: 0.731, invoke: 1.684)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/__main__.py", line 62, in <module>
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/__main__.py", line 55, in <module>
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 123, in generate_payload
  File "json\__init__.py", line 238, in dumps
  File "json\encoder.py", line 199, in encode
  File "json\encoder.py", line 257, in iterencode
  File "json\encoder.py", line 179, in default
TypeError: Object of type HTTPError is not JSON serializable

telemetry.main: Split cli events and extra events failure: the JSON object must be str, bytes or bytearray, not NoneType

RoseHJM commented 11 months ago

Hi @yonzhan, @jiasli, Did anyone get a chance to investigate this issue? I'm the owner of the article @isaacrlevin linked & I'd like to make updates if any are necessary. Thank you!

jiasli commented 10 months ago

@schuppo, you need to specify at least one argument other than --id for az ad user update, but the error message indeed needs some refinement.

jiasli commented 10 months ago

@isaacrlevin, @RoseHJM, judging by the debug log:

'--body', '{audiences:[api://AzureADTokenExchange],description:Dev,id:7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c,issuer:https://token.actions.githubusercontent.com,name:ADEFoo,subject:repo:isaacrlevin/ade-test:environment:Dev}',

The value of the --body argument is corrupted because you are hitting a PowerShell quoting issue, please see

isaacrlevin commented 10 months ago

@jiasli I am not 100% sure why that is happening, I am following the guidance in that doc. Here is the body part of the request I am making

-body '{"audiences":["api://AzureADTokenExchange"],"description":"Dev","id":"7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c","issuer":"https://token.actions.githubusercontent.com","name":"ADEFoo","subject":"repo:isaacrlevin/ade-test:environment:Dev"}'

As you can see, I am wrapping the whole thing in single quotes, which should preserve the double quotes.

jiasli commented 10 months ago

@isaacrlevin, in PowerShell, even if the JSON is wrapped in single quotes ', you still need to escape the double quotes as \".
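
The quote stripping seen in the debug log and the `\"` fix can be reproduced offline. This is an added example, not part of the thread or of azure-cli: it assumes PowerShell hands the string to `az` without escaping embedded quotes and that the receiving process splits its command line with the Microsoft C runtime rules, which `split_windows_cmdline` models in simplified form; `diagnose` and `escape_for_powershell` are hypothetical helper names.

```python
import json

# Body exactly as typed in the thread's failing `az rest` call.
BODY = ('{"audiences":["api://AzureADTokenExchange"],"description":"Dev",'
        '"id":"7c6f8736-e5e1-4f3a-a7ab-d4823e2a8d6c",'
        '"issuer":"https://token.actions.githubusercontent.com",'
        '"name":"ADEFoo","subject":"repo:isaacrlevin/ade-test:environment:Dev"}')


def split_windows_cmdline(cmdline):
    """Split a command line the way the Microsoft C runtime fills argv.

    Simplified model: the special case of "" inside a quoted run is omitted.
    """
    args, cur, in_quotes, started = [], [], False, False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (run // 2))   # 2n or 2n+1 backslashes -> n
                if run % 2:
                    cur.append('"')             # odd run: \" is a literal quote
                else:
                    in_quotes = not in_quotes   # even run: quote is a delimiter
                j += 1
            else:
                cur.append("\\" * run)          # backslashes not before a quote
            started, i = True, j
        elif ch == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(ch)
            started, i = True, i + 1
    if started:
        args.append("".join(cur))
    return args


def escape_for_powershell(body):
    # The fix from the thread: write each double quote as backslash + quote.
    return body.replace('"', '\\"')


def diagnose(ps_value):
    """Return (body that az receives, whether it is valid JSON)."""
    # Assumption: the value has no whitespace, so PowerShell adds no outer quotes.
    argv = split_windows_cmdline("az rest --method POST --body " + ps_value)
    received = argv[argv.index("--body") + 1]
    try:
        json.loads(received)
        return received, True
    except json.JSONDecodeError:
        return received, False
```

Under this model the unescaped body arrives as the same 209-character string the debug log prints for `--body`, which is why Graph rejects it as unreadable JSON even though the Content-Type header is set.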