Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure Stack support for "az account get-access-token" #24866

Open antkmsft opened 1 year ago

antkmsft commented 1 year ago

I would expect to get an ADFS token with the following command line:

az account get-access-token --output json --resource "https://vault.azure.net/" --tenant "adfs"

Currently I get:

The command failed with an unexpected error. Here is the traceback:
Unable to get authority configuration for https://login.microsoftonline.com/adfs. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/authority.py", line 120, in __init__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/authority.py", line 184, in tenant_discovery
ValueError: OIDC Discovery endpoint rejects our request. Error: {"error":"invalid_tenant","error_description":"AADSTS90002: Tenant 'adfs' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.\r\nTrace ID: 3105d434-64b0-46e5-af51-1c629b2d7501\r\nCorrelation ID: 4a459b09-3019-4a3d-8d97-e6e23d744379\r\nTimestamp: 2022-12-10 18:54:15Z","error_codes":[90002],"timestamp":"2022-12-10 18:54:15Z","trace_id":"3105d434-64b0-46e5-af51-1c629b2d7501","correlation_id":"4a459b09-3019-4a3d-8d97-e6e23d744379","error_uri":"https://login.microsoftonline.com/error?code=90002"}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 66, in get_access_token
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 382, in get_raw_token
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 592, in _create_credential
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 225, in get_user_credential
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_authentication.py", line 45, in __init__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1685, in __init__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 533, in __init__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/authority.py", line 124, in __init__
ValueError: Unable to get authority configuration for https://login.microsoftonline.com/adfs. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.

yonzhan commented 1 year ago

@jiasli for awareness

jiasli commented 1 year ago

We do support Azure Stack.

According to the error message:

Unable to get authority configuration for https://login.microsoftonline.com/adfs. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.

AADSTS90002: Tenant 'adfs' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.

It looks like your activeDirectory endpoint is set to https://login.microsoftonline.com/adfs, which is not correct as the domain is Azure Cloud. An ADFS endpoint usually looks like https://adfs.redmond.azurestack.corp.microsoft.com/adfs.

Could you share the result of az cloud show?

@rayluo for awareness.
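
The check suggested in the reply above, written out as an added example (it is not part of the thread and not azure-cli's own code): it reads `endpoints.activeDirectory` from `az cloud show` output and reports when the `adfs` tenant is being requested against a public sign-in host. The function name, the host list, the `/adfs` path heuristic and the sample JSON are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Public Microsoft Entra ID (Azure AD) sign-in hosts. An ADFS authority is
# served by the Azure Stack deployment itself, not by one of these hosts.
ENTRA_HOSTS = {"login.microsoftonline.com", "login.microsoftonline.us",
               "login.chinacloudapi.cn"}

def diagnose_authority(cloud_show_json, tenant):
    """Return 'ok' or a short reason why `tenant` cannot resolve on this cloud."""
    cloud = json.loads(cloud_show_json)
    endpoint = (cloud.get("endpoints") or {}).get("activeDirectory")
    if not endpoint:
        return "missing: endpoints.activeDirectory is not set"
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return "invalid: activeDirectory must be an https URL"
    host = parts.hostname.lower()
    # Heuristic taken from the reply: an ADFS endpoint usually ends in /adfs.
    endpoint_is_adfs = parts.path.rstrip("/").lower().endswith("/adfs")
    wants_adfs = tenant.lower() == "adfs"
    if wants_adfs and host in ENTRA_HOSTS:
        return f"mismatch: tenant 'adfs' requested but {host} is an Entra ID host"
    if wants_adfs and not endpoint_is_adfs:
        return "mismatch: tenant 'adfs' requested but endpoint path is not /adfs"
    return "ok"

# Constructed samples shaped like `az cloud show` output (only the field used here).
PUBLIC_CLOUD = json.dumps({"name": "AzureCloud", "endpoints": {
    "activeDirectory": "https://login.microsoftonline.com"}})
STACK_CLOUD = json.dumps({"name": "ExampleStack", "endpoints": {
    "activeDirectory": "https://adfs.redmond.azurestack.corp.microsoft.com/adfs"}})

if __name__ == "__main__":
    for label, cloud in (("public", PUBLIC_CLOUD), ("stack", STACK_CLOUD)):
        print(label, "->", diagnose_authority(cloud, "adfs"))
```

Running it against the active cloud before requesting a token shows whether the request would be sent to the public cloud's authority instead of the Azure Stack one.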