Azure / azure-cli

Azure Command-Line Interface
MIT License

Az login with WAM failed in 21vianet Azure #27319

Open sscchh2001 opened 11 months ago

sscchh2001 commented 11 months ago

Describe the bug

Az login with WAM failed in 21vianet Azure. AAD reported:

AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46' specified in the request does not match the redirect URIs configured for the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Trace ID: f7931ed6-bd70-46ec-a49a-4c13e37b7101
Correlation ID: c2c30685-981c-478d-bcdd-bc64f15bfce6
Timestamp: 2023-09-05 08:08:49Z

Unlike in the public cloud, the redirect URI ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46 was not configured for Az CLI's first-party application 04b07795-8ddb-461a-bbee-02f9e1bf7b46 in 21v Azure, which caused this issue.

Related command

az config set core.allow_broker=true
az account clear
az cloud set -n AzureChinaCloud
az login

Errors

AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46' specified in the request does not match the redirect URIs configured for the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Trace ID: f7931ed6-bd70-46ec-a49a-4c13e37b7101
Correlation ID: c2c30685-981c-478d-bcdd-bc64f15bfce6
Timestamp: 2023-09-05 08:08:49Z

Issue script & Debug output

az login --tenant "" --debug
cli.knack.cli: Command arguments: ['login', '--tenant', '', '--debug']
cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x000001F419EA5240>, <function OutputProducer.on_global_arguments at 0x000001F419FF3EB0>, <function CLIQuery.on_global_arguments at 0x000001F41A23D240>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.006 2 9
cli.azure.cli.core: Total (1) 0.006 2 9
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 9 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000001F41C970430>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\.azure\commands\2023-09-05.16-08-43.login.35700.log'.
az_command_data_logger: command args: login --tenant {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000001F41C9730A0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000001F41C9BD090>, <function register_cache_arguments..add_cache_arguments at 0x000001F41C9BD1B0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000001F419FF3F40>, <function CLIQuery.handle_query_parameter at 0x000001F41A23D2D0>, <function register_ids_argument..parse_ids_arguments at 0x000001F41C9BD120>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.chinacloudapi.cn//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.chinacloudapi.cn//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.partner.microsoftonline.cn//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://microsoftgraph.chinacloudapi.cn/oidc/userinfo', 'authorization_endpoint': 'https://login.chinacloudapi.cn//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.chinacloudapi.cn//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.chinacloudapi.cn//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.chinacloudapi.cn//kerberos', 'tenant_region_scope': 'AS', 'cloud_instance_name': 'partner.microsoftonline.cn', 'cloud_graph_host_name': 'graph.chinacloudapi.cn', 'msgraph_host': 'microsoftgraph.chinacloudapi.cn', 'rbac_url': 'https://pas.chinacloudapi.cn'}
msal.application: Broker enabled? True
msal.application: Falls back to broker._signin_interactively()
cli.azure.cli.core.auth.identity: Please select the account you want to log in with.
msal.broker: [MSAL:0001] INFO SetCorrelationId:220 Set correlation ID: c2c30685-981c-478d-bcdd-bc64f15bfce6
msal.broker: [MSAL:0001] INFO ExecuteInteractiveRequest:804 The original authority is 'https://login.chinacloudapi.cn/954ddad8-66d7-47a8-8f9f-1316152d9587'
msal.broker: [MSAL:0001] INFO ExecuteInteractiveRequest:815 The normalized realm is ''
msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:208 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:208 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:225 Authority Realm: 954ddad8-66d7-47a8-8f9f-1316152d9587
msal.broker: [MSAL:0002] WARNING ReadAccountById:225 Account id is empty - account not found
msal.broker: [MSAL:0003] ERROR ErrorInternalImpl:134 Created an error: 7q6ck, StatusInternal::ApiContractViolation, InternalEvent::None, Error Code 3399614473, Context '(pii)'
msal.broker: [MSAL:0003] INFO LogTelemetryData:332 Printing Telemetry for Correlation ID: c2c30685-981c-478d-bcdd-bc64f15bfce6
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: start_time, Value: 2023-09-05T08:08:43.000Z
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_name, Value: SignInInteractively
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: was_request_throttled, Value: false
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: authority_type, Value: Unknown
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: msal_version, Value: 1.1.0+local
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_status_code, Value: StatusInternal::ApiContractViolation
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: client_id, Value: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: correlation_id, Value: c2c30685-981c-478d-bcdd-bc64f15bfce6
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: stop_time, Value: 2023-09-05T08:08:49.000Z
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: all_error_tags, Value: 7q6ck
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: msalruntime_version, Value: 0.13.12
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: original_authority, Value: https://login.chinacloudapi.cn/954ddad8-66d7-47a8-8f9f-1316152d9587
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: request_eligible_for_broker, Value: true
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: broker_app_used, Value: true
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: additional_query_parameters_count, Value: 2
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: read_token_last_error, Value: missing required parameter
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: ui_event_count, Value: 1
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: wam_telemetry, Value: {"x_ms_clitelem":"1,50011,0,3281954.728,","ui_visible":false,"server_error_code":50011,"scope":"profile https://management.core.chinacloudapi.cn//.default offline_access openid","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46","provider_id":"https://login.windows.net","oauth_error_code":"invalid_client","http_status":400,"http_event_count":3,"device_join":"haadj","correlation_id":"{c2c30685-981c-478d-bcdd-bc64f15bfce6}","client_id":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","cache_event_count":0,"broker_version":"10.0.19041.3393","authority":"https://login.partner.microsoftonline.cn/","api_error_code":-895352823,"account_join_on_start":"secondary","account_join_on_end":"secondary","silent_code":3399614473,"silent_bi_sub_code":0,"silent_message":"AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46' specified in the request does not match the redirect URIs configured for the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.\r\nTrace ID: f7931ed6-bd70-46ec-a49a-4c13e37b7101\r\nCorrelation ID: c2c30685-981c-478d-bcdd-bc64f15bfce6\r\nTimestamp: 2023-09-05 08:08:49Z","silent_mats":{"x_ms_clitelem":"1,50011,0,3281954.728,","ui_visible":false,"server_error_code":50011,"scope":"profile https://management.core.chinacloudapi.cn//.default offline_access openid","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46","provider_id":"https://login.windows.net","oauth_error_code":"invalid_client","http_status":400,"http_event_count":3,"device_join":"haadj","correlation_id":"{c2c30685-981c-478d-bcdd-bc64f15bfce6}","client_id":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","cache_event_count":0,"broker_version":"10.0.19041.3393","authority":"https://login.partner.microsoftonline.cn/","api_error_code":-895352823,"account_join_on_start":"secondary","account_join_on_end":"secondary"},"silent_status":5,"is_cached":0}
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: authorization_type, Value: Interactive
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_error_code, Value: 3399614473
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_error_tag, Value: 7q6ck
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_error_context, Value: (pii)
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: is_successful, Value: false
msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: request_duration, Value: 5991
msal.broker: [MSAL:0003] INFO LogTelemetryData:345 Printing Execution Flow:
msal.broker: [MSAL:0003] INFO LogTelemetryData:353 {"t":"646u1","tid":1,"ts":0,"l":2},{"t":"8dqkl","tid":1,"ts":45,"l":2,"a":9,"ie":0},{"t":"54uxe","tid":1,"ts":57,"l":2},{"t":"4wqm9","tid":3,"ts":4419,"l":2},{"t":"8dqkn","tid":3,"ts":5985,"l":2,"a":5,"ie":1},{"t":"8dqko","tid":3,"ts":5985,"l":2,"a":9,"ie":1},{"t":"646u1","tid":3,"ts":5985,"l":2}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 154, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 159, in login_with_auth_code
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 139, in check_result
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 43, in aad_error_handler
azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_ApiContractViolation, Error code: 3399614473, Tag: 557973642
cli.azure.cli.core.azclierror: (pii). Status: Response_Status.Status_ApiContractViolation, Error code: 3399614473, Tag: 557973642
az_command_data_logger: (pii). Status: Response_Status.Status_ApiContractViolation, Error code: 3399614473, Tag: 557973642
Please explicitly log in with: az login
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000001F41C970670>]

Expected behavior

Sign-in should be good after the broker's redirect URI is configured in the first-party application.

Environment Summary

azure-cli 2.52.0
core 2.52.0
telemetry 1.1.0

Extensions:
connectedmachine 0.3.0
interactive 0.5.3

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

Additional context

No response
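
Added example (not part of the original issue and not azure-cli or MSAL code): a Python triage helper that pulls the wam_telemetry object out of `az login --debug` output like the log above and reports whether an AADSTS50011 rejection involved the usual broker redirect URI. The function names and SAMPLE_LOG are illustrative; the sample is constructed from fields shown in this issue, and the broker URI shape is assumed from the URI the issue quotes.

```python
import json

# Constructed sample: two msal.broker lines abbreviated from this issue's
# --debug output (most telemetry fields dropped, error text shortened).
SAMPLE_LOG = (
    "msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: api_name, "
    "Value: SignInInteractively\n"
    "msal.broker: [MSAL:0003] INFO LogTelemetryData:340 Key: wam_telemetry, "
    'Value: {"server_error_code":50011,"oauth_error_code":"invalid_client",'
    '"redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/'
    '04b07795-8ddb-461a-bbee-02f9e1bf7b46",'
    '"client_id":"04b07795-8ddb-461a-bbee-02f9e1bf7b46",'
    '"authority":"https://login.partner.microsoftonline.cn/",'
    '"silent_message":"AADSTS50011: (shortened)"}\n'
)

MARKER = "Key: wam_telemetry, Value: "


def extract_wam_telemetry(log_text):
    """Decode every wam_telemetry JSON object embedded in the debug output."""
    decoder, found, pos = json.JSONDecoder(), [], log_text.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        try:
            # raw_decode stops at the end of the object, so log text that
            # follows the JSON on the same line does not matter.
            obj, _ = decoder.raw_decode(log_text, start)
            found.append(obj)
        except json.JSONDecodeError:
            pass  # truncated or redacted blob
        pos = log_text.find(MARKER, start)
    return found


def diagnose_redirect_mismatch(telemetry):
    """Return a summary for AADSTS50011, or None for any other outcome."""
    if telemetry.get("server_error_code") != 50011:
        return None
    client_id = telemetry.get("client_id", "")
    sent = telemetry.get("redirect_uri", "")
    # Assumption: the broker URI shape is the one quoted in this issue.
    expected = f"ms-appx-web://Microsoft.AAD.BrokerPlugin/{client_id}"
    return {
        "client_id": client_id,
        "authority": telemetry.get("authority"),
        "redirect_uri": sent,
        # True: the client sent the usual broker URI, so the gap is in the
        # app registration of the cloud named by "authority".
        "registration_side": sent == expected,
    }
```

A `registration_side` of True with a sovereign-cloud authority matches the situation reported here: the request is well formed and the fix belongs on the application registration in that cloud, not on the client.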

azure-client-tools-bot-prd[bot] commented 11 months ago

Hi @sscchh2001
Find similar issue https://github.com/Azure/azure-cli/issues/26565.
Issue title: az login with WAM fails for different cloud environment
Create time: 2023-05-30
Comment number: 2

Please confirm if this resolves your issue.

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.

jiasli commented 6 months ago

We have added ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46 redirect URI to Azure CLI's first party app in AzureChinaCloud on 2023-10-24. Could you try again and let us know if it works now?