search

Azure / azure-cli

Azure Command-Line Interface
MIT License
4.03k stars 3.01k forks source link

`az login` stuck on connecting to `login.microsoftonline.com:443` #28548

Open Bouke opened 8 months ago

Bouke commented 8 months ago

Describe the bug

Running az login is stuck after confirmation in the browser. The debug output shows it is waiting to connect to login.microsoftonline.com:443.

My machine is connected to the internet. All browsing works fine. I can connect to login.microsoftonline.com in my Safari browser.

Related command

az login --scope {} --debug

Errors

No error; it is just stuck waiting.

Issue script & Debug output

cli.azure.cli.core.auth.identity: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
msal.telemetry: Generate or reuse correlation_id: c029d9c5-7926-4ab7-adc6-a0de19d2da3f
msal.oauth2cli.oauth2: Using http://localhost:64330 as redirect_uri
msal.oauth2cli.authcode: Abort by visit http://localhost:64330?error=abort
msal.oauth2cli.authcode: Open a browser on this device to visit: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A64330&scope=https%3A%2F%2Fmanagement.azure.com%2F%2F.default+offline_access+openid+profile&state=NmifcZvXTDBFSpPj&code_challenge=(...)
msal.oauth2cli.authcode: Got auth response: (...)
msal.oauth2cli.authcode: "GET /?code=(...) HTTP/1.1" 200 -
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
^Ccli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x10f3e8400>]

Expected behavior

az login should just work

Environment Summary

macOS-14.3.1-x86_64-i386-64bit, Darwin 23.3.0
Python 3.11.8
Installer: HOMEBREW

azure-cli 2.58.0

Extensions:
azure-devops 1.0.0
ssh 1.1.1

Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2

Additional context

yonzhan commented 8 months ago

Thank you for opening this issue, we will look into it.

mattsains commented 8 months ago

I'm having a similar issue, but using az login --use-device-code and before it gives me a URL. Also stuck connecting to login.microsoftonline.com:443

bebound commented 8 months ago

What's the output of python -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"?

Bouke commented 8 months ago

The problem is intermittent as it went away after an hour or so. Highly frustrating to debug.

mattsains commented 8 months ago

It's still happening to me but it does seem to be intermittent. Both Tuesday and Wednesday morning pacific time, it hung. Tuesday and Wednesday afternoon it started working again.

The result of your python code is 200, and I actually have done a curl on this URL during the time the CLI hangs and the result was a 200

mattsains commented 8 months ago

It's not working again this morning (2024-03-14 08:58:00 pacific time):

cli.knack.cli: Command arguments: ['login', '--use-device-code', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fa00f0f8040>, <function OutputProducer.on_global_arguments at 0x7fa00f0a2160>, <function CLIQuery.on_global_arguments at 0x7fa00f0d7c40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         8
cli.azure.cli.core: Total (1)                 0.001         2         8
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fa00dfd1bc0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/msainsbury/.azure/commands/2024-03-14.08-57-50.login.2277400.log'.
az_command_data_logger: command args: login --use-device-code --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fa00e069f80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fa00e06a020>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fa00e06a160>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fa00f0a2200>, <function CLIQuery.handle_query_parameter at 0x7fa00f0d7ce0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fa00e06a0c0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/msainsbury/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/msainsbury/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
^Ccli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fa00dfd1e40>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 17.710 seconds (init: 0.098, invoke: 17.611)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3571 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/msainsbury/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

the python command:

$ python3 -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"

hangs as well. I tried to curl that URL, and I got a redirect to https://www.office.com/login#, and then further to https://login.microsoftonline.com/common/oauth2/v2.0/authorize, but these seem to be interactive websites and not APIs

bebound commented 8 months ago

Since the Python command also hangs, there is nothing we can do. It appears to be a network issue.

acasanova99 commented 8 months ago

I have the same problem on a linux machine: Ubuntu 23.10 with kernel 6.5.0-26-generic and python Python 3.11.6. Az:

{
  "azure-cli": "2.58.0",
  "azure-cli-core": "2.58.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}

Can you provide the versions used for testing?

HeyangQin commented 7 months ago

I ran into the same issue. After a whole day of trial and error, I finally solved it by disabling IPv6 as suggested here: https://stackoverflow.com/questions/57992691/pip-hangs-on-starting-new-https-connection. However, I have no idea why disabling IPv6 would fix it.

mattsains commented 7 months ago

Disabling ipv6 worked for me!

Also, I don't think it's a "networking issue" as suggested by bebound, because if I reproduce the call in curl, it succeeds immediately:

curl -L https://login.microsoftonline.com -H "User-Agent: python-requests/2.25.1" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" --output -

(result is binary data)

jsliacan commented 7 months ago

FWIW, I am reliably reproducing this with this example: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-daemon-app-python-acquire-token

Agree with @mattsains that it could be more interesting than a simple network issue on my side. curl works.

EDIT: I can also confirm that disabling IPv6 (as outlined here - I'm on Fedora 39 ) got things to work.

Dsverre commented 6 months ago

I also had this issue, but only when using a full vpn tunnel. After disabling ipv6 like suggested, it now works using the full vpn tunnel as well.

enyeneraph commented 2 months ago

for me, I had to uninstall the azure cli and use a more recent version version I previously used was: 2.0.81 version I installed: 2.64.0

Although version 2.64.0 might result in this

gjswalling commented 1 month ago

I encountered the same issue today and after following steps to disable ipv6 now I can "az login" again on Ubuntu 22.04.5 LTS $ az version { "azure-cli": "2.49.0", "azure-cli-core": "2.49.0", "azure-cli-telemetry": "1.0.8", "extensions": { "azure-devops": "0.25.0", "ssh": "2.0.5", "storage-preview": "0.9.0" } }

juanlabrin commented 4 weeks ago

Same issue, only disabling ipv6 it work. Ubuntu 22.04 LTS az version: { "azure-cli": "2.65.0", "azure-cli-core": "2.65.0", "azure-cli-telemetry": "1.1.0", "extensions": {} }

Realiserad commented 3 days ago

I also had this issue. az login would open a browser and I was able to log in there, but then az was just sitting there and nothing happened. I disabled IPv6 and now it works again. I checked on Verizon's website and they are in the process of rolling out IPv6 support.