Azure / azure-cli

Azure Command-Line Interface
MIT License

Since the new Azure CLI login experience was added, `az ad signed-in-user show` no longer works #29222

Open GavBurke opened 4 months ago

GavBurke commented 4 months ago

Describe the bug

Our login code fetches the user ID via `az ad signed-in-user show`, but since the new Azure CLI login experience, where it now asks which subscription to log in to, this no longer works, giving the error `Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.`

Related command

az ad signed-in-user show

Errors

Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Issue script & Debug output

```
cli.knack.cli: Command arguments: ['ad', 'signed-in-user', 'show', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fbd39a240e0>, <function OutputProducer.on_global_arguments at 0x7fbd399ce2a0>, <function CLIQuery.on_global_arguments at 0x7fbd397e7d80>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.002        17        61
cli.azure.cli.core: Total (1)                 0.002        17        61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ad signed-in-user show
cli.azure.cli.core: Command table: ad signed-in-user show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fbd388ecea0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/gavinbu/.azure/commands/2024-06-21.12-29-02.ad_signed-in-user_show.13543.log'.
az_command_data_logger: command args: ad signed-in-user show --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fbd38945f80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fbd389691c0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fbd38969300>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fbd399ce340>, <function CLIQuery.handle_query_parameter at 0x7fbd397e7e20>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fbd38969260>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/gavinbu/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/gavinbu/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b
msal.authority: openid_config("https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: e7b216ec-d8ca-463f-b9c2-bb9801827cd2
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/me'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.11.8 (Linux-5.15.153.1-microsoft-standard-WSL2-x86_64-with-glibc2.36) AZURECLI/2.61.0 (DEB)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': 'fdb35a1e-3baa-4074-8812-201c40fcf3e2'
cli.azure.cli.core.util:     'CommandName': 'ad signed-in-user show'
cli.azure.cli.core.util:     'ParameterSetName': '--debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/me HTTP/1.1" 401 None
cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': 'b03fa5b7-917c-48db-8c96-02a6974761db'
cli.azure.cli.core.util:     'client-request-id': 'b03fa5b7-917c-48db-8c96-02a6974761db'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"AM2PEPF0002326E"}}'
cli.azure.cli.core.util:     'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4OTcyOTQzIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIzNC43Ny4xMDcuODMifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjQ4RDBDNENCQzcwQkYyQUYzQzE4NzE1RDkwQ0MxN0EyRjM0NjkyMjQifQ.eyJ0cyI6MTcxODk3Mjk0MH0.a0OyYgSmkcbfIGev7PoxcTK31c1NqOChaOjFQgfrT_gzN1Ycs7Rcn2Qdf7PZrYG4Avzy2ku8ItgRPO3jqXeyc32qa9naG16Lzn59XBlYoPTwQzUgrCshkZRpVg08tGiPjz4TlqenhjSsIz3z5sYYAP1qDM-Tc3J6YoBVrgrVN-cK451YOWLxNV8VjMdhsh_Kg3Jczlf2dRINjTy339T5A9V8dBFZ9iz7pDiWILzGDD4E5p-DGYKiKsoMnC4e5RF8wssbEje4xMz4Okrd5HClZJHJ_dlvO61eZUHRIRhfY54VIZKRzJoJcGmXihD4yaI8FihxbRss5OUZx1d91ouw"'
cli.azure.cli.core.util:     'Date': 'Fri, 21 Jun 2024 12:29:02 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-21T12:29:03","request-id":"b03fa5b7-917c-48db-8c96-02a6974761db","client-request-id":"b03fa5b7-917c-48db-8c96-02a6974761db"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 1007, in send_raw_request
    raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Unauthorized({"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-21T12:29:03","request-id":"b03fa5b7-917c-48db-8c96-02a6974761db","client-request-id":"b03fa5b7-917c-48db-8c96-02a6974761db"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1821, in show_signed_in_user
    result = client.signed_in_user_get()
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 224, in signed_in_user_get
    result = self._send("GET", "/me")
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
    raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
    return cmd_copy.exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/commands.py", line 50, in graph_err_handler
    raise CLIError(ex)
knack.util.CLIError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fbd388ed120>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.427 seconds (init: 0.107, invoke: 0.320)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3927 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/gavinbu/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
```

Expected behavior

To be returned the logged-in user's details, as we then grab the ID to grant permissions to.

Environment Summary

```
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/gavinbu/.azure/cliextensions'

Python (Linux) 3.11.8 (main, May 16 2024, 03:50:12) [GCC 12.2.0]
```

Additional context

No response

azure-client-tools-bot-prd[bot] commented 4 months ago
Hi @GavBurke Find similar issue https://github.com/Azure/azure-cli/issues/29155.
Issue title Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
Create time 2024-06-12
Comment number 0

Possible solution: The error message "Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown" indicates that there is an issue with the authentication token. The existing issue suggests that bypassing a conditional access policy that is blocking based on geo network locations might resolve the issue. You can try bypassing the policy to see if it resolves the issue. If not, you can try other solutions suggested in the existing issue.


Please confirm if this resolves your issue.

yonzhan commented 4 months ago

Thank you for opening this issue, we will look into it.

GavBurke commented 4 months ago

Thanks @yonzhan

A colleague found https://github.com/hashicorp/terraform-provider-azuread/issues/1410#issuecomment-2165803078, and doing that helped me get around this issue. After previously just trying to log in again and accepting the same sub I've always used, which was given as the default, I logged out, and on logging back in I got a different default sub given as the "default", a sub which I have never ever used or connected to before (our tenant has 16 subs), but now the AD user show works fine 😕

caleb-terry commented 2 weeks ago

A member of our team is also experiencing this issue except they get the ClaimsChallenge error for keyvault creation in Azure CLI as well.

Version info:

```
azure-cli                         2.65.0

core                              2.65.0
telemetry                          1.1.0

Extensions:
azure-devops                       1.0.1
azure-firewall                     1.2.0
connectedmachine                   1.0.0
containerapp                     1.0.0b3
ssh                                2.0.5
virtual-wan                        1.0.1

Dependencies:
msal                              1.31.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\redacted\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.
```

```
PS C:\Users\redacted> az keyvault create --name kvitsandbox010 --resource-group rg-redacted --location eastus --enabled-for-deployment true --enabled-for-disk-encryption true --enabled-for-template-deployment true --sku standard --public-network-access enabled --enable-rbac-authorization false
The command failed with an unexpected error. Here is the traceback:
Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 57, in _send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1012, in send_raw_request
azure.cli.core.azclierror.HTTPError: Unauthorized({"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-10-17T16:32:50","request-id":"redacted","client-request-id":"redacted"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/util.py", line 72, in get_current_identity_object_id
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/util.py", line 14, in _get_current_user_object_id
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 229, in signed_in_user_get
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 60, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 57, in _send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1012, in send_raw_request
azure.cli.core.azclierror.HTTPError: Unauthorized({"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-10-17T16:32:50","request-id":"02aace58-9971-4629-b17d-647c0991727e","client-request-id":"redacted"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 482, in create_vault_or_hsm
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 699, in create_vault
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/util.py", line 80, in get_current_identity_object_id
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/util.py", line 38, in _get_object_id_from_subscription
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/util.py", line 28, in _get_object_id_by_upn
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 299, in user_list
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 60, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
```
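What the 401 in both tracebacks is actually saying, as an added example (this is not azure-cli or MSAL code). Graph does not just reject the token; it returns a `WWW-Authenticate: Bearer` challenge with `error="insufficient_claims"` and a base64url `claims` parameter. Decoding the one from the original `--debug` output gives an `access_token.nbf` claim marked `essential` with value `1718972943` (12:29:03 UTC on 21 Jun 2024, the same second as the request) plus the client IP Graph saw in `xms_rp_ipaddr`. That is a Continuous Access Evaluation challenge: the access token MSAL served from cache (`msal.application: Cache hit an AT`) was issued before a Conditional Access policy change (`TokenCreatedWithOutdatedPolicies`), and the handling MSAL documents for it is to re-acquire the token with that claims JSON passed back to Entra via the `claims_challenge=` keyword, rather than retrying with the cached token. `az keyvault create` hits the same `/me` call through `get_current_identity_object_id`, which is why it fails identically. The parser, decoder and re-acquire helper below are mine; `SAMPLE_WWW_AUTHENTICATE` is copied from the report with the PoP nonce JWT replaced by a placeholder, and `reacquire_with_claims` assumes MSAL Python's `PublicClientApplication.acquire_token_silent()` / `acquire_token_interactive()` signatures.

```python
"""Decode the Microsoft Graph 401 claims challenge from the report above and build the
MSAL re-acquire call that satisfies it.

Added example, not azure-cli or MSAL code. Assumes MSAL Python's
acquire_token_silent()/acquire_token_interactive(), which accept claims_challenge=.
"""
import base64
import json
import re
from typing import Dict, List, Optional, Tuple

# Copied from the WWW-Authenticate header in the --debug output; the PoP nonce JWT is
# replaced by a placeholder (constructed) because only the Bearer challenge matters here.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", '
    'error_description="Continuous access evaluation resulted in challenge with result: '
    'InteractionRequired and code: TokenCreatedWithOutdatedPolicies", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4OTcyOTQzIn0s'
    'Inhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIzNC43Ny4xMDcuODMifX19", '
    'PoP realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", '
    'nonce="<pop-nonce-jwt-omitted>"'
)

# One auth-param (name="quoted" or name=token) or one auth-scheme keyword such as
# Bearer / PoP. Schemes are bare words followed by whitespace; params always carry '='.
_TOKEN_RE = re.compile(
    r'(?P<key>[\w.-]+)\s*=\s*(?:"(?P<qval>(?:[^"\\]|\\.)*)"|(?P<bval>[^\s,]+))'
    r'|(?P<scheme>[A-Za-z][\w-]*)(?=\s|$)'
)


def parse_www_authenticate(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs, in header order.

    Graph sends several challenges in one header (Bearer, then PoP), so a single
    dict keyed by param name would silently overwrite realm/client_id/etc.
    """
    challenges: List[Tuple[str, Dict[str, str]]] = []
    for m in _TOKEN_RE.finditer(header):
        if m.group("scheme"):
            challenges.append((m.group("scheme"), {}))
        elif challenges:  # params before any scheme keyword are malformed; skip them
            value = m.group("qval") if m.group("qval") is not None else m.group("bval")
            challenges[-1][1][m.group("key")] = value.replace('\\"', '"')
    return challenges


def decode_claims_challenge(claims_b64: str) -> dict:
    """The claims param is unpadded base64url of the JSON claims request Entra expects back."""
    padded = claims_b64 + "=" * (-len(claims_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def cae_challenge(header: str) -> Optional[dict]:
    """Return the decoded claims if this 401 is an insufficient_claims (CAE) challenge.

    Any other 401 (expired token, wrong audience, ...) returns None and should be
    handled by a plain token refresh instead.
    """
    for scheme, params in parse_www_authenticate(header):
        if (scheme.lower() == "bearer" and params.get("error") == "insufficient_claims"
                and "claims" in params):
            return decode_claims_challenge(params["claims"])
    return None


def token_min_issue_time(claims: dict) -> Optional[int]:
    """Epoch second the new token must be issued at or after (the essential nbf claim)."""
    nbf = claims.get("access_token", {}).get("nbf", {})
    if nbf.get("essential") and "value" in nbf:
        return int(nbf["value"])
    return None


def reacquire_with_claims(app, scopes: List[str], account, claims: dict) -> dict:
    """Satisfy the challenge the way MSAL documents: pass the claims JSON back to Entra.

    acquire_token_silent() with claims_challenge= bypasses the cached access token and
    redeems the refresh token for a new one carrying the claims; if that still needs
    interaction (policy change, new network location), fall back to interactive sign-in.
    `app` is any object exposing MSAL's PublicClientApplication methods (assumption).
    """
    claims_json = json.dumps(claims, separators=(",", ":"))
    result = app.acquire_token_silent(scopes, account=account, claims_challenge=claims_json)
    if result and "access_token" in result:
        return result
    return app.acquire_token_interactive(scopes, claims_challenge=claims_json)


if __name__ == "__main__":
    decoded = cae_challenge(SAMPLE_WWW_AUTHENTICATE)
    print(json.dumps(decoded, indent=2))
    print("new token must be issued at or after epoch", token_min_issue_time(decoded))
```

Running the block prints the decoded challenge for the header in the report. The parser returns a list rather than a dict because Graph packs two challenges (`Bearer` and `PoP`) into one header, each with its own `realm`, `authorization_uri` and `client_id`; a flat dict would keep only the last one and lose the `claims` parameter to the `nonce`.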