Open keystroke opened 2 years ago
Hi @keystroke, as you have seen, there are 2 elements in the token cache and they may prevent the client from getting the correct access token. I suspect it is an issue in MSAL. However, Az.Accounts 2.2.8 is too old and you cannot get MSAL support. My suggestion is that you remove the token cache and log in again if you cannot use the latest version of Az.Accounts.
```powershell
Disconnect-AzAccount
Clear-AzContext
```
@dingmeng-xue having user clear token cache and re-sign-in every hour is not a good user experience as that defeats the purpose of refresh tokens. What version of MSAL is in latest Azure PS?
@ssel is ASE locked to version 2.2.8 for Azure PowerShell? Can we try to see if it repros using the latest version (even if unsupported in general for ASE, the sign-in and get-resource-group flows should be functional)?
The reason for the old PS version is that the resource providers used by ARM Lite on ASE don't support the latest API versions used by those in the cloud.
For the latest, it's documented that customers should use this to install Az:
```powershell
Install-Module Az -RequiredVersion 1.10.0
```
I'm not sure how the "Install-Module Az" version maps to the Az.Accounts version.
Scott
@keystroke, it's true that AzureStack cannot use the latest version. Could you reliably reproduce this issue? If yes, I believe we can ask the MSAL team to look into it and provide a suggestion. Otherwise, it is pretty challenging. The current version of Az.Accounts (2.8.0) is using MSAL 2.19.3.
Yes, I believe I can reliably reproduce this.
By the way, once this happens the only way I've found to recover is to open a new PS session. I've tried Clear-AzContext, removing msal.cache, and SharedTokenCacheProvider.ClearCache, but I continue to get "The cache contains multiple tokens satisfying the requirements" within the original PS session.
Thanks, Scott
Description
Using Az.Accounts 2.2.8 with an Azure Stack Edge environment (this is a private cloud environment), we see an issue where authentication sessions stop working after 1 hour. The token gets refreshed, but it appears that Azure PS has the old access token in the shared token cache under the hood and fails to resolve the new access token.
The repro script we have looks like this:
We see below in debug output at the final step which indicates that there are multiple access tokens that could work and so it fails (full output of entire script in below section):
We grabbed the full content of the token cache from the environment (this is transient test info), here is that state:
We can see in the token cache that there are two access tokens, which are identical except different expiration times and the scopes are in a different order in the key for them.
It seems there is an issue either in how Az PS is interacting with MSAL or how MSAL is handling the token resolution. The user expectation is that this should just work - refreshing the access token using a refresh token and getting updated access token should not force user to sign-in again, it defeats the entire purpose of the refresh token.
Please help us understand if there is an issue in Az PS or MSAL here.
Thanks!
Issue script & Debug output
Environment data
Module versions
Error output
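As an added diagnostic (not part of the issue, and not Az.Accounts or MSAL code), the script below reads an MSAL unified-cache JSON document and flags the state the description above reports: several access-token entries for the same account, client and tenant whose keys differ only by scope order and expiry. The cache path (~/.IdentityService/msal.cache), its DPAPI protection on Windows, and the field names (`home_account_id`, `client_id`, `realm`, `target`, `expires_on`) are assumptions about the MSAL cache schema; the sample document at the end is constructed.

```powershell
# Added diagnostic, not from the issue. Reads the MSAL unified cache JSON and groups
# "AccessToken" entries by account/client/realm plus a normalised scope set, so that
# keys that differ only in scope order fall into one group. Secrets are never printed.

function Get-MsalCacheJson {
    # Assumed cache location used by Az.Accounts; on Windows the file is DPAPI-protected.
    param([string]$Path = (Join-Path $HOME '.IdentityService/msal.cache'))
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($IsWindows -or $env:OS -eq 'Windows_NT') {
        Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Find-DuplicateAccessTokens {
    param([Parameter(Mandatory)][string]$CacheJson)
    $cache  = $CacheJson | ConvertFrom-Json
    $groups = @{}
    foreach ($prop in $cache.AccessToken.PSObject.Properties) {
        $e = $prop.Value
        # Sort the scope list so "a b" and "b a" map to the same identity.
        $scopes = ($e.target -split '\s+' | Where-Object { $_ } |
                   ForEach-Object { $_.ToLowerInvariant() } | Sort-Object) -join ' '
        $id = '{0}|{1}|{2}|{3}' -f $e.home_account_id, $e.client_id, $e.realm, $scopes
        if (-not $groups.ContainsKey($id)) { $groups[$id] = @() }
        $groups[$id] += [pscustomobject]@{ Key = $prop.Name; Target = $e.target; ExpiresOn = [int64]$e.expires_on }
    }
    foreach ($id in $groups.Keys) {
        if ($groups[$id].Count -gt 1) {
            # More than one live entry for one identity: the ambiguous state MSAL rejects.
            [pscustomobject]@{ Identity = $id; Entries = ($groups[$id] | Sort-Object ExpiresOn) }
        }
    }
}

# Constructed sample mirroring the issue: same account/client/realm/scopes, scope order
# swapped in the key, different expires_on. Real use: Find-DuplicateAccessTokens (Get-MsalCacheJson)
$sample = @'
{ "AccessToken": {
  "uid.tid-login.example-accesstoken-clientid-tenantid-user.read openid": {
    "home_account_id": "uid.tid", "environment": "login.example", "client_id": "clientid",
    "realm": "tenantid", "target": "user.read openid", "expires_on": "1654560000", "secret": "<redacted>" },
  "uid.tid-login.example-accesstoken-clientid-tenantid-openid user.read": {
    "home_account_id": "uid.tid", "environment": "login.example", "client_id": "clientid",
    "realm": "tenantid", "target": "openid user.read", "expires_on": "1654563600", "secret": "<redacted>" }
} }
'@
Find-DuplicateAccessTokens -CacheJson $sample | Format-List
```

Any group it reports with more than one entry is a cache that needs clearing before the next silent token acquisition; the script only lists keys and expiry times, never the token values.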