Azure / azure-sdk-for-go


Go SDK Multi Tenant Authentication issue #23678

Open williamw-m opened 3 hours ago

williamw-m commented 3 hours ago

Bug Report

We used the Python SDK for multi-tenant authentication. Our tenant is A and we want to access blob storage in tenant B. We have set up cross-tenant authentication. With the Python SDK our code is as follows, and we can successfully access the blob storage.

from azure.identity import ClientSecretCredential
from azure.storage.blob import BlobServiceClient

# The app registration lives in tenant A; "*" lets the credential acquire tokens
# for any tenant the app is provisioned in, which a cross-tenant call needs.
credential = ClientSecretCredential(tenant_id=A_tenant_id,
                                    client_id=A_client_id,
                                    client_secret=A_client_secret,
                                    additionally_allowed_tenants=["*"])

blob_service_client = BlobServiceClient(account_url=blob_service_url,
                                        credential=credential)
container_client = blob_service_client.get_container_client(
    container=container_name)
blob_list = container_client.list_blobs()  # lazy pager; the request is sent when iterated

But when we use Go SDK we had the authentication issue.

// Imports: github.com/Azure/azure-sdk-for-go/sdk/azidentity and
// github.com/Azure/azure-sdk-for-go/sdk/storage/azblob; runs inside a function with ctx in scope.
cred, err := azidentity.NewClientSecretCredential(A_tenantID, A_clientID, A_clientSecret,
    &azidentity.ClientSecretCredentialOptions{AdditionallyAllowedTenants: additionalTenants})
serviceClient, err := azblob.NewClient(serviceURL, cred, nil)
pager := serviceClient.NewListBlobsFlatPager(containerName, nil)
_, err = pager.NextPage(ctx) // the list request is sent here; this call returns the error below

We had this authentication error.

<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>

But if we change the tenant ID in NewClientSecretCredential, then we can access the blob storage in B.

// Same app credentials; only the authority tenant changes from A to B.
cred, err := azidentity.NewClientSecretCredential(B_tenantID, A_clientID, A_clientSecret,
    &azidentity.ClientSecretCredentialOptions{AdditionallyAllowedTenants: additionalTenants})

I think there is some bug in the Go SDK. Could you check and fix the issue?
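The error body in the report says what went wrong: the storage account in tenant B received a bearer token whose issuer was not tenant B's token service. The following is an added, stand-alone Go example (standard library only; not the reporter's code and not azidentity or azblob code) that shows the two things a practitioner checks in this situation: which tenant actually issued the token the client sent, read from the token's own `iss` and `tid` claims, and what the documented AdditionallyAllowedTenants rule permits for a request that targets another tenant. The tenant IDs and the unsigned token are constructed for the demo, and `parseClaims`, `issuedForTenant`, `resolveTenant` and `makeUnsignedToken` are hypothetical helper names; `resolveTenant` is an illustration of the documented rule, not azidentity's implementation.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenClaims holds the Entra ID claims relevant to the issuer check:
// iss is the issuing STS, tid the issuing tenant, aud the target resource.
type tokenClaims struct {
	Iss string `json:"iss"`
	Tid string `json:"tid"`
	Aud string `json:"aud"`
}

// parseClaims decodes the payload of a compact JWT WITHOUT verifying the
// signature. It is a diagnostic to see which tenant issued a token that a
// resource rejected; never use it to make an authorization decision.
func parseClaims(jwt string) (tokenClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return tokenClaims{}, errors.New("not a compact JWT (expected header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return tokenClaims{}, fmt.Errorf("decode payload: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return tokenClaims{}, fmt.Errorf("parse claims: %w", err)
	}
	return c, nil
}

// issuedForTenant reports whether the token came from tenantID's STS. Both
// v1 (sts.windows.net/{tid}/) and v2 (login.microsoftonline.com/{tid}/v2.0)
// issuer URLs embed the tenant ID between slashes, so one check covers both.
func issuedForTenant(c tokenClaims, tenantID string) bool {
	return c.Tid == tenantID && strings.Contains(c.Iss, "/"+tenantID+"/")
}

// resolveTenant is an illustration (not azidentity's code) of the documented
// AdditionallyAllowedTenants rule: a request for a tenant other than the
// credential's own is honoured only if that tenant, or "*", is allowed.
func resolveTenant(defaultTenant string, allowed []string, requested string) (string, error) {
	if requested == "" || requested == defaultTenant {
		return defaultTenant, nil
	}
	for _, t := range allowed {
		if t == "*" || t == requested {
			return requested, nil
		}
	}
	return "", fmt.Errorf("credential is not configured to acquire tokens for tenant %q; add it (or \"*\") to AdditionallyAllowedTenants", requested)
}

// makeUnsignedToken builds a CONSTRUCTED, unsigned JWT (alg "none") so the
// demo runs offline. Real tokens are signed by Entra ID.
func makeUnsignedToken(tenantID string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(tokenClaims{
		Iss: "https://sts.windows.net/" + tenantID + "/",
		Tid: tenantID,
		Aud: "https://storage.azure.com/",
	})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// Constructed tenant IDs standing in for A (credential's home) and B (storage account).
	const tenantA = "11111111-1111-1111-1111-111111111111"
	const tenantB = "22222222-2222-2222-2222-222222222222"

	// Case 1: the token actually sent was minted by tenant A's STS, so a
	// storage account in B rejects it: this is the "Issuer did not match" case.
	tok := makeUnsignedToken(tenantA)
	c, err := parseClaims(tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf("token tid=%s iss=%s -> issued for B? %v\n", c.Tid, c.Iss, issuedForTenant(c, tenantB))

	// Case 2: what the credential may do for a request that targets B.
	for _, allowed := range [][]string{nil, {"*"}, {tenantB}} {
		got, err := resolveTenant(tenantA, allowed, tenantB)
		fmt.Printf("allowed=%v -> tenant=%q err=%v\n", allowed, got, err)
	}
}
```

To apply the first check to a real run, request the token the client would send with `cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{"https://storage.azure.com/.default"}, TenantID: B_tenantID})` (azcore's `policy` package) and pass the returned `.Token` string to `parseClaims`; a `tid` equal to A confirms the token was issued for the wrong tenant and explains the storage response in the report.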

github-actions[bot] commented 3 hours ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.