Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[QUERY] Does azure-identity support Azure Stack now #12227

Closed saragluna closed 4 years ago

saragluna commented 4 years ago

Query/Question

Does the azure-identity support Azure Stack now?

Why is this not a Bug or a feature Request?

When I build a Key Vault secret client with ClientCertificateCredential and try to access a key vault provisioned on Azure Stack, I got the error message:

Caused by: com.microsoft.aad.msal4j.MsalServiceException: AADSTS90002: Tenant '81cfafcd-8b9a-4419-9c85-823b54076b55' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.
Trace ID: 4fe6a499-c9cb-4d93-b120-4652b7410d00
Correlation ID: 97b144e8-dff5-444d-80be-dfe180469795
Timestamp: 2020-06-16 07:55:20Z
    at com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:43)
    at com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:81)
    at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:36)
    at com.microsoft.aad.msal4j.ClientApplicationBase.acquireTokenCommon(ClientApplicationBase.java:92)
    at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:52)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:59)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:17)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run$$$capture(CompletableFuture.java:1700)

And when I tried version 1.1.0-beta.5, the application hung with no output.

Setup (please complete the following information if applicable):

bganapa commented 4 years ago

Please ping us for Azure Stack environment access.

g2vinay commented 4 years ago

@saragluna, thank you for reporting this issue. This might be connected to this issue: https://github.com/Azure/azure-sdk-for-java/issues/11830#issuecomment-640859500

I'll investigate further and will update you.

vishsram commented 4 years ago

@g2vinay Could you please let us know when azure-identity will be supported for Azure Stack (ADFS)?

g2vinay commented 4 years ago

@vishsram We will be looking to add support for Azure Stack in azure-identity this semester.

joshfree commented 4 years ago

Related #13460

g2vinay commented 4 years ago

@saragluna To authenticate against Azure Stack, you'll need to specify tenantId and authority host of the Azure Stack in the credential correctly.

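        // Requires: import com.azure.identity.ClientCertificateCredential;
        //           import com.azure.identity.ClientCertificateCredentialBuilder;
        ClientCertificateCredential certificateCredential = new ClientCertificateCredentialBuilder()
                .authorityHost("<Az-Stack-Auth-host>")
                .tenantId("<Az-Stack-Tenant-Id>")  // "adfs" if the Az stack is backed by ADFS.
                .clientId("<client-id>")  // placeholder: ID of the registered application
                .pemCertificate("<path-to-certificate.pem>")  // placeholder; or pfxCertificate(path, password)
                .build();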

If your Azure Stack is backed by ADFS, then the tenantId you need to use is adfs, and the authority host can be requested from the Azure Stack operator / administrator.

saragluna commented 4 years ago

@g2vinay thanks for the update! @bganapa we may need your help on the authority host part.

bganapa commented 4 years ago

@saragluna AuthorityHost will be different for each Azure Stack instance. It can be obtained by accessing the ARM metadata endpoint.

saragluna commented 4 years ago

@bganapa Could you elaborate more on the ARM metadata endpoint, since I've never heard of that before? If we access an Azure Stack instance, with you helping provide the info, could this metadata be found on the portal?

saragluna commented 4 years ago

@g2vinay has this support of Azure Stack been released yet?

g2vinay commented 4 years ago

@saragluna, based on our investigation, all of our credentials except the Interactive Browser Credential in the Identity SDK already support Azure Stack. You just need to provide the correct parameters to the credentials for them to work against Azure Stack. You can use the latest stable release:

<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.1.2</version>
</dependency>

So, in your case, ClientCertificateCredential should work, assuming correct parameters are passed in as indicated below:

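        // Requires: import com.azure.identity.ClientCertificateCredential;
        //           import com.azure.identity.ClientCertificateCredentialBuilder;
        ClientCertificateCredential certificateCredential = new ClientCertificateCredentialBuilder()
                .authorityHost("<Az-Stack-Auth-host>")
                .tenantId("<Az-Stack-Tenant-Id>")  // "adfs" if the Az stack is backed by ADFS.
                .clientId("<client-id>")  // placeholder: ID of the registered application
                .pemCertificate("<path-to-certificate.pem>")  // placeholder; or pfxCertificate(path, password)
                .build();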

To figure out the authority host for your Azure Stack, you can run this command if you have access to the Azure Stack; otherwise, have your Azure Stack administrator run it:

Get-AzEnvironment -Name <NameOfAzureStack>

The beta release going out this week will also support InteractiveBrowserCredential against Azure Stack.
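
Added example (not part of the original thread and not the SDK's own code): one way to derive the authorityHost and tenantId values discussed above from the ARM metadata document mentioned earlier in the thread, rejecting non-HTTPS login endpoints before any credential is built. The JSON shape (`authentication.loginEndpoint`), the sample hostnames, the `resolve` helper, the rule that a `/adfs` path means an ADFS-backed stamp, and Jackson being on the classpath are all assumptions.

```java
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;

public class AzureStackAuthority {
    // Constructed sample of a metadata document for an ADFS-backed stamp (not real output).
    static final String SAMPLE_METADATA = "{\"authentication\":{"
        + "\"loginEndpoint\":\"https://adfs.local.azurestack.example/adfs\","
        + "\"audiences\":[\"https://management.adfs.azurestack.example/placeholder\"]}}";

    /** Hypothetical helper: returns {authorityHost, tenantId} from the metadata JSON. */
    static String[] resolve(String metadataJson, String aadTenantId) throws Exception {
        JsonNode login = new ObjectMapper().readTree(metadataJson)
            .path("authentication").path("loginEndpoint");
        if (!login.isTextual()) {
            throw new IllegalArgumentException("metadata has no authentication.loginEndpoint");
        }
        URI uri = URI.create(login.asText());
        // Refuse cleartext or malformed endpoints: the signed client assertion is sent there.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException("loginEndpoint must be an https URL: " + uri);
        }
        String path = uri.getPath() == null ? "" : uri.getPath().replaceAll("/+$", "");
        boolean adfs = path.equalsIgnoreCase("/adfs");
        // An AAD-backed stamp still needs its real tenant ID; fail early instead of
        // falling through to a "tenant not found" error at token time.
        if (!adfs && (aadTenantId == null || aadTenantId.isEmpty())) {
            throw new IllegalArgumentException("AAD-backed stamp: a tenant ID is required");
        }
        String host = "https://" + uri.getAuthority() + "/";
        return new String[] { host, adfs ? "adfs" : aadTenantId };
    }

    public static void main(String[] args) throws Exception {
        String[] r = resolve(SAMPLE_METADATA, null);
        System.out.println("authorityHost=" + r[0] + " tenantId=" + r[1]);
        ClientCertificateCredential credential = new ClientCertificateCredentialBuilder()
            .authorityHost(r[0])
            .tenantId(r[1])
            .clientId("00000000-0000-0000-0000-000000000000")  // placeholder client ID
            .pemCertificate("/path/to/certificate.pem")        // placeholder path
            .build();  // no network call happens until a token is requested
    }
}
```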

saragluna commented 4 years ago

@g2vinay Thanks for the explanation!

g2vinay commented 4 years ago

Closing this issue, as it has been resolved on the spring team's end.