Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License

Cannot use @azure/arm-resources in dogfood #24764

Closed emoranchel closed 1 year ago

emoranchel commented 1 year ago

Describe the bug

Hi, I am trying to use the @azure/arm-resources Node.js library to connect to dogfood, but I am encountering an error. My code to connect is:

    import { UsernamePasswordCredential } from '@azure/identity';
    import { ResourceManagementClient } from '@azure/arm-resources';

    ...

    let credential = new UsernamePasswordCredential(configuration.tenantId, CLIENT_ID, username, password, {
        authorityHost: 'https://login.windows-ppe.net'
    });
    return new ResourceManagementClient(credential, configuration.subscriptionId, {
        endpoint: 'https://api-dogfood.resources.windows-int.net'
    });

But I am getting an error:

RestError: The access token has been obtained for wrong audience or resource 'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.
      at handleErrorResponse (node_modules\@azure\core-client\dist\index.js:1305:19)
      at deserializeResponseBody (node_modules\@azure\core-client\dist\index.js:1240:45)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5)

And the full log:

azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : @azure/msal-node@1.14.6 : Info - getTokenCache called
azure:identity:info UsernamePasswordCredential => More than one account was found authenticated for this Client ID and Tenant ID.
However, no "authenticationRecord" has been provided for this credential,
therefore we're unable to pick between these accounts.
A new login attempt will be requested, to ensure the correct account is picked.
To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.
azure:identity:info UsernamePasswordCredential => Silent authentication failed, falling back to interactive method.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : [b6b044e9-6de4-47b3-8800-bcc37923a8b0] : @azure/msal-node@1.14.6 : Info - acquireTokenByUsernamePassword called
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 898584e8-b5c1-4770-b291-5a88c3dc72b0
azure:core-rest-pipeline:info Request: {
  "url": "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=REDACTED",
  "headers": {
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "898584e8-b5c1-4770-b291-5a88c3dc72b0"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "898584e8-b5c1-4770-b291-5a88c3dc72b0",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "max-age=86400, private",
  "content-type": "application/json; charset=utf-8",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, OPTIONS",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "5879d439-fe23-453a-a239-78abbade4d00",
  "x-ms-ests-server": "2.1.14526.6 - EUS ProdSlices",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AvoxB5bwAwpCkFVFPB8bO00; expires=Thu, 09-Mar-2023 18:39:14 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:14 GMT",
  "content-length": "976"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 898584e8-b5c1-4770-b291-5a88c3dc72b0
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 warning: [Tue, 07 Feb 2023 18:39:15 GMT] : @azure/msal-node@1.14.6 : Warning - The developer's authority was not found within the CloudInstanceDiscoveryMetadata returned from the network request.
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 0985e1c6-66e7-4aff-99b0-63481de21622
azure:core-rest-pipeline:info Request: {
  "url": "https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72/v2.0/.well-known/openid-configuration",
  "headers": {
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "0985e1c6-66e7-4aff-99b0-63481de21622"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "0985e1c6-66e7-4aff-99b0-63481de21622",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "max-age=86400, private",
  "content-type": "application/json; charset=utf-8",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, OPTIONS",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "5db14661-4574-4838-ad74-95737b830000",
  "x-ms-ests-server": "2.1.14748.0 - CHY PPE",
  "x-ms-httpver": "1.1",
  "x-xss-protection": "0",
  "set-cookie": "fpc=ApQ0tNa-5OVLnDOjpG-8Lk4; expires=Thu, 09-Mar-2023 18:39:15 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:14 GMT",
  "content-length": "1737"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 0985e1c6-66e7-4aff-99b0-63481de21622
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => MSAL Node V2 info message: [Tue, 07 Feb 2023 18:39:15 GMT] : [b6b044e9-6de4-47b3-8800-bcc37923a8b0] : @azure/msal-common@9.1.1 : Info - in acquireToken call in username-password client
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request 5e75231b-a8fc-421e-a624-92cddba638fc
azure:core-rest-pipeline:info Request: {
  "url": "https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72/oauth2/v2.0/token",
  "headers": {
    "content-type": "application/x-www-form-urlencoded;charset=utf-8",
    "x-anchormailbox": "REDACTED",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/3.1.2 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "5e75231b-a8fc-421e-a624-92cddba638fc"
  },
  "method": "POST",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "5e75231b-a8fc-421e-a624-92cddba638fc",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-store, no-cache",
  "pragma": "no-cache",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "4bc75c54-4527-4bbf-86bb-e3bf1bba0000",
  "x-ms-ests-server": "2.1.14748.0 - CHY PPE",
  "x-ms-clitelem": "1,0,0,,",
  "x-ms-httpver": "1.1",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AvPPELC5lMFImdiNWwV6QeX29gDKAQAAANKRdNsOAAAA; expires=Thu, 09-Mar-2023 18:39:15 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Tue, 07 Feb 2023 18:39:15 GMT",
  "content-length": "4334"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request 5e75231b-a8fc-421e-a624-92cddba638fc
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info UsernamePasswordCredential => getToken() => SUCCESS. Scopes: https://api-dogfood.resources.windows-int.net/.default.
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request c2cebdd4-4d8e-433e-877a-4723491b5f01
azure:core-rest-pipeline:info Request: {
  "url": "https://api-dogfood.resources.windows-int.net/subscriptions/3172c3ba-8f32-43e1-bf66-c6231cbfb5ca/resourcegroups/resourceGroupName?api-version=2021-04-01",
  "headers": {
    "accept": "application/json",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-arm-resources/5.1.0 core-rest-pipeline/1.10.1 Node/v16.15.0 OS/(x64-Windows_NT-10.0.22621)",
    "x-ms-client-request-id": "c2cebdd4-4d8e-433e-877a-4723491b5f01",
    "authorization": "REDACTED"
  },
  "method": "GET",
  "timeout": 0,
  "disableKeepAlive": false,
  "streamResponseStatusCodes": {},
  "withCredentials": false,
  "requestId": "c2cebdd4-4d8e-433e-877a-4723491b5f01",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info Response status code: 401
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-cache",
  "pragma": "no-cache",
  "content-length": "381",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "www-authenticate": "Bearer authorization_uri=\"https://login.windows-ppe.net/cbc9f809-970a-4ee3-8442-10e853d5af72\", error=\"invalid_token\", error_description=\"The access token is from wrong audience or resource.\"",
  "x-ms-failure-cause": "gateway",
  "x-ms-request-id": "f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "x-ms-correlation-request-id": "f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "x-ms-routing-request-id": "CENTRALUS:20230207T183916Z:f1a7dc30-a565-469c-9c7b-df7875a07d41",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-cache": "CONFIG_NOCACHE",
  "x-msedge-ref": "Ref A: 88C0B388C5FB48E7A8FCD39D2DB5EF93 Ref B: WSTEDGE0505 Ref C: 2023-02-07T18:39:16Z",
  "date": "Tue, 07 Feb 2023 18:39:15 GMT"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request c2cebdd4-4d8e-433e-877a-4723491b5f01
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:core-rest-pipeline:info The WWW-Authenticate header was missing the necessary "claims" to perform the Continuous Access Evaluation authentication flow.

To Reproduce

Steps to reproduce the behavior:

Try to use:

    import { UsernamePasswordCredential } from '@azure/identity';
    import { ResourceManagementClient } from '@azure/arm-resources';

    ...

    let credential = new UsernamePasswordCredential(configuration.tenantId, CLIENT_ID, username, password, {
        authorityHost: 'https://login.windows-ppe.net'
    });
    return new ResourceManagementClient(credential, configuration.subscriptionId, {
        endpoint: 'https://api-dogfood.resources.windows-int.net'
    });

To connect and get resources.


qiaozha commented 1 year ago

Synced offline. For the dogfood environment, the credentialScope is not ${endpoint}/.default, which is our current logic for default credentialScopes when endpoint is set. You can try to set credentialScope as "https://management.azure.com/.default" when creating the client in the dogfood environment to make it work.

    const resourcesClient = new ResourceManagementClient(credential, subscriptionId, {
        endpoint: 'https://api-dogfood.resources.windows-int.net',
        credentialScopes: ["https://management.azure.com/.default"]
    });
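
The audience mismatch behind the 401 in this thread, as an added JavaScript sketch (not code from the issue or from the Azure SDK): it parses the allowed audiences out of the RestError text quoted above and checks the default `${endpoint}/.default` scope and the suggested `https://management.azure.com/.default` scope against them. The helper names and the unsigned sample token are constructed, and it assumes the token's `aud` is the scope with `/.default` removed, as the error text shows.

```javascript
// Added diagnostic sketch; helper names are hypothetical, not @azure/* APIs.
// RestError text as quoted in this issue.
const ERROR_MESSAGE =
  "The access token has been obtained for wrong audience or resource " +
  "'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of " +
  "the allowed audiences 'https://management.core.windows.net/'," +
  "'https://management.core.windows.net','https://management.azure.com/'," +
  "'https://management.azure.com'.";

// Default described in the thread: `${endpoint}/.default` when endpoint is set.
function defaultScopeFor(endpoint) {
  return `${endpoint}/.default`;
}

// Assumption: the audience requested by "<resource>/.default" is the resource part.
function audienceOfScope(scope) {
  return scope.replace(/\/\.default$/, "");
}

// Collect the quoted values that follow "allowed audiences" in the error text.
function parseAllowedAudiences(message) {
  const tail = message.split("allowed audiences")[1] || "";
  return [...tail.matchAll(/'([^']+)'/g)].map((m) => m[1]);
}

// Read the `aud` claim of a JWT for troubleshooting only (no signature check).
function audienceOfToken(jwt) {
  const payload = jwt.split(".")[1];
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8")).aud;
}

// Constructed unsigned token carrying only an `aud` claim (sample input).
function makeSampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc({ aud })}.`;
}

// The error says "exactly match", so compare strings without normalisation.
function isAccepted(audience, allowed) {
  return allowed.includes(audience);
}

const endpoint = "https://api-dogfood.resources.windows-int.net";
const allowed = parseAllowedAudiences(ERROR_MESSAGE);
for (const scope of [defaultScopeFor(endpoint), "https://management.azure.com/.default"]) {
  const aud = audienceOfToken(makeSampleToken(audienceOfScope(scope)));
  console.log(scope, "->", aud, isAccepted(aud, allowed) ? "accepted" : "rejected (401)");
}
```

When troubleshooting a real 401 of this kind, the same `audienceOfToken` check can be run on the token the credential returned, which shows the mismatch before any request reaches the resource endpoint.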

ghost commented 1 year ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

MaryGao commented 1 year ago

The error happened again with the latest identity. This is the log:

 RestError: The access token has been obtained for wrong audience or resource 'https://api-dogfood.resources.windows-int.net'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.
  at handleErrorResponse (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1305:19)
  at deserializeResponseBody (D:\development\AD-IAM-Services-ADIUX\src\ADRBACExtension\Extension.E2ETests\node_modules\@azure\core-client\dist\index.js:1240:45)
  at runMicrotasks (<anonymous>)
  at processTicksAndRejections (node:internal/process/task_queues:96:5)

Offline confirmed this was resolved by manually adding the credentialScopes as "https://management.azure.com/.default".

MaryGao commented 1 year ago

Closing as it is resolved.