This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
[BUG] BlobContainerClient under DataLakeFileSystemClient does not honor the audience set to DataLakeFileSystemClient #44717
When accessing a storage account with DataLakeFileSystemClient, we want to set a per-storage-account audience when using AAD auth, but we hit an error when accessing the storage.
An error is thrown when making requests to storage with an AAD token.
It seems to be an issue in DataLakeFileSystemClient. DataLakeFileSystemClient internally creates a BlobContainerClient. The audience is passed to DataLakeFileSystemClient, but DataLakeFileSystemClient does not pass it on to the BlobContainerClient, so the default audience (https://storage.azure.com/) is still used in the BlobContainerClient.
As the code snippet below from DataLakeFileSystemClient.cs shows, when creating the BlobClientOptions for the BlobContainerClient, it does not set the audience regardless of whether DataLakeClientOptions (clientConfiguration.ClientOptions in the function) sets the value.
Reproduction Steps
```csharp
using System;
using Azure.Identity;
using Azure.Storage.Files.DataLake;

var tokenCredential = new DefaultAzureCredential();
var uri = "https://test.dfs.core.windows.net/";

// Set the storage-account-level audience on the DataLake client options.
DataLakeClientOptions dataLakeClientOptions = new DataLakeClientOptions();
dataLakeClientOptions.Audience = new DataLakeAudience(uri);

// "trace" is the file system name; Exists() is served by the inner BlobContainerClient.
var dfsClient = new DataLakeFileSystemClient(new Uri($"{uri}trace"), tokenCredential, dataLakeClientOptions);
if (dfsClient.Exists())
{
    Console.WriteLine("succeeded");
}
```
The error is thrown at `dfsClient.Exists()`:
```
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:44ca2de9-901e-006f-6f2d-b659e6000000
Time:2024-06-04T03:13:41.0103153Z</Message><AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail></Error>

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 44ca2de9-901e-006f-6f2d-b659e6000000
x-ms-error-code: InvalidAuthenticationInfo
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id=https://storage.azure.com/
Date: Tue, 04 Jun 2024 03:13:40 GMT
Content-Length: 406
Content-Type: application/xml
,Source=Azure.Storage.Blobs,StackTrace=
   at Azure.Storage.Blobs.ContainerRestClient.GetProperties(Nullable`1 timeout, String leaseId, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions, Boolean async, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.ExistsInternal(Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.Exists(CancellationToken cancellationToken)
   at Azure.Storage.Files.DataLake.DataLakeFileSystemClient.Exists(CancellationToken cancellationToken)
   at
```
Library name and version
Azure.Storage.Files.DataLake 12.17.1
Expected behavior
DataLakeFileSystemClient accepts input storage account level audience
Environment
dotnet 8.0.300, Visual Studio Version 17.10.0
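A workaround for the behaviour the issue describes, added here as an example; it is not code from the issue reporter or from the Azure SDK. The idea: the inner BlobContainerClient asks the credential for a token scope derived from its own, default audience, so if the TokenCredential is wrapped in a decorator that rewrites every token request to the scope of the account-level audience, both the DataLake pipeline and the inner Blob pipeline receive a token with the audience the storage account expects. Assumptions made by this example: the class name FixedAudienceCredential is hypothetical; the account name `test` and file system `trace` are taken from the repro; the SDK maps an audience to the scope `{audience without trailing slash}/.default` (the default scope is `https://storage.azure.com/.default`); and the storage account accepts a token issued for the audience used in the repro (the dfs endpoint). Check the audience your account actually validates before relying on this.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Files.DataLake;

// Hypothetical workaround (added example, not part of the SDK or the issue).
// Azure SDK clients pass the scope they want in TokenRequestContext.Scopes.
// Because the inner BlobContainerClient is created with the default audience,
// its requests ask for "https://storage.azure.com/.default". This decorator
// replaces whatever scope the pipeline asks for with the scope for the
// account-level audience, so the token's audience matches the storage account.
public sealed class FixedAudienceCredential : TokenCredential
{
    private readonly TokenCredential _inner;
    private readonly string[] _scopes;

    public FixedAudienceCredential(TokenCredential inner, DataLakeAudience audience)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        // Assumed audience-to-scope mapping: trailing slash removed, then "/.default".
        _scopes = new[] { audience.ToString().TrimEnd('/') + "/.default" };
    }

    // Keep everything except the scopes (parent request id, claims challenge,
    // tenant hint) so claims challenges and multi-tenant requests still work.
    private TokenRequestContext Rewrite(TokenRequestContext ctx) =>
        new TokenRequestContext(_scopes, ctx.ParentRequestId, ctx.Claims, ctx.TenantId);

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        _inner.GetToken(Rewrite(requestContext), cancellationToken);

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        _inner.GetTokenAsync(Rewrite(requestContext), cancellationToken);
}

public static class Program
{
    public static void Main()
    {
        // Same values as the repro: account "test", file system "trace" (assumptions).
        var uri = "https://test.dfs.core.windows.net/";
        var audience = new DataLakeAudience(uri);

        var options = new DataLakeClientOptions { Audience = audience };

        // Wrap DefaultAzureCredential so the inner BlobContainerClient cannot
        // fall back to requesting the https://storage.azure.com/ scope.
        var credential = new FixedAudienceCredential(new DefaultAzureCredential(), audience);

        var dfsClient = new DataLakeFileSystemClient(new Uri($"{uri}trace"), credential, options);
        Console.WriteLine(dfsClient.Exists() ? "succeeded" : "file system not found");
    }
}
```

Use one wrapped credential instance per storage account: the decorator pins every token it hands out to that account's audience, which is the point of a per-account audience in the first place (a token for `https://storage.azure.com/` is accepted by any storage account, a per-account token only by that one). Passing the same wrapper to a client for a different account would fail with the same InvalidAuthenticationInfo error shown in the issue.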