Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] BlobContainerClient under DataLakeFileSystemClient does not honor the audience set to DataLakeFileSystemClient #44717

Open Zoe-ms opened 3 months ago

Zoe-ms commented 3 months ago

Library name and version

Azure.Storage.Files.DataLake 12.17.1

Describe the bug

When accessing a storage account with DataLakeFileSystemClient, we want to set a per-storage-account audience when using AAD auth, but we hit an error when accessing the storage.

Expected behavior

DataLakeFileSystemClient accepts a storage-account-level audience as input.

Actual behavior

Error thrown when making requests to storage with AAD token.

It seems to be an issue in DataLakeFileSystemClient. DataLakeFileSystemClient internally creates a BlobContainerClient. The audience is passed to DataLakeFileSystemClient, but DataLakeFileSystemClient does not pass it to BlobContainerClient, so default audience (https://storage.azure.com/) is still used in BlobContainerClient.

As the code snippet below from DataLakeFileSystemClient.cs shows, when creating BlobClientOptions for BlobContainerClient, it does not set the audience, regardless of whether DataLakeClientOptions (clientConfiguration.ClientOptions in the function) sets the value.

[image: screenshot of the BlobClientOptions construction in DataLakeFileSystemClient.cs]

Reproduction Steps

using System;
using Azure.Identity;
using Azure.Storage.Files.DataLake;

var tokenCredential = new DefaultAzureCredential();

var uri = "https://test.dfs.core.windows.net/";

// Set a per-storage-account audience instead of the default https://storage.azure.com/
DataLakeClientOptions dataLakeClientOptions = new DataLakeClientOptions();
dataLakeClientOptions.Audience = new DataLakeAudience(uri);

var dfsClient = new DataLakeFileSystemClient(new Uri($"{uri}trace"), tokenCredential, dataLakeClientOptions);
// Exists() is served by the inner BlobContainerClient, which still uses the default audience
if (dfsClient.Exists())
{
    Console.WriteLine("succeeded");
}

An error is thrown at dfsClient.Exists():

Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:44ca2de9-901e-006f-6f2d-b659e6000000
Time:2024-06-04T03:13:41.0103153Z</Message><AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail></Error>

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 44ca2de9-901e-006f-6f2d-b659e6000000
x-ms-error-code: InvalidAuthenticationInfo
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id=https://storage.azure.com/
Date: Tue, 04 Jun 2024 03:13:40 GMT
Content-Length: 406
Content-Type: application/xml
,Source=Azure.Storage.Blobs,StackTrace=
   at Azure.Storage.Blobs.ContainerRestClient.GetProperties(Nullable`1 timeout, String leaseId, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions, Boolean async, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.ExistsInternal(Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.Exists(CancellationToken cancellationToken)
   at Azure.Storage.Files.DataLake.DataLakeFileSystemClient.Exists(CancellationToken cancellationToken)
   at

Environment

dotnet 8.0.300, Visual Studio Version 17.10.0
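The following is an added example from the editor, not code from the azure-sdk-for-net repository or from the issue author. It shows the two things the report above implies a practitioner would want: (1) how the per-account audience from `DataLakeClientOptions` would be carried over onto the `BlobClientOptions` that back the inner `BlobContainerClient`, which is the step the issue says the SDK skips, and (2) a small diagnostic that reads the `resource_id` out of the `WWW-Authenticate` header in the error above and compares it with the audience the client was configured with, so an "Audience validation failed" error can be attributed to a propagation problem rather than a bad token. It assumes the `DataLakeAudience` and `BlobAudience` structs used by these packages expose the audience URI through `ToString()`; the header string and tenant placeholder are constructed for the example.

```csharp
using System;
using System.Text.RegularExpressions;
using Azure.Storage.Blobs;
using Azure.Storage.Files.DataLake;

// Editor-added example; not part of the azure-sdk-for-net code base.
// Assumes the Azure.Storage.Blobs and Azure.Storage.Files.DataLake packages
// that ship the BlobAudience / DataLakeAudience types used on this page.
public static class AudiencePropagation
{
    // Mirror the per-account audience from the DataLake options onto the
    // BlobClientOptions for the inner BlobContainerClient. The issue reports
    // that the SDK does not do this, so the inner client falls back to the
    // default audience (https://storage.azure.com/).
    public static BlobClientOptions ToBlobClientOptions(DataLakeClientOptions dataLakeOptions)
    {
        var blobOptions = new BlobClientOptions();
        if (dataLakeOptions.Audience.HasValue)
        {
            // Assumption: both audience structs wrap the audience URI string,
            // so the DataLake value can be re-wrapped as a BlobAudience.
            blobOptions.Audience = new BlobAudience(dataLakeOptions.Audience.Value.ToString());
        }
        return blobOptions;
    }

    // Read the resource_id the service expected out of the WWW-Authenticate
    // header and compare it with the audience the client was configured with.
    // A mismatch means the token was minted for a different audience than the
    // one the service validates against.
    public static string DiagnoseAudienceMismatch(string wwwAuthenticate, string configuredAudience)
    {
        var match = Regex.Match(wwwAuthenticate, @"resource_id=\s*(\S+)");
        if (!match.Success)
        {
            return "no resource_id in WWW-Authenticate header";
        }
        string expected = match.Groups[1].Value.TrimEnd('/');
        string actual = configuredAudience.TrimEnd('/');
        return string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase)
            ? "audience matches"
            : $"audience mismatch: service expected '{expected}', client configured '{actual}'";
    }

    public static void Main()
    {
        const string accountAudience = "https://test.dfs.core.windows.net/";

        var dataLakeOptions = new DataLakeClientOptions
        {
            Audience = new DataLakeAudience(accountAudience)
        };

        // With the audience carried over, the inner options no longer default.
        BlobClientOptions blobOptions = ToBlobClientOptions(dataLakeOptions);
        Console.WriteLine($"inner BlobClientOptions.Audience = {blobOptions.Audience}");

        // Constructed header mirroring the one in the error output above;
        // <tenant-id> is a placeholder, not a real tenant.
        const string header =
            "Bearer authorization_uri=https://login.microsoftonline.com/<tenant-id>/oauth2/authorize " +
            "resource_id=https://storage.azure.com/";
        Console.WriteLine(DiagnoseAudienceMismatch(header, accountAudience));
    }
}
```

Run against the header from the issue, the diagnostic reports that the service expected `https://storage.azure.com` while the client was configured for `https://test.dfs.core.windows.net`, which is exactly the symptom of the audience not reaching the inner `BlobContainerClient`. The `ToBlobClientOptions` helper is the shape of the missing propagation step, not a drop-in workaround: the inner client is created inside `DataLakeFileSystemClient`, so the fix belongs in the SDK.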

github-actions[bot] commented 3 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @sumantmehtams.