Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

Regarding misleading AuthenticationFailedException - The current credential is not configured to acquire tokens for tenant.... #44814

Closed sachinjagdale closed 2 months ago

sachinjagdale commented 3 months ago

Library name and version

Azure.Identity 1.7.+

Describe the bug

Scenario: App => Storage Account/Blob service using Azure.Identity/ClientSecretCredential flow. Our app is registered in Azure AD as single-tenant only.

Details: We are using this library (ClientSecretCredential) to set up token credentials for calling the blob service. Below is the configuration.

Library

Azure.Identity 1.7.0

Language/Framework - .NET 8, C#

Configuration appsettings.json

"AzureAd": {
  "Tenant": "<Tenant_Domain>",
  "TenantId": "<Tenant_Guid>",
  ...
}

We use the code below to set up the blob service client.

Code snippet

// config.Tenant holds the "Tenant" (domain name) value from appsettings.json
var credential = new ClientSecretCredential(config.Tenant, config.ClientId, config.ClientSecret, tokenCredentialOptions);
BlobServiceClient mainClient = new BlobServiceClient(storageUri, credential);

This sets up the credentials used to call the storage service from our app service.

This is the setup. We are using a valid tenant while initializing the credentials, and our app is not multitenant and does not require any other tenant.

Expected behavior

AcquireToken calls to the storage service should be successful.

Calls worked fine for versions before 1.7.0.

Started giving intermittent failures with 1.7+.

Actual behavior

Now we are getting an authentication exception while acquiring tokens; it is intermittent:

The current credential is not configured to acquire tokens for tenant "".

I understand a check was added in Azure.Identity (1.7+) for multitenant apps, but because of this our existing app flows started breaking, and we need major code changes to fix this.

  1. The library should treat both the tenant domain and the TenantId as valid when acquiring tokens, because both are valid identifiers for acquiring a token.
  2. The exception is misleading as well, because the tenant was supplied by the caller itself when setting up the credentials. The app is not multitenant either.

Reproduction Steps

Provided as above

Environment

.NET 8 Azure Function App (Isolated)

jsquire commented 3 months ago

Hi @sachinjagdale. Thanks for reaching out and we regret that you're experiencing difficulties. Please provide the full error message and stack trace of the exception that you're seeing. Please also collect SDK logs for analysis.

github-actions[bot] commented 3 months ago

Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

sachinjagdale commented 3 months ago

@jsquire

As requested

Exception message

Error: The current credential is not configured to acquire tokens for tenant . To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot (GeneralError). For troubleshooting information, see https://aka.ms/azsdk/net/servicebus/exceptions/troubleshoot.

Stack Trace (SDK)

Azure.Identity.AuthenticationFailedException:
   at Azure.Identity.TenantIdResolver.Resolve (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at Azure.Identity.ClientSecretCredential+d19.MoveNext (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at Azure.Identity.ClientSecretCredential+d19.MoveNext (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+d9.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+d6.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+d6.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+d12.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.StorageBearerTokenChallengeAuthorizationPolicy+d7.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+d11.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy+d5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RedirectPolicy+d7.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RetryPolicy+d5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RetryPolicy+d5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.ContainerRestClient+d11.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+d64.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+d61.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+d60.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at GetBlockBlobReferenceAsync>d__29.MoveNext

christothes commented 3 months ago

hi @sachinjagdale from your code snippet above:

var credential = new ClientSecretCredential(**config.Tenant**, config.ClientId, config.ClientSecret, tokenCredentialOptions);

It looks like you should be using config.TenantId

Can you try this and see if the problem continues?

github-actions[bot] commented 3 months ago

Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

sachinjagdale commented 2 months ago

> hi @sachinjagdale from your code snippet above:
>
> var credential = new ClientSecretCredential(**config.Tenant**, config.ClientId, config.ClientSecret, tokenCredentialOptions);
>
> It looks like you should be using config.TenantId
>
> Can you try this and see if the problem continues?

TenantId can resolve this, but we need to change this in multiple applications. Tenant and TenantId belong to the same AAD, so both should work, and even the /token APIs accept both as valid identifiers for a tenant.

christothes commented 2 months ago

Our API requires the TenantId to match the one related to the resource. I believe this worked prior to version 1.7 because we did not validate that the tenantId matched. This is described in the changelog here.
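The fix the maintainers point to, worked through as an added example in C# that is not code from the issue or from the Azure SDK. The AzureAdConfig shape, its field names (Tenant, TenantId, ClientId, ClientSecret) and the CredentialFactory helper are assumptions chosen to match the reporter's snippet; Azure.Identity 1.7+ and Azure.Storage.Blobs are assumed to be referenced. It refuses to build the credential from the domain name where the SDK now expects the tenant GUID, keeps AdditionallyAllowedTenants empty for a single-tenant app instead of opening it with "*", and carries a one-off migration helper that turns a tenant domain name into its GUID through the tenant's OpenID Connect discovery document (a network call, so it is meant for a migration step, not for every start-up).

```csharp
// Added example, not from the issue or the Azure SDK. Assumes Azure.Identity 1.7+ and
// Azure.Storage.Blobs; the AzureAdConfig shape and CredentialFactory name are assumptions.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;

public sealed class AzureAdConfig
{
    public string Tenant { get; set; } = "";       // domain name, e.g. contoso.onmicrosoft.com
    public string TenantId { get; set; } = "";     // directory (tenant) GUID
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
}

public static class CredentialFactory
{
    // Azure.Identity 1.7+ compares the tenant the credential was built with against the
    // tenant named in the resource's bearer challenge, so the constructor must get the
    // tenant GUID. The domain name fails that comparison and surfaces as the
    // "not configured to acquire tokens for tenant" AuthenticationFailedException.
    public static ClientSecretCredential Create(AzureAdConfig config,
                                                IEnumerable<string>? additionallyAllowedTenants = null)
    {
        if (!Guid.TryParse(config.TenantId, out var tenantGuid))
        {
            throw new InvalidOperationException(
                "AzureAd:TenantId must be the directory (tenant) GUID; " +
                $"got '{config.TenantId}'. Do not pass the domain name ('{config.Tenant}') here.");
        }

        var options = new ClientSecretCredentialOptions();
        // Single-tenant app: leave this list empty. Adding "*" would let the credential obtain
        // tokens for any tenant a resource challenges for; list tenants explicitly, by GUID,
        // only if the app genuinely has to serve them.
        foreach (var tenant in additionallyAllowedTenants ?? Array.Empty<string>())
        {
            if (tenant == "*" || !Guid.TryParse(tenant, out _))
                throw new InvalidOperationException($"Refusing wildcard or non-GUID tenant entry '{tenant}'.");
            options.AdditionallyAllowedTenants.Add(tenant);
        }

        return new ClientSecretCredential(tenantGuid.ToString(), config.ClientId, config.ClientSecret, options);
    }

    // One-off migration helper: resolve the domain name that older configs carry to the
    // tenant GUID by reading the tenant's OpenID Connect discovery document, whose
    // "issuer" is https://login.microsoftonline.com/<tenant-guid>/v2.0.
    public static async Task<string> ResolveTenantIdAsync(string tenantDomain, HttpClient http)
    {
        var url = $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenantDomain)}/v2.0/.well-known/openid-configuration";
        using var doc = JsonDocument.Parse(await http.GetStringAsync(url));
        var issuer = new Uri(doc.RootElement.GetProperty("issuer").GetString()!);
        var firstSegment = issuer.AbsolutePath.Trim('/').Split('/')[0];
        return Guid.Parse(firstSegment).ToString();   // throws if the document is not the expected shape
    }
}

public static class Program
{
    public static async Task Main()
    {
        var config = new AzureAdConfig
        {
            Tenant = "contoso.onmicrosoft.com",                   // placeholder values
            TenantId = "",                                        // empty in an un-migrated config
            ClientId = "<client-id>",
            ClientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET") ?? ""
        };

        // Resolve once and persist the GUID in appsettings.json; do not resolve on every start.
        if (string.IsNullOrEmpty(config.TenantId))
            config.TenantId = await CredentialFactory.ResolveTenantIdAsync(config.Tenant, new HttpClient());

        var credential = CredentialFactory.Create(config);
        var client = new BlobServiceClient(new Uri("https://<account>.blob.core.windows.net"), credential);
        await foreach (var container in client.GetBlobContainersAsync())
            Console.WriteLine(container.Name);
    }
}
```

The Guid check turns the "intermittent" runtime AuthenticationFailedException into a deterministic start-up failure with a message that names the misconfigured setting, which is what the reporter found missing; the refusal of "*" keeps the single-tenant app from being quietly widened to every tenant as the quick way to silence the error.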

github-actions[bot] commented 2 months ago

Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

sachinjagdale commented 2 months ago

Thank you.

If only the TenantId is valid and not the domain, then this should be properly documented; it did not look like a minor release change to me either, because it leads to misleading exceptions about additional tenants.

christothes commented 2 months ago

Hi @sachinjagdale - This is documented in the API documentation.

I'll go ahead and close this issue out.