Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] v1.13 Fails to Validate ManagedIdentityResult #46714

Open marissa-df opened 2 days ago

marissa-df commented 2 days ago

Library name and version

Azure.Identity 1.13

Describe the bug

Trying to resolve a KeyVault reference on startup inside of a Linux-based Docker container fails with the following:

---> Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: ManagedIdentityCredential authentication failed: The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ErrorCode:'' ' Label:'Development' Etag:'KglaaAgZxV23Y-9AK8mdvqv1MDsaQ4pCjszEG83ZJjc' SecretIdentifier:'https://publicservicesdev.vault.azure.net/secrets/Audience'
 ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> System.FormatException: The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format.
   at System.Number.ThrowFormatException[TChar](ReadOnlySpan1 value)
   at System.Int64.Parse(String s, IFormatProvider provider)
   at Microsoft.Identity.Client.Utils.DateTimeHelpers.GetDurationFromNowInSeconds(String unixTimestampInFuture)
   at Microsoft.Identity.Client.OAuth2.MsalTokenResponse.ValidateManagedIdentityResult(ManagedIdentityResponse response)
   at Microsoft.Identity.Client.OAuth2.MsalTokenResponse.CreateFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContext context, TaskCompletionSource1 targetTcs, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Boolean async, Boolean checkForCompletion, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)
   at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func1 resultFactory, CancellationToken cancellationToken, String[] path)
   at Azure.Security.KeyVault.Secrets.SecretClient.GetSecretAsync(String name, String version, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultSecretProvider.GetSecretValue(KeyVaultSecretIdentifier secretIdentifier, String key, String label, Logger logger, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, Uri endpoint, Logger logger, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, Uri endpoint, Logger logger, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.ProcessAdapters(ConfigurationSetting setting, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.PrepareData(Dictionary2 data, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.InitializeAsync(IEnumerable1 clients, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.TryInitializeAsync(IEnumerable1 clients, List1 startupExceptions, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.LoadAsync(Boolean ignoreFailures, CancellationToken cancellationToken)
   at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.AzureAppConfigurationExtensions.AddAzureAppConfiguration(IConfigurationBuilder configurationBuilder, Action`1 action, Boolean optional)
   at Program.Main(String[] args) in C:\Git\DirecFunds.Web.Portal\src\DirecFunds.Web.Portal\Program.cs:line 65
--- End of inner exception stack trace ---

This works when run on a Windows-based image or locally on my development machine.

Expected behavior

The token should resolve without intervention. This is the behavior exhibited in 1.12.

Actual behavior

Get exceptional behavior when trying to resolve an access token.

Reproduction Steps

Update the NuGet package on a working solution running in a mcr.microsoft.com/dotnet/aspnet:8.0 based Docker container to v1.13.

Environment

Hosting: Docker based on image mcr.microsoft.com/dotnet/aspnet:8.0
IDE: Rider 2024.2.6 and VS 2022 Enterprise

github-actions[bot] commented 2 days ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

christothes commented 2 days ago

Hi @marissa-df - This error seems to be coming from our underlying dependency in Microsoft.Identity.Client (MSAL). As part of the 1.13.0 release we delegated our managed identity credential implementation to that library. Would you mind creating a copy of this issue over here for them to take a look?
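
The innermost frames of the trace in the report show `Int64.Parse` inside `GetDurationFromNowInSeconds(String unixTimestampInFuture)` rejecting a date-time string where a Unix timestamp was expected. The following C# is an added example, not code from MSAL, Azure.Identity or anyone in this thread: a hypothetical `TokenExpiry` helper that accepts either representation of a token expiry and rejects anything else instead of guessing. The class and method names and the epoch sample value are assumptions made for the illustration.

```csharp
using System;
using System.Globalization;

// Hypothetical helper for illustration; not part of MSAL or Azure.Identity.
static class TokenExpiry
{
    // Accepts Unix epoch seconds (digits only) or a round-trip ("o") date-time with offset.
    public static bool TryParse(string raw, out DateTimeOffset expiresOn)
    {
        expiresOn = default;
        if (string.IsNullOrWhiteSpace(raw)) return false;

        // NumberStyles.None: no sign, whitespace or separators, so "-1" or " 12" is rejected.
        if (long.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out long seconds))
        {
            try { expiresOn = DateTimeOffset.FromUnixTimeSeconds(seconds); return true; }
            catch (ArgumentOutOfRangeException) { return false; } // outside the supported date range
        }

        // Strict round-trip format, e.g. 2024-10-18T19:51:37.0000000+00:00; no culture-dependent guessing.
        return DateTimeOffset.TryParseExact(raw, "o", CultureInfo.InvariantCulture,
                                            DateTimeStyles.None, out expiresOn);
    }

    // Remaining lifetime in seconds; throws on unknown formats and on already-expired values.
    public static long SecondsFrom(DateTimeOffset now, string raw)
    {
        if (!TryParse(raw, out DateTimeOffset expiresOn))
            throw new FormatException("Unrecognised token expiry format.");
        long remaining = (long)(expiresOn - now).TotalSeconds;
        if (remaining <= 0)
            throw new InvalidOperationException("Token expiry is not in the future.");
        return remaining;
    }
}

static class Program
{
    static void Main()
    {
        // Fixed "now" (constructed) so the run is repeatable: one hour before the reported expiry.
        var now = new DateTimeOffset(2024, 10, 18, 18, 51, 37, TimeSpan.Zero);
        string fromReport = "2024-10-18T19:51:37.0000000+00:00"; // string quoted in the exception
        string asEpoch = "1729281097";                           // constructed: same instant in epoch seconds

        Console.WriteLine(TokenExpiry.SecondsFrom(now, fromReport));
        Console.WriteLine(TokenExpiry.SecondsFrom(now, asEpoch));
        Console.WriteLine(TokenExpiry.TryParse("tomorrow", out _)); // unknown format is rejected
    }
}
```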