search

microsoft / artifacts-credprovider

The Azure Artifacts Credential Provider enables dotnet, NuGet.exe, and MSBuild to interactively acquire credentials for Azure Artifacts feeds.
MIT License
747 stars 709 forks source link

NullReferenceException in v1.0.9 #455

Closed reillysiemens closed 5 months ago

reillysiemens commented 9 months ago

Recently we tried to upgrade our usage of the Artifacts Credprovider to v1.0.9, but had to roll it back to an earlier version because we repeatedly, but not always, ran up against stack traces similar to this one with a NullReferenceException. It appears as though it might be related to MSAL's requirement for parent window handles when using the broker.

It looks like this ought to be taken care of as of v1.0.9 or later, but still fails for reasons we don't understand.

https://github.com/microsoft/artifacts-credprovider/blob/dc5f4a2da94af69f444b5fd709e889dce23ac026/src/Authentication/AzureArtifacts.cs#L76C89-L107

If there's another explanation for the fatal error here we'd like to know. We're eager to update to the latest version of this tool.

Stack Trace

Note that even though the logs here show that the application falls back to device code this is still fatal because stdout is being captured by another process here and that isn't actually visible to the user as a result.

[Verbose] [CredentialProvider]Running in stand-alone mode
[Verbose] [CredentialProvider]Command-line v1.0.9+1c7de8e6b84724a3f145ae469036d5e57cbcbc61: "$PATH_TO_CREDPROVIDER\credentialprovider.microsoft.exe" -Uri $FEED_URI -Verbosity Verbose
[Verbose] [CredentialProvider]Handling auth request, Uri: $FEED_URI, IsRetry: False, IsNonInteractive: False, CanShowDialog: True
[Verbose] [CredentialProvider]URI: $FEED_URI
[Verbose] [CredentialProvider]VstsBuildTaskServiceEndpointCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet with external endpoint credentials. Appropriate environment variable needs to be set.
[Verbose] [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTaskServiceEndpoint.VstsBuildTaskServiceEndpointCredentialProvider, cannot provide credentials for $FEED_URI
[Verbose] [CredentialProvider]VstsBuildTaskCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet. Appropriate environment variables must be set.
[Verbose] [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTask.VstsBuildTaskCredentialProvider, cannot provide credentials for $FEED_URI
[Verbose] [CredentialProvider]VstsCredentialProvider - Matched well-known Azure DevOps Service hostname: $SERVICE_HOSTNAME
[Verbose] [CredentialProvider]Using NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider to try to get credentials for $FEED_URI
[Verbose] [CredentialProvider]IsRetry: False
[Verbose] [CredentialProvider]Could not find cached SessionToken for $FEED_URI
[Verbose] [CredentialProvider]GET $FEED_URI
[Verbose] [CredentialProvider]Found AAD Authority from 401 headers: https://login.windows.net/$TENANT
[Verbose] [CredentialProvider]VstsCredentialProvider - Using AAD authority: https://login.windows.net/$TENANT
[Verbose] [CredentialProvider]VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Silent'
[Verbose] [CredentialProvider]VstsCredentialProvider - Bearer token provider 'MSAL Silent' failed with exception:\nSystem.NullReferenceException: Object reference not set to an instance of an object.
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.<HandleRequestAsync>d__8.MoveNext() in D:\a\_work\1\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 138
[Verbose] [CredentialProvider]VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Windows Integrated Authentication'
[Verbose] [CredentialProvider]VstsCredentialProvider - Bearer token provider 'MSAL Windows Integrated Authentication' failed with exception:\nSystem.NullReferenceException: Object reference not set to an instance of an object.
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.<HandleRequestAsync>d__8.MoveNext() in D:\a\_work\1\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 138
[Verbose] [CredentialProvider]VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Interactive'
[Verbose] [CredentialProvider]VstsCredentialProvider - Bearer token provider 'MSAL Interactive' failed with exception:\nMSAL.Desktop.4.54.1.0.MsalClientException:
        ErrorCode: window_handle_required
Microsoft.Identity.Client.MsalClientException: A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles
   at Microsoft.Identity.Client.Platforms.Features.RuntimeBroker.RuntimeBroker.<AcquireTokenInteractiveAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Broker.BrokerInteractiveRequestComponent.<FetchTokensAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<FetchTokensFromBrokerAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<GetTokenResponseAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<ExecuteAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Artifacts.Authentication.MsalInteractiveTokenProvider.<GetTokenAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.<HandleRequestAsync>d__8.MoveNext() in D:\a\_work\1\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 138
[Verbose] [CredentialProvider]VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Device Code'
[Minimal] [CredentialProvider]DeviceFlow: $FEED_URI
[Minimal] [CredentialProvider]ATTENTION: User interaction required.

    **********************************************************************

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code $CODE to authenticate.

    **********************************************************************

[Warning] [CredentialProvider]A task was canceled.
[Verbose] [CredentialProvider]VstsCredentialProvider - Bearer token provider 'MSAL Device Code' failed with exception:\nSystem.NullReferenceException: Object reference not set to an instance of an object.
   at NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider.<HandleRequestAsync>d__8.MoveNext() in D:\a\_work\1\s\CredentialProvider.Microsoft\CredentialProviders\Vsts\VstsCredentialProvider.cs:line 138
[Verbose] [CredentialProvider]VstsCredentialProvider - Could not obtain credentials for $FEED_URI
[Verbose] [CredentialProvider]Unable to acquire credentials.]
phil-hodgson commented 9 months ago

Could you please provide some additional information about the context in which you're launching the credential provider? From the logs, it looks like it's being launched from a console/process that doesn't have a parent window. Is this consistent with your scenario?

github-actions[bot] commented 6 months ago

This issue has had no activity in 90 days. Please comment if it is not actually stale.

embetten commented 5 months ago

The null ref issue should be fixed with #468 and will be deployed with our next 1.1.0 release.

While this fixes the null reference exception, it will not fix the fall through to device code flow. To figure out why it falls to device code flow, we need more information about the environment or context this was run and verbose logging. The token providers only return null on a caught exceptions typically thrown by the MSAL client.

Since this issue was specifically calling out the null ref and is stale, I am going to close it. Please open a new one to address any remaining problems.