microsoft / artifacts-credprovider

The Azure Artifacts Credential Provider enables dotnet, NuGet.exe, and MSBuild to interactively acquire credentials for Azure Artifacts feeds.
MIT License

Winrt exception was thrown during GetTokenSilently '(pii)'. #512

Closed KirillOsenkov closed 1 week ago

KirillOsenkov commented 1 week ago

We have a sporadic failure in Azure Pipelines CI:

##[error]C:\Program Files\dotnet\sdk\8.0.401\NuGet.targets(174,5): Error : The plugin credential provider could not acquire credentials. Authentication may require manual action. Consider re-running the command with --interactive for `dotnet`, /p:NuGetInteractive="true" for MSBuild or removing the -NonInteractive switch for `NuGet`
Unauthorized https://*.pkgs.visualstudio.com/_packaging/*/nuget/v3/flat2/unity/index.json 325ms
Retrying 'FindPackagesByIdAsync' for source 'https://*.pkgs.visualstudio.com/_packaging/*/nuget/v3/flat2/unity/index.json'.
Response status code does not indicate success: 401 (Unauthorized).

##[error]C:\Program Files\dotnet\sdk\8.0.401\NuGet.targets(174,5): Error :     [CredentialProvider]Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: Winrt exception was thrown during GetTokenSilently '(pii)'.
Tag: 0x2339e502 (error code -2147023584) (internal error code 590996738)

I've seen that error also in https://github.com/microsoft/artifacts-credprovider/issues/462, but not sure if that one is the same issue.

Is there a way to know what that Winrt exception is all about?

KirillOsenkov commented 1 week ago

@embetten have you seen this before?

KirillOsenkov commented 1 week ago

@rayluo any ideas?

KirillOsenkov commented 1 week ago

Similar issue at https://github.com/Azure/azure-cli/issues/25787, but not sure if it's the same.

embetten commented 1 week ago

I have not seen this before, but @KirillOsenkov, I would not expect this cred provider to even go down the silent/WAM broker MSAL token acquisition path in an ADO pipeline. We have checks to ensure it does not.

The ADO pipeline credential provider scenario should really just be handing back tokens set in environment variables. (We have env variables for the build session token and variables for external endpoints.)

Are these env variables set correctly, and can you provide further logs from dotnet (-v detailed) in order to understand why/how this error shows up?

embetten commented 1 week ago

But it does look like a known WAM broker limitation #3792

embetten commented 1 week ago

Closing. We were able to unblock by adding the NuGetAuthenticateV1 Task before any dotnet/NuGet operations in the ADO pipeline.

The underlying error message is a known WAM broker limitation and was only occurring because the cred provider was trying to silent auth in a build scenario due to a misconfiguration.
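A preflight check for the environment-variable path discussed in this thread, as an added example that is not code from the thread or from the credential provider. It reports whether a feed URL is covered by a build session token or an external endpoint entry, without ever printing a secret. The variable names are assumptions taken from the credential provider's README (they are not named in this thread), and the case-insensitive prefix matching is a simplification.

```python
import json

# Assumed variable names (from the credential provider's README, not this thread).
TOKEN_VAR = "VSS_NUGET_ACCESSTOKEN"
PREFIX_VAR = "VSS_NUGET_URI_PREFIXES"
ENDPOINTS_VAR = "VSS_NUGET_EXTERNAL_FEED_ENDPOINTS"


def credential_source(feed_url, env):
    """Return "build-token", "external-endpoint", or None for feed_url.

    None means no environment credential is configured for this URL.
    Token and password values are only tested for presence, never returned.
    """
    url = feed_url.lower()
    raw_prefixes = env.get(PREFIX_VAR, "").split(";")
    prefixes = [p.strip().lower() for p in raw_prefixes if p.strip()]
    if env.get(TOKEN_VAR) and any(url.startswith(p) for p in prefixes):
        return "build-token"

    raw = env.get(ENDPOINTS_VAR, "")
    if not raw:
        return None
    try:
        entries = json.loads(raw).get("endpointCredentials", [])
    except (ValueError, AttributeError):
        return None  # malformed JSON is treated as "not configured"
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        endpoint = str(entry.get("endpoint", "")).lower()
        if endpoint and entry.get("password") and url.startswith(endpoint):
            return "external-endpoint"
    return None


if __name__ == "__main__":
    import os
    import sys

    # Default URL is a constructed placeholder; pass the real feed as argv[1].
    default = "https://example.pkgs.visualstudio.com/_packaging/feed/nuget/v3/index.json"
    feed = sys.argv[1] if len(sys.argv) > 1 else default
    source = credential_source(feed, os.environ)
    print(f"{feed}: {source or 'not covered by environment credentials'}")
    sys.exit(0 if source else 1)
```

Run as a pipeline step before the first restore, a non-zero exit flags a feed with no environment credential configured before any dotnet/NuGet operation runs.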