
az login fails: ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e.... #20507

Closed
AnilPeriyedath opened this issue Nov 25, 2021 · 14 comments · Fixed by AzureAD/microsoft-authentication-library-for-python#443
Labels: Account (az login/account), closing soon, common issue, customer-reported

Comments

@AnilPeriyedath

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az login

Errors:

The command failed with an unexpected error. Here is the traceback:
Unable to get authority configuration for https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant_name
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 83, in __init__
    openid_config = tenant_discovery(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 151, in tenant_discovery
    raise ValueError("OIDC Discovery endpoint rejects our request")
ValueError: OIDC Discovery endpoint rejects our request

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 657, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 691, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/command_modules/profile/custom.py", line 145, in login
    subscriptions = profile.login(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 160, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/auth/identity.py", line 146, in login_with_service_principal
    cred = ServicePrincipalCredential(sp_auth, **self._msal_app_kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/auth/msal_authentication.py", line 120, in __init__
    super().__init__(service_principal_auth.client_id, client_credential=client_credential, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/application.py", line 381, in __init__
    self.authority = Authority(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 87, in __init__
    raise ValueError(
ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant_name

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az login --service-principal -u {} -p {} --tenant {}

Expected Behavior

Environment Summary

macOS-12.0.1-x86_64-i386-64bit, Darwin 21.1.0
Python 3.10.0
Installer: HOMEBREW

azure-cli 2.30.0

Additional Context

@ghost ghost added the needs-triage, question and customer-reported labels Nov 25, 2021
@yonzhan yonzhan added the Account az login/account label Nov 25, 2021
@ghost ghost removed the needs-triage label Nov 25, 2021
@yonzhan yonzhan removed the question label Nov 25, 2021
@yonzhan yonzhan added this to the Backlog milestone Nov 25, 2021
@yonzhan (Collaborator) commented Nov 25, 2021

@jiasli for awareness

@rayluo (Member) commented Nov 25, 2021

File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 151, in tenant_discovery
raise ValueError("OIDC Discovery endpoint rejects our request")
ValueError: OIDC Discovery endpoint rejects our request

This error is raised from here:

    if 400 <= resp.status_code < 500:
        # Nonexist tenant would hit this path
        # e.g. https://login.microsoftonline.com/nonexist_tenant/v2.0/.well-known/openid-configuration
        raise ValueError("OIDC Discovery endpoint rejects our request")

Indeed, the URL derived from the reporter's tenant GUID is https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3/v2.0/.well-known/openid-configuration; visiting it in a browser will give us an error.

Looks like @AnilPeriyedath pasted an incorrect GUID. Can you check that, Anil?

P.S.: MSAL Python ~~would need to~~ WILL improve the error message in this case, to help self-troubleshooting. :-/

@rayluo (Member) commented Dec 1, 2021

I have merged in the error message improvement in upstream. It will be shipped with next release of MSAL.

This issue here can be closed due to inactivity.

@jiasli jiasli changed the title Not able to login azure through cli Not able to login azure through cli: ValueError: Unable to get authority configuration for ... Dec 7, 2021
@jiasli jiasli changed the title Not able to login azure through cli: ValueError: Unable to get authority configuration for ... Not able to login azure through cli: ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e.... Dec 16, 2021
@simondevries

I ran into this issue recently. It turns out I had Fiddler open, which was messing with the network request. Closing Fiddler fixed the issue.

@jiasli jiasli changed the title Not able to login azure through cli: ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e.... az login fails: ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e.... Apr 18, 2022
@rjsalicco

If there is nothing in ~/.azure and you use the interactive login which is directed to the MS Azure login screen, how is this a user error when the wrong tenant id is being configured? Just for clarity.

@jiasli (Member) commented Jul 25, 2022

@rjsalicco,

how is this a user error when the wrong tenant id is being configured?

Tenant ID is specified by the user via the --tenant argument in az login, such as:

> az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e0000
Unable to get authority configuration for https://login.microsoftonline.com/54826b22-38d6-4fb2-bad9-b7b93a3e0000. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.

That's why it is a user error.

If you don't specify --tenant, az login will use a special tenant called organizations:

authority_url = '{}/{}'.format(authority_endpoint, tenant or "organizations")

It will never raise this error.

@rjsalicco

@jiasli, as you note:

If you don't specify --tenant, az login will use a special tenant called organizations:

and that behavior, as expected above, was failing

No worries, thank you.

@jiasli (Member) commented Jul 26, 2022

that behavior, as expected above, was failing

Could you share the full error message you see for us to investigate?

@angustatchell

@jiasli to confirm, this isn't a user error as mentioned by @rjsalicco, is it?

The CLI docs list az login without --tenant flag as valid authentication flow for signing in interactively. This works for me in other Azure accounts, but I am having the problem described above in an account where a tenant seems to have been deleted. The AZ CLI seems to be getting passed the deleted tenant's ID by https://login.microsoftonline.com/organizations.

Is this coming from MSAL? Do you know where I can find further information on the source of this issue?

@rayluo (Member) commented Apr 11, 2023

Jiasli already described it here.

an account where a tenant seems to have been deleted

We might not have tested this corner case. Do you have log to share, @angustatchell ?

@angustatchell commented Apr 11, 2023

@rayluo thanks for getting back. I have opened a ticket with Azure support too because I can still see this deleted tenant ID showing up as a linked AD directory in my AZ Portal. (I don't know if this might indicate the problem is upstream of the AZ CLI / MSAL).

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az login

Errors:

➜  ~ az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
The command failed with an unexpected error. Here is the traceback:
Unable to get authority configuration for https://login.microsoftonline.com/ffa662cd-0f09-4d3c-918a-563d7aca814a. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/msal/authority.py", line 120, in __init__
    openid_config = tenant_discovery(
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/msal/authority.py", line 184, in tenant_discovery
    raise ValueError(
ValueError: OIDC Discovery endpoint rejects our request. Error: {"error":"invalid_tenant","error_description":"AADSTS90002: Tenant 'ffa662cd-0f09-4d3c-918a-563d7aca814a' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.\r\nTrace ID: f162d119-8d23-4e86-839b-861121f5e000\r\nCorrelation ID: 63573c98-131b-4394-8174-b3afa648176d\r\nTimestamp: 2023-04-11 18:02:37Z","error_codes":[90002],"timestamp":"2023-04-11 18:02:37Z","trace_id":"f162d119-8d23-4e86-839b-861121f5e000","correlation_id":"63573c98-131b-4394-8174-b3afa648176d","error_uri":"https://login.microsoftonline.com/error?code=90002"}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/profile/custom.py", line 139, in login
    subscriptions = profile.login(
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 176, in login
    subscriptions = subscription_finder.find_using_common_tenant(username, credential)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 756, in find_using_common_tenant
    specific_tenant_credential = identity.get_user_credential(username)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/auth/identity.py", line 225, in get_user_credential
    return UserCredential(self.client_id, username, **self._msal_app_kwargs)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/azure/cli/core/auth/msal_authentication.py", line 45, in __init__
    super().__init__(client_id, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/msal/application.py", line 1685, in __init__
    super(PublicClientApplication, self).__init__(
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/msal/application.py", line 533, in __init__
    self.authority = Authority(
  File "/usr/local/Cellar/azure-cli/2.47.0/libexec/lib/python3.10/site-packages/msal/authority.py", line 124, in __init__
    raise ValueError(
ValueError: Unable to get authority configuration for https://login.microsoftonline.com/ffa662cd-0f09-4d3c-918a-563d7aca814a. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant Also please double check your tenant name or GUID is correct.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az login

Expected Behavior

Environment Summary

macOS-10.15.7-x86_64-i386-64bit, Darwin 19.6.0
Python 3.10.11
Installer: HOMEBREW

azure-cli 2.47.0

Extensions:
account 0.2.5

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Additional Context

@jiasli (Member) commented Apr 12, 2023

@angustatchell, could you run az login --debug and check if the deleted tenant is returned by the Tenants - List API?

GET https://management.azure.com/tenants?api-version=2020-01-01

If it returns a deleted tenant, this should be checked by the ARM service (Azure support), since this looks like a caching issue.

@angustatchell commented Apr 12, 2023

Hi @jiasli I see in debug output that the call to the Tenants List API returns a list of objects for my current tenants AND the deleted tenant as well. The request url from my CLI is: 'https://management.azure.com/tenants?api-version=2019-11-01'

The existing tenant objects have keys for:
"id", "tenantId", "countryCode", "displayName", "domains", and "tenantCategory".

However, the deleted tenant returned only has keys for:
"id", "tenantId", and "tenantCategory".

All the tenants have their "tenantCategory" set to "Home".

Would that indicate the problem is indeed from the ARM service?
Also, is there anything else from the debug output worth sharing?
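As an added example (not azure-cli or MSAL code), the following reproduces offline the path rayluo and jiasli describe: the authority URL built from --tenant or the "organizations" default, the OIDC discovery URL derived from it, and MSAL's rule that any 4xx from discovery means the tenant was rejected (with the AADSTS error body surfaced rather than swallowed), plus a pre-check over a Tenants-List style payload so a stale tenant entry like the deleted one reported above is flagged instead of aborting login. The tenant GUIDs, HTTP responses and tenant list are constructed; HTTP is replaced by an injected fetcher.

```python
"""Added example (not azure-cli/MSAL code): rebuild the authority URL as azure-cli
does, derive the OIDC discovery URL MSAL fetches, and classify the response as
msal/authority.py does (any 4xx = tenant rejected, error body surfaced).
HTTP is an injected fetcher over constructed responses; tenant GUIDs are made up."""
import json
from typing import Callable, Dict, List, Optional, Tuple

AUTHORITY_ENDPOINT = "https://login.microsoftonline.com"
LIVE, DELETED = "11111111-1111-1111-1111-111111111111", "00000000-0000-0000-0000-00000000dead"

def authority_url(tenant: Optional[str], endpoint: str = AUTHORITY_ENDPOINT) -> str:
    return "{}/{}".format(endpoint, tenant or "organizations")  # azure-cli default

def discovery_url(authority: str) -> str:
    return authority + "/v2.0/.well-known/openid-configuration"

def classify_discovery(status: int, body: str) -> Tuple[str, str]:
    """(verdict, detail): 2xx usable; 4xx rejected by the authority, e.g. a
    nonexistent or deleted tenant; anything else treated as transient."""
    if 200 <= status < 300:
        return "ok", json.loads(body).get("issuer", "")
    if 400 <= status < 500:
        try:  # AAD error JSON: keep the AADSTS line, drop trace/correlation ids
            err = json.loads(body)
            return "rejected", "{}: {}".format(err["error"], err["error_description"].split("\r\n")[0])
        except (ValueError, KeyError):
            return "rejected", body[:200]
    return "unavailable", "HTTP {}".format(status)

# Constructed responses keyed by discovery URL, modelled on the AADSTS90002 body in this thread.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    discovery_url(authority_url(LIVE)): (200, json.dumps(
        {"issuer": "https://login.microsoftonline.com/{}/v2.0".format(LIVE)})),
    discovery_url(authority_url(DELETED)): (400, json.dumps({
        "error": "invalid_tenant", "error_codes": [90002],
        "error_description": "AADSTS90002: Tenant '{}' not found.\r\nTrace ID: 0000".format(DELETED)})),
}

def fake_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (503, ""))  # unknown URL behaves like an outage

def check_tenants(tenants: List[dict], fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, Tuple[str, str]]:
    """Probe each tenant from a Tenants-List style payload before using it, so a
    stale entry (like the deleted tenant reported above) is flagged, not fatal."""
    return {t["tenantId"]: classify_discovery(*fetch(discovery_url(authority_url(t["tenantId"]))))
            for t in tenants}

# Constructed Tenants-List payload: the deleted entry lacks displayName/domains, as observed above.
SAMPLE_TENANTS = [{"tenantId": LIVE, "displayName": "Contoso", "domains": ["contoso.example"], "tenantCategory": "Home"},
                  {"tenantId": DELETED, "tenantCategory": "Home"}]
```

Running `check_tenants(SAMPLE_TENANTS, fake_fetch)` yields "ok" for the live tenant and "rejected" with the AADSTS90002 line for the deleted one, which is the signal a login flow can act on before constructing an MSAL application for that tenant.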

@jiasli (Member) commented Apr 13, 2023

Would that indicate the problem is indeed from the ARM service?

Yes. You may share the HTTP trace with Azure support to help them check why the deleted tenant is still returned.
