
az ad app credential reset fails when provided a description for the credential: When present, application key identifier cannot be empty and can be at most 32 bytes. #20561

Closed
roy-work opened this issue Nov 30, 2021 · 4 comments
Assignees
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request Graph az ad Microsoft Graph
Milestone

Comments

@roy-work

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
The following command fails, and should succeed:

» az ad app credential reset --id "$APP_ID" --append --credential-description 'a description here' --end-date '2299-12-31'
When present, application key identifier cannot be empty and can be at most 32 bytes.
Parameter name: applicationKeyIdentifierValue

To Reproduce
Run the above command against an application registration.

Expected behavior
It succeeds, creating a new credential.

Environment summary
brew

Additional context

It seems like this is also https://github.com/Azure/azure-docs-powershell-azuread/issues/296 ; that bug was closed without any meaningful resolution. It seems like az is mixing up the description with something else. The error emitted here is grade A bonkers: "can be at most 32 bytes" when the input text is less than 32 bytes? It seems like it is getting mixed up with an encryption key, or something, and isn't actually transmitting the provided value as a description.

The value itself is also fine: it is possible to go to the Portal & create a new credential with the description a description here without problems. Hence, this seems to be an azure-cli problem.

@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Nov 30, 2021
@yonzhan yonzhan added the Graph az ad label Nov 30, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Nov 30, 2021
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Nov 30, 2021
@yonzhan yonzhan added this to the Backlog milestone Nov 30, 2021
@yonzhan
Collaborator

yonzhan commented Nov 30, 2021

@jiasli for awareness

@jiasli
Member

jiasli commented Dec 2, 2021

I can reproduce. Here is the --debug output:

> az ad app credential reset --id 3524c502-0c73-45be-be20-eb8aec4e11bf --credential-description 'a description here' --debug

msrest.http_logger: Request URL: 'https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/applications/63946374-6c70-4383-82f1-e30bafcb0dae?api-version=1.6'
msrest.http_logger: Request method: 'PATCH'
...
msrest.http_logger: Request body:
msrest.http_logger: {"passwordCredentials": [{"startDate": "2021-12-02T02:49:08.214061Z", "endDate": "2022-12-02T02:49:08.214061Z", "keyId": "60c8401c-d45c-4d8f-96fa-e925023fdafb", "value": "V0-GAQ6abG~DtAEu.B-D4Qp4JKN7noOFzj", "customKeyIdentifier": "//5hACAAZABlAHMAYwByAGkAcAB0AGkAbwBuACAAaABlAHIAZQA="}]}
...
msrest.http_logger: Response status: 400
...
msrest.http_logger: Response content:
msrest.http_logger: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"When present, application key identifier cannot be empty and can be at most 32 bytes.\r\nParameter name: applicationKeyIdentifierValue"},"requestId":"d11e09ac-042c-4a23-a36c-4b18f027671a","date":"2021-12-02T02:49:11"}}

--credential-description is UTF-16 encoded sent to AD Graph as customKeyIdentifier:

```python
def _encode_custom_key_description(key_description):
    # utf16 is used by AAD portal. Do not change it to other random encoding
    # unless you know what you are doing.
    return key_description.encode('utf-16')
```

However, if we make a description here shorter, like key1, it will work:

> az ad app credential reset --id 3524c502-0c73-45be-be20-eb8aec4e11bf --credential-description 'key1' --debug

msrest.http_logger: Request URL: 'https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/applications/63946374-6c70-4383-82f1-e30bafcb0dae?api-version=1.6'
msrest.http_logger: Request method: 'PATCH'
...
msrest.http_logger: Request body:
msrest.http_logger: {"passwordCredentials": [{"startDate": "2021-12-02T02:50:40.754299Z", "endDate": "2022-12-02T02:50:40.754299Z", "keyId": "f2a90fea-cf5b-46d7-9ec4-a0c50b4d26fc", "value": "JsE8F3f2HTwAaj6U.yDSo-.CJFkaFb.Yiv", "customKeyIdentifier": "//5rAGUAeQAxAA=="}]}
...
msrest.http_logger: Response status: 204

During Microsoft Graph migration (#12946), as discussed with AAD team, we are considering deprecating --credential-description. customKeyIdentifier will

Instead, custom description string will be set as --display-name (displayName on the wire).
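As an added illustration (not code from the azure-cli project), the following reproduces the encoding shown in the debug output above and checks the resulting length against the 32-byte limit quoted in the error. It assumes the limit applies to the decoded customKeyIdentifier bytes, BOM included, which is consistent with both captured requests (10 bytes accepted, 38 bytes rejected).

```python
import base64

# Limit quoted by AD Graph in the error message. Assumed (consistent with the
# two captured requests) to apply to the decoded customKeyIdentifier bytes,
# including the two-byte byte-order mark.
MAX_CUSTOM_KEY_IDENTIFIER_BYTES = 32


def encode_custom_key_description(key_description: str) -> bytes:
    """Mirror the CLI helper quoted in the thread: UTF-16 with a BOM.

    Python's 'utf-16' codec emits a BOM in the platform's native byte order;
    the captured payloads start with FF FE, i.e. little-endian.
    """
    return key_description.encode('utf-16')


def to_wire_value(key_description: str) -> str:
    """Base64 form of customKeyIdentifier as it appears in the JSON body."""
    raw = encode_custom_key_description(key_description)
    return base64.b64encode(raw).decode('ascii')


def check_description(key_description: str) -> dict:
    """Preflight a description the way the service validates it.

    Returns the encoded length, the wire value and whether AD Graph would
    accept it; the two sample descriptions reproduce the --debug captures.
    """
    raw = encode_custom_key_description(key_description)
    accepted = (len(key_description) > 0
                and len(raw) <= MAX_CUSTOM_KEY_IDENTIFIER_BYTES)
    return {
        'description': key_description,
        'chars': len(key_description),
        'utf16_bytes': len(raw),
        'wire_value': to_wire_value(key_description),
        'accepted': accepted,
    }


def max_description_chars() -> int:
    """Longest description of BMP characters that fits: (32 - 2 BOM) / 2."""
    return (MAX_CUSTOM_KEY_IDENTIFIER_BYTES - 2) // 2


if __name__ == '__main__':
    for desc in ('key1', 'a description here'):
        print(check_description(desc))
```

Characters outside the Basic Multilingual Plane take four bytes in UTF-16, so a description containing them hits the limit sooner than max_description_chars suggests.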

@jiasli
Member

jiasli commented Dec 2, 2021

A more detailed comparison:

AD Graph

|                    | customKeyIdentifier | displayName |
|--------------------|---------------------|-------------|
| passwordCredential | user-defined        | N/A         |
| keyCredential      | thumbprint          | N/A         |

MS Graph

|                    | customKeyIdentifier | displayName  |
|--------------------|---------------------|--------------|
| passwordCredential | no use              | user-defined |
| keyCredential      | thumbprint          | user-defined |

@jiasli jiasli changed the title az ad app credential reset fails when provided a description for the credential az ad app credential reset fails when provided a description for the credential: When present, application key identifier cannot be empty and can be at most 32 bytes. Feb 21, 2022
@jiasli
Member

jiasli commented May 16, 2022

This issue has been resolved by #22432.

Documentation is updated accordingly: https://docs.microsoft.com/en-us/cli/azure/microsoft-graph-migration

@jiasli jiasli closed this as completed May 16, 2022