az login hangs forever, redirects to localhost and hits ERR_CONNECTION_REFUSED in browser

[luisnaranjo733]

This is autogenerated. Please review and update as needed.

Describe the bug

az login hangs forever

1. Run az login
2. Browser window opens where I select which account I want to sign in to
3. The redirect goes to the browser in a new tab which looks like http://localhost:34541/?code=REDACTED&client_info=REDACTED&state=REDACTED&session_state=REDACTED

Command Name
az login

Errors:
Sign in hangs forever and never finishes

To Reproduce:

Attempt to sign in

Expected Behavior

Sign in succeeds

Environment Summary

Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-glibc2.31, Ubuntu 20.04.6 LTS
Python 3.10.10
Installer: DEB

azure-cli 2.47.0

Additional Context

[yonzhan]

Thank you for opening this issue, we will look into it.

[luisnaranjo733]

Thanks!

I forgot to mention that I also cannot sign in with --use-device-code
Auth succeeds in the browser but the az CLI never finds out about it

$ az login --use-device-code
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code REDACTED to authenticate.
$ az account show
Please run 'az login' to setup account.

[andrewegel]

I don't have a problem with az login, but the command az disk update command "hangs" for me:

az disk update --ids /long/path/to/disk/resource/i/know/is/accurate --set tags.keep_volume_until==...

Even more perplexing to me is when I add -vvvv or --debug the command fails/exits telling me that there is no az disk update command:

'update' is misspelled or not recognized by the system.

Examples from AI knowledge base:
https://aka.ms/cli_ref
Read more about the command in reference docs

Even though az disk update --help shows proper switches.

% az version
{
  "azure-cli": "2.47.0",
  "azure-cli-core": "2.47.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {}
}

Method of install: Brew (Well actually it was pip, but then I went the brew route after the pip installation started hanging)

I've had two other colleges try the same command and they report the same behavior.

[bebound]

@luisnaranjo733 Can you show me the output of az login --debug and az login --use-device-code --debug when it hang.
Do you see You have logged into Microsoft Azure! from http://localhost:34541/?code=REDACTED&client_info=REDACTED&state=REDACTED&session_state=REDACTED?

@andrewegel I can't repro. Since it is not related to this issue, could you please create a new issue so we can better track it?

[luisnaranjo733]

Shared the logs privately :) Please let me know if you need anything else to assist with troubleshooting.
I can sign in with --use-device-code now but still can't sign in with the normal flow

[chloeyin]

@bebound Hey, I met the same issue today, but it rediect me to another port(everytime I login looks like it will redirect to a different port)

http://localhost:44953/

This is the output from az login --debug

cli.knack.cli: Command arguments: ['login', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f87ed1712d0>, <function OutputProducer.on_global_arguments at 0x7f87ed067eb0>, <function CLIQuery.on_global_arguments at 0x7f87ed0b5120>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         9
cli.azure.cli.core: Total (1)                 0.001         2         9
cli.azure.cli.core: Loaded 2 groups, 9 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f87ec0b69e0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'placeholderxxxx'.
az_command_data_logger: command args: login --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f87ec0d3520>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f87ec11d480>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f87ec11d5a0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f87ed067f40>, <function CLIQuery.handle_query_parameter at 0x7f87ed0b51b0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f87ec11d510>]
cli.azure.cli.core.auth.persistence: build_persistence: location='placeholderxxxx', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: placeholderxxxx
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.identity: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
msal.telemetry: Generate or reuse correlation_id: cb254415-86ee-4abd-84db-2db40116bf1f
msal.oauth2cli.oauth2: Using http://localhost:43791 as redirect_uri
msal.oauth2cli.authcode: Abort by visit http://localhost:43791?error=abort
msal.oauth2cli.authcode: Open a browser on this device to visit: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?placeholderxxxx
tcgetpgrp failed: Not a tty

az --version
azure-cli                         2.47.0

core                              2.47.0
telemetry                          1.0.8

Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

I tried #10426 (comment) but it didn't work for me.

[bebound]

More users are encountering this issue.

Since our program remains unchanged, I believe the issue may be related to WSL or the browser.

[dsteeley]

This is likely microsoft/WSL#9947, installing the latest wsl via github releases may solve the issue.
wsl --update --pre-release from Powershell should get the latest version where 1.2.1 contains a fix.

[jiasli]

I also found a similar issue: microsoft/WSL#9805

[chloeyin]

Thanks! I use powershell to login and it works, it looks like a wsl problem. I will update my wsl and try again later.

[chloeyin]

Yes, after updating wsl to latest, it works now.

[luisnaranjo733]

Same - just updated to 1.2.5
https://github.com/microsoft/WSL/releases/tag/1.2.5

and can confirm this bug is fixed
it must have been that wsl2 bug

Should I close this issue?

[adnan-ashfaq]

I am having the same issue. Redirects me to localhost after account selection.

WSL version: 1.2.5.0
Kernel version: 5.15.90.1
WSLg version: 1.0.51
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.19045.2846

Azure Cli WSL

azure-cli                         2.48.1
core                              2.48.1
telemetry                          1.0.8
Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

[MarcoFabbri-orienteed]

Same as @adnan-ashfaq here, can you reopen this issue? Thanks

[MarcoFabbri-orienteed]

Sorry, just found this and it worked for me
https://stackoverflow.com/questions/69402231/authenticating-my-azure-account-opens-a-localhost-webpage-with-invalid-security

[adnan-ashfaq]

In my case, it was mismatch of MFA flow. I was working with Azure B2C AD related IaC, while my azure account in the portal was signed into different directory. Azure B2C AD has it's own MFA., so if you are logged into different directory in portal, and you are running az login for B2C, it would result in the above error. Make sure you're in Azure B2C AD in portal as well if you're running/testing B2C related work.