[BUG] ManagedIdentityCredential failure is not presented as a failure of one of the alternative credentials - it is presented as _the_ failure #32061

Closed
richardissimo opened this issue Oct 27, 2022 · 2 comments · Fixed by #32272
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

@richardissimo

Library name and version

Azure.Identity 1.7.0

Describe the bug

I'm just starting out with Azure Service Bus, and following the example of how to write a Sender to a Topic, using the Passwordless alternative approach (i.e. DefaultAzureCredential). I'm getting an AuthenticationFailedException from ManagedIdentityCredential with an internal exception of "System.Text.Json.JsonReaderException: '<' is an invalid start of a value."...

I think the 403 GlobalBlock in the error below is something to do with a McAfee proxy, but I'm not sure.

The bug is that this issue is being allowed to hog the limelight, rather than being shown as one of the alternatives which didn't work.

Similar reported bugs #27477 #30467

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Managed Identity response was not in the expected format. See the inner exception for details.
Status: 403 (GlobalBlock)

Content:


Headers:
Cache-Control: no-cache
X-Frame-Options: REDACTED
Proxy-Connection: REDACTED
Content-Type: text/html
Content-Length: 1192

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> Azure.RequestFailedException: Managed Identity response was not in the expected format. See the inner exception for details.
Status: 403 (GlobalBlock)

Content:


Headers:
Cache-Control: no-cache
X-Frame-Options: REDACTED
Proxy-Connection: REDACTED
Content-Type: text/html
Content-Length: 1192

 ---> System.Text.Json.JsonReaderException: '<' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
   at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
   at System.Text.Json.Utf8JsonReader.ConsumeValue(Byte marker)
   at System.Text.Json.Utf8JsonReader.ReadFirstToken(Byte first)
   at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
   at System.Text.Json.Utf8JsonReader.Read()
   at System.Text.Json.JsonDocument.Parse(ReadOnlySpan`1 utf8JsonSpan, JsonReaderOptions readerOptions, MetadataDb& database, StackRowStack& stack)
   at System.Text.Json.JsonDocument.Parse(ReadOnlyMemory`1 utf8Json, JsonReaderOptions readerOptions, Byte[] extraRentedArrayPoolBytes, PooledByteBufferWriter extraPooledByteBufferWriter)
   at System.Text.Json.JsonDocument.ParseAsyncCore(Stream utf8Json, JsonDocumentOptions options, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Amqp.CbsTokenProvider.AcquireJwtTokenAsync()
   at Azure.Messaging.ServiceBus.Amqp.CbsTokenProvider.GetTokenAsync(Uri namespaceAddress, String appliesTo, String[] requiredClaims)
   at Microsoft.Azure.Amqp.TaskHelpers.EndAsyncResult(IAsyncResult asyncResult)
   at Microsoft.Azure.Amqp.IteratorAsyncResult`1.StepCallback(IAsyncResult result)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Amqp.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at Microsoft.Azure.Amqp.AmqpCbsLink.<>c.<SendTokenAsync>b__4_1(IAsyncResult r)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location ---
   at Azure.Messaging.ServiceBus.Amqp.AmqpConnectionScope.RequestAuthorizationUsingCbsAsync(AmqpConnection connection, CbsTokenProvider tokenProvider, Uri endpoint, String[] audience, String[] requiredClaims, TimeSpan timeout, String identifier)
   at Azure.Messaging.ServiceBus.Amqp.AmqpConnectionScope.CreateSendingLinkAsync(String entityPath, String identifier, AmqpConnection connection, TimeSpan timeout, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Amqp.AmqpConnectionScope.CreateSendingLinkAsync(String entityPath, String identifier, AmqpConnection connection, TimeSpan timeout, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Amqp.AmqpConnectionScope.OpenSenderLinkAsync(String entityPath, String identifier, TimeSpan timeout, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Amqp.AmqpSender.CreateLinkAndEnsureSenderStateAsync(TimeSpan timeout, CancellationToken cancellationToken)
   at Microsoft.Azure.Amqp.FaultTolerantAmqpObject`1.OnCreateAsync(TimeSpan timeout, CancellationToken cancellationToken)
   at Microsoft.Azure.Amqp.Singleton`1.GetOrCreateAsync(TimeSpan timeout, CancellationToken cancellationToken)
   at Microsoft.Azure.Amqp.Singleton`1.GetOrCreateAsync(TimeSpan timeout, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Amqp.AmqpSender.CreateMessageBatchInternalAsync(CreateMessageBatchOptions options, TimeSpan timeout)
   at Azure.Messaging.ServiceBus.Amqp.AmqpSender.<>c.<<CreateMessageBatchAsync>b__19_0>d.MoveNext()
--- End of stack trace from previous location ---
   at Azure.Messaging.ServiceBus.ServiceBusRetryPolicy.RunOperation[T1,TResult](Func`4 operation, T1 t1, TransportConnectionScope scope, CancellationToken cancellationToken, Boolean logRetriesAsVerbose)
   at Azure.Messaging.ServiceBus.ServiceBusRetryPolicy.RunOperation[T1,TResult](Func`4 operation, T1 t1, TransportConnectionScope scope, CancellationToken cancellationToken, Boolean logRetriesAsVerbose)
   at Azure.Messaging.ServiceBus.Amqp.AmqpSender.CreateMessageBatchAsync(CreateMessageBatchOptions options, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.ServiceBusSender.CreateMessageBatchAsync(CreateMessageBatchOptions options, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in C:\Redacted\TopicSender\Program.cs:line 39
   at Program.<Main>$(String[] args) in C:\Redacted\TopicSender\Program.cs:line 58

Expected behavior

When I take the advice on (similar error) #27477 to set "ExcludeManagedIdentityCredential = true", then I get an error message which is actually helpful, listing out each of the alternative credentials and why that particular alternative isn't happy. I would have thought that a failure like this should be reported in the same way... i.e. here's the reason why all of the different approaches failed, including this issue from the ManagedIdentity approach; whereas, as you can see a beginner (like me) would have no clue from the details given below that this was just one of several alternatives that it was trying, and that I could even consider switching this off.

As soon as I switched it off, I could see from the helpful error that the actual issue was that my Visual Studio credentials needed to be re-entered, not that there was an issue with ManagedIdentity, which I had no interest in.

Actual behavior

The error is reported as if it is the failure. Rather than that it is one of several alternatives, and this is why this alternative failed.

Reproduction Steps

Follow the getting started article and code, and run the Sender program from Visual Studio when the ManagedIdentity returns 403 (for reasons I can't explain); and when you are expecting it to use your Visual Studio credentials, but you don't know that your credentials need to be re-entered. You'll get the error solely talking about ManagedIdentity, rather than an error saying we tried these various different ways, and here's how each of them failed. Which makes it look like this is a problem that you must sort out, whereas you could simply switch off this alternative.

Environment

Visual Studio 2022, .NET 6 console app, Windows 10.
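
A probe for the situation reported above, as an added example that is not code from the issue or from the Azure SDK: it requests a token once with the full DefaultAzureCredential chain and once with `ExcludeManagedIdentityCredential = true`, and prints which kind of failure comes back. The class name `CredentialProbe` and the Service Bus scope are assumptions; excluding managed identity is meant for a developer workstation, not for code deployed to Azure.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

internal static class CredentialProbe // hypothetical name, not part of the SDK
{
    // Assumed scope: the Service Bus data plane. Use the scope of the service you call.
    private static readonly string[] Scopes = { "https://servicebus.azure.net/.default" };

    private static async Task Main()
    {
        // Writes Azure SDK diagnostic events to the console, including credential attempts.
        using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();

        await ProbeAsync("full chain", new DefaultAzureCredentialOptions());
        await ProbeAsync("managed identity excluded", new DefaultAzureCredentialOptions
        {
            ExcludeManagedIdentityCredential = true
        });
    }

    private static async Task ProbeAsync(string label, DefaultAzureCredentialOptions options)
    {
        var credential = new DefaultAzureCredential(options);
        try
        {
            AccessToken token = await credential.GetTokenAsync(
                new TokenRequestContext(Scopes), CancellationToken.None);
            // Only the expiry is printed; the token itself never reaches the console.
            Console.WriteLine($"[{label}] token acquired, expires {token.ExpiresOn:u}");
        }
        catch (CredentialUnavailableException ex)
        {
            // No credential in the chain could be used; the message covers each one.
            Console.WriteLine($"[{label}] no credential available:\n{ex.Message}");
        }
        catch (AuthenticationFailedException ex)
        {
            // A single credential's failure surfaced on its own, as in the report above.
            Console.WriteLine($"[{label}] authentication failed: {ex.Message}");
            Console.WriteLine($"[{label}] inner: {ex.InnerException?.GetType().FullName}");
        }
    }
}
```

The `CredentialUnavailableException` handler must come first because that type derives from `AuthenticationFailedException`.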

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Oct 27, 2022
@azure-sdk azure-sdk added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage. labels Oct 27, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Oct 27, 2022
@jsquire jsquire added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-team-triage Workflow: This issue needs the team to triage. labels Oct 27, 2022
@jsquire
Member

jsquire commented Oct 27, 2022

/cc: @schaabs

@jsquire
Member

jsquire commented Oct 27, 2022

Thank you for your feedback. Tagging and routing to the team member best able to assist.
