Describe the bug
Failed to get AAD token on a test container running on Azure.
This is the log:
https://sqlhelsinki.visualstudio.com/3d5f9117-a442-4242-9d62-51a9e4b80e97/_apis/build/builds/136855/logs/12
2020-11-06T04:34:44.2425257Z 2020-11-06 04:34:44.0241 UTC | INFO | Create AAD token cache file.
2020-11-06T04:34:44.2457017Z 2020-11-06 04:34:44,245 DEBUG Starting new HTTPS connection (1): login.microsoftonline.com:443
2020-11-06T04:34:44.2457757Z DEBUG: urllib3.connectionpool : Starting new HTTPS connection (1): login.microsoftonline.com:443
2020-11-06T04:34:44.3561915Z 2020-11-06 04:34:44,355 DEBUG https://login.microsoftonline.com:443 "GET /%7B72f988bf-86f1-41af-91ab-2d7cd011db47%7D/v2.0/.well-known/openid-configuration HTTP/1.1" 400 653
2020-11-06T04:34:44.3563265Z DEBUG: urllib3.connectionpool : https://login.microsoftonline.com:443 "GET /%7B72f988bf-86f1-41af-91ab-2d7cd011db47%7D/v2.0/.well-known/openid-configuration HTTP/1.1" 400 653
2020-11-06T04:34:44.3579827Z 2020-11-06 04:34:44.0357 UTC | INFO | Service principal "e0d6978a-9812-4db7-a9b1-44f14fbaec97" failed to authenticate with Azure. Please try again
2020-11-06T04:34:44.3580605Z
The call used in our code:
import atexit
import os

import msal

# spn, azure_constants and _get_cache_file are defined elsewhere in the project (not shown).
cache = msal.SerializableTokenCache()
cache_file = _get_cache_file()
if os.path.exists(cache_file):
    cache.deserialize(open(cache_file, "r").read())
# Write the cache back at exit only if it changed.
atexit.register(
    lambda: open(cache_file, "w").write(cache.serialize())
    if cache.has_state_changed
    else None
)
app = msal.ConfidentialClientApplication(
    spn.client_id,
    spn.client_secret,
    azure_constants.AAD_LOGIN_URL + spn.tenant_id,
    token_cache=cache,
)
We don't know what could cause the issue.
Copy one of the 400 bad requests from the log:
https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration
Got the following.
{"token_endpoint":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":"WW","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}
We are going to release our product soon. We are in the public preview. We can't break AKS for the release.
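
An added diagnostic, not part of the original report and not MSAL code: it decodes the request path from the log above and compares its tenant segment with the URL that was opened by hand, which shows that the logged request carries the tenant ID wrapped in URL-encoded braces (`%7B`, `%7D`) while the hand-tested URL does not. The function names are hypothetical, and normalizing through `uuid.UUID` assumes the tenant is given as a GUID rather than a domain name.

```python
import re
import uuid
from urllib.parse import unquote, urlsplit

# Request line copied from the log in the report.
LOGGED = (
    'https://login.microsoftonline.com:443 '
    '"GET /%7B72f988bf-86f1-41af-91ab-2d7cd011db47%7D'
    '/v2.0/.well-known/openid-configuration HTTP/1.1" 400 653'
)
# URL the reporter opened by hand.
MANUAL = (
    "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47"
    "/v2.0/.well-known/openid-configuration"
)


def logged_path(line):
    """Return the percent-decoded request path from a urllib3 debug line."""
    match = re.search(r'"GET (\S+) HTTP/1\.[01]"', line)
    if match is None:
        raise ValueError("no GET request found in log line")
    return unquote(match.group(1))


def tenant_segment(path):
    """Return the first path segment, where the authority URL carries the tenant."""
    return path.lstrip("/").split("/", 1)[0]


def normalize_tenant_id(raw):
    """Return a GUID tenant ID in canonical form: lowercase, hyphenated, no braces."""
    # uuid.UUID accepts surrounding braces; str() emits the canonical form.
    # Raises ValueError for anything that is not a GUID (e.g. a domain name).
    return str(uuid.UUID(raw.strip()))


def compare(line, manual_url):
    """Compare the tenant segment actually sent with the one tested by hand."""
    sent = tenant_segment(logged_path(line))
    tested = tenant_segment(urlsplit(manual_url).path)
    return {"sent": sent, "tested": tested, "same": sent == tested,
            "normalized": normalize_tenant_id(sent)}


if __name__ == "__main__":
    print(compare(LOGGED, MANUAL))
```
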