Add support to use "TryAutoDetect" to enable auto detect #526
Comments
So, you were using the Azure Identity library (which is part of the Azure SDK for Python). The Azure Identity is built on top of MSAL Python, but their calling patterns are different.
Ray is right. You can use RegionalAuthority.AUTO_DISCOVER_REGION
Hi @xiangyan99, thanks for the info. I tried to set that with the following code: On my local machine, the auto discover will return a None region as expected, but the problem is that MSAL thinks the configured region is 'True', thus it will use 'True.r.login.microsoftonline.com' as the regional host in this code: The reason, I think, is that the Identity library is passing 'True' as a string for azure_region in the MSAL application, while the MSAL application expects azure_region to be the boolean True to opt in to auto discovery. For the string 'True', the MSAL application thinks it is the same as any other configured region like 'westus2'.
Looks like it is by design that ATTEMPT_REGION_DISCOVERY = True # "TryAutoDetect"? @rayluo?
There is some history behind that line. MSALs accept either a string region name, or a special flag to represent auto-detect. MSAL .Net chose to use a magic string "TryAutoDetect" for the latter. MSAL Python tried that during prototyping, but eventually switched to a non-string value approach (so that all strings are considered a valid region name). But if we are talking about the design, then, by design, none of the implementation details above really matter in MSAL Python, because MSAL Python only documents its auto-detect API as "use a special keyword
Conclusion: The issue reported here is actually for MSAL's downstream library, the Azure Identity package, and the fix is provided there. MSAL itself does not have to change the magic value, as long as the caller will stick with MSAL's documented constant's name |
Describe the bug
Looks like we can only use True (boolean) to enable auto detect regional endpoint, rather than using "TryAutoDetect":
ATTEMPT_REGION_DISCOVERY = True # "TryAutoDetect"
However, Azure.Identity library is using environment variable AZURE_REGIONAL_AUTHORITY_NAME ("TryAutoDetect"), which can not be set to true.
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py
Thus we cannot use auto detect with Azure.Identity library.
To Reproduce
Steps to reproduce the behavior - run the following code on a local machine, which tries to auto detect, but it will fail as the local machine is not an Azure VM.

```python
import os

from azure.identity import CertificateCredential

# Opt in to region auto-detection through the environment variable
# unless a region has already been configured.
region = os.getenv("AZURE_REGIONAL_AUTHORITY_NAME")
if region is None or len(region) == 0:
    print("set region to auto detect")
    os.environ["AZURE_REGIONAL_AUTHORITY_NAME"] = "TryAutoDetect"

certificate_path = "your_local_cert.pfx"
certificate_credential = CertificateCredential(tenant_id='your tenant id',
                                               client_id='your client id',
                                               certificate_path=certificate_path,
                                               password="your password",
                                               send_certificate_chain=True)
token = certificate_credential.get_token('https://vault.azure.net/.default')
print(token)
```
Expected behavior
token should be acquired successfully.
What you see instead
CertificateCredential.get_token failed: Authentication failed: <urllib3.connection.HTTPSConnection object at 0x000001CAF0AE0D88>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed
The MSAL Python version you are using
1.20.0
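The mismatch discussed in this thread, as an added example that is not code from MSAL, Azure Identity or the issue's participants: a stringified sentinel is treated as a region name and yields the unresolvable host quoted above, while passing the sentinel itself falls back cleanly off Azure. The function names, the mapping in `region_from_env`, and the fallback to the global host are assumptions of this simplified model.

```python
"""Simplified model of the region handling discussed in this issue.

Not MSAL's or azure-identity's code: the function names and the mapping
below are assumptions made for illustration.
"""
import os

ATTEMPT_REGION_DISCOVERY = True  # sentinel value quoted in the issue
AUTO_DETECT_KEYWORD = "TryAutoDetect"  # env-var keyword quoted in the issue
GLOBAL_HOST = "login.microsoftonline.com"


def region_from_env(environ=os.environ):
    """Hypothetical caller-side mapping: env string -> value for azure_region."""
    raw = (environ.get("AZURE_REGIONAL_AUTHORITY_NAME") or "").strip()
    if not raw:
        return None  # regional endpoints not requested
    if raw == AUTO_DETECT_KEYWORD:
        # Hand over the sentinel itself; str(True) would become a region name.
        return ATTEMPT_REGION_DISCOVERY
    return raw  # any other string is an explicit region name


def authority_host(azure_region, detected_region=None):
    """Model of the behaviour described above: every string is a region name."""
    if azure_region is ATTEMPT_REGION_DISCOVERY:
        # Auto-detect: use whatever was discovered (None off an Azure VM).
        azure_region = detected_region
    if not azure_region:
        return GLOBAL_HOST  # assumed fallback when no region is known
    return f"{azure_region}.r.login.microsoftonline.com"


if __name__ == "__main__":
    env = {"AZURE_REGIONAL_AUTHORITY_NAME": "TryAutoDetect"}  # constructed input
    # Stringified sentinel: treated as a region called "True".
    print(authority_host(str(ATTEMPT_REGION_DISCOVERY)))
    # Sentinel passed by identity, nothing detected locally: global host.
    print(authority_host(region_from_env(env)))
    # Sentinel passed by identity, region detected (constructed value).
    print(authority_host(region_from_env(env), "westus2"))
```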