Container Live Stream Authentication Issue #33129

Closed
Kenneth-Abrams opened this issue Jun 11, 2019 — with docs.microsoft.com · 11 comments

Contributor

commented Jun 11, 2019 — with docs.microsoft.com

Up until late last week the container live stream functionality has been working great on my 3 AKS clusters. I believe in the last week something has changed and is impacting the AAD authentication in the AKS Insights Blade for Containers leveraging container live stream. Whenever it tries to authenticate me, it just continuously spins, downloads an auth.html file, and never comes back.

I have updated my AAD client application based on the new documentation updates to have the following reply URL for my client object: https://afd.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html
Additionally, I allowed the implicit grant of Access tokens and ID tokens.

Any assistance would be greatly appreciated.


@femsulu

Member

commented Jun 11, 2019

Thanks for your comment. We are actively investigating and will get back to you shortly. Thanks for your patience.

@femsulu femsulu self-assigned this Jun 11, 2019

@MGoedtel

Contributor

commented Jun 12, 2019

@Kenneth-Abrams - The changes published yesterday for setting up AAD were to align with changes implemented by Azure AD to remove insecure use of wildcards in URIs. Because your issue is not related to an actual doc issue, I suggest you open a support case to have it properly reviewed and triaged by one of our engineers. #please-close

@PRMerger7 PRMerger7 closed this Jun 12, 2019

@mohatb


commented Jun 13, 2019

I have the same issue and it can be reproduced in any environment.

The URL specified in the article is incorrect, as per the article suggestion

Request Id: f2054eb4-441d-4370-8938-86438d0a2b00
Correlation Id: 843a6d68-24c5-4f13-b967-c13aeda04624
Timestamp: 2019-06-13T08:43:53Z
Message: AADSTS700054: response_type 'id_token' is not enabled for the application.
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

After adding the implicit grant of Access tokens and ID tokens and the URI specified in the article:

another error shows up:

Request Id: 6a20e43e-cf9d-4f49-a1cc-dfb662fc2f00
Correlation Id: a4d902a7-fc4b-48aa-9f4e-f97e3396bbe6
Timestamp: 2019-06-13T08:45:05Z
Message: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '4de0c081-449b-4bc3-b4ad-ee0ac9169d3e'.
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

then it takes you to the URI and downloads auth.html

@MGoedtel

Contributor

commented Jun 13, 2019

@Kenneth-Abrams & @mohatb - Let me escalate this with the engineer who I worked with on this to get to the bottom of this problem. @femsulu - Please reopen this issue. Thanks.

@Kenneth-Abrams

Contributor Author

commented Jun 13, 2019

@MGoedtel thanks, I appreciate it. This should be much easier than the support runaround because is it an AKS issue, an Azure Monitor issue, and an Azure AAD issue 😄. Either way I love what you guys do.

@vishiy

Contributor

commented Jun 13, 2019

@MGoedtel

Contributor

commented Jun 13, 2019

@Kenneth-Abrams & @mohatb - Engineering has tracked down the underlying problem with a service dependency and they are working to deploy a fix. I don't have an ETA but will update this issue once I have something concrete/confirmed. Thanks.

@vishiy

Contributor

commented Jun 17, 2019

Should be fixed. Please ensure browser cache is cleared before trying out. Thanks.

@neumanndaniel

Contributor

commented Aug 11, 2019

@vishiy Is it really fixed? I tried it out today and I got the error message that the reply url by the app does not match the reply url provided in the request.

Finally, with some debugging and changing the url to https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html I got it working again.

Has the URL changed?

@PRMerger8 PRMerger8 added the Pri2 label Aug 11, 2019

@gvanderberg


commented Aug 12, 2019

> @vishiy Is it really fixed? I tried it out today and I got the error message that the reply url by the app does not match the reply url provided in the request.
>
> Finally, with some debugging and changing the url to https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html I got it working again.
>
> Has the URL changed?

The same thing happened to me over the weekend: live streaming of the AKS logs started failing auth with an invalid reply URL. Thanks @neumanndaniel, I was about to start debugging myself when I came across your response. Updating / adding https://monitoring.hosting.portal.azure.net/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html resolved my issue as well.

@bragi92

Contributor

commented Aug 15, 2019

Thanks @neumanndaniel. Yes, the URL was updated; we've updated the docs to include both the monitoring. and afd. URLs in the AAD app.
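
Added example, not part of the thread or of Microsoft's documentation: a small audit of an AAD app registration for the two conditions behind the errors quoted above (AADSTS700054 and AADSTS50011). It assumes the registration is available as a Microsoft Graph-style application object (`web.redirectUris`, `web.implicitGrantSettings`), treats reply URL matching as exact string comparison, and uses constructed sample registrations.

```python
from urllib.parse import urlsplit

# Reply URLs quoted in this thread: afd. (original report) and monitoring. (Aug 11 comment).
AUTH_PATH = "/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html"
REQUIRED_REPLY_URLS = [
    "https://afd.hosting.portal.azure.net" + AUTH_PATH,
    "https://monitoring.hosting.portal.azure.net" + AUTH_PATH,
]

def audit_app_registration(app):
    """Return a list of findings for a Graph-style application object (dict)."""
    web = app.get("web", {})
    registered = web.get("redirectUris", [])
    grants = web.get("implicitGrantSettings", {})
    findings = []

    # AADSTS700054 in the thread: response_type 'id_token' not enabled.
    if not grants.get("enableIdTokenIssuance", False):
        findings.append("AADSTS700054 risk: ID token implicit grant is disabled")
    # The posters in the thread enabled access tokens as well.
    if not grants.get("enableAccessTokenIssuance", False):
        findings.append("access token implicit grant is disabled")

    # AADSTS50011 in the thread: requested reply URL is not registered.
    # Assumption: exact string comparison, no wildcard expansion.
    for url in REQUIRED_REPLY_URLS:
        if url not in registered:
            host = urlsplit(url).hostname
            findings.append(f"AADSTS50011 risk: missing reply URL for {host}")

    # Wildcards were the reason for the documentation change; flag leftovers.
    for url in registered:
        if "*" in url:
            findings.append(f"wildcard reply URL: {url}")
        elif urlsplit(url).scheme != "https":
            findings.append(f"non-HTTPS reply URL: {url}")
    return findings

# Constructed sample registrations (not real tenant data).
BEFORE = {"web": {
    "redirectUris": [REQUIRED_REPLY_URLS[0], "https://*.example.invalid/auth.html"],
    "implicitGrantSettings": {"enableIdTokenIssuance": False,
                              "enableAccessTokenIssuance": True}}}
AFTER = {"web": {
    "redirectUris": list(REQUIRED_REPLY_URLS),
    "implicitGrantSettings": {"enableIdTokenIssuance": True,
                              "enableAccessTokenIssuance": True}}}

if __name__ == "__main__":
    for name, app in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_app_registration(app))
```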
