Unable to enable regional STS for Client Credential flow. #27320
Comments
Hi @niallb96, which credential type are you using? @KarishmaGhiya I'm not sure of the history here, all I found was us removing this support two years ago: #18026 -- is this still a supported scenario?
Hello @niallb96, we do not support the env name
Hi @niallb96. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @KarishmaGhiya, sorry for the delay responding, I was oof. Would you mind clarifying exactly what additional information you require? This has been flagged for two of our applications on S360, so I want to enable it for all requests necessary to resolve the S360 item. They are both Node.js; from my understanding, for Node this feature is only available for the client credential flow, so I need all requests using that flow to use regional STS. There are a number of requests and scenarios that are using the credential flow. I didn't realise that AZURE_REGIONAL_AUTHORITY_NAME was not supported anymore, I was going off this documentation: https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/msal-net-regional-adoption?branch=main#enable-msal--microsoft-identity-web-to-use-regional-ests-endpoint. Since this env name isn't supported, mind telling me an alternative approach to resolve this S360 item? Thanks!
Hi @niallb96, my bad. We still do support and accept the env name you have tried; we had removed the setting from the public API surface. Can you tell me in what scenarios (and with what credentials) it has not worked for you? I'd like to repro it on my end and check.
Hi Karishma, sorry for the delay responding. Part of my problem investigating this is that I am struggling to figure out exactly what is unique about the requests that are failing. A lot of the failing requests have the Resource Display Name: Microsoft Graph. We have tokens of types
@niallb96 Do you have any useful information from the logs? You can enable verbose logging on your end to get more information on the failing requests. I'd be happy to hop on a call with you to investigate this.
Hi @niallb96, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
Describe the bug
I've been looking into enabling regional STS for the client credential flow using the @azure/identity node package, but I can't see how to do it using the documentation. Looking through the code, a lot of functionality that looks like it would enable regional STS seems to be commented out. I couldn't find any relevant configuration in either the constructor for the credential or the getToken() method.
I've also attempted to do this by setting the AZURE_REGIONAL_AUTHORITY_NAME environment variable, but this has not worked for a majority of the requests (though it has worked for about 20%).
This is an S360 requirement for which our services are currently out of SLA.
To Reproduce
N/A
Expected behavior
A 100% regional STS adoption rate for all requests flagged by S360 and a resolution of the S360 item.