SharedTokenCacheCredential authentication fails in Azure.Identity on ubuntu #17052

Closed
thoemmi opened this issue Nov 18, 2020 · 10 comments · Fixed by #16615
Labels
Azure.Identity bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team

Comments

@thoemmi

thoemmi commented Nov 18, 2020

We have written an internal command line tool that allows us to read secrets from Azure Key Vault. This tool consumes Azure.Identity, Azure.Security.KeyVault.*, and Azure.ResourceManager.Resources.

We run this tool both on our dev machines and in the Azure DevOps release pipeline. However, today we have updated Azure.Identity from 1.2.2 to 1.3.0. While the tool still runs without any issue on my Windows machine, it fails on the build agent in the release pipeline (ubuntu-18.04):

ERROR: Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
    Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence() 
      at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence() 
      at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.MsalPublicClient.GetAccountsAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.SharedTokenCacheCredential.GetAccountAsync(Boolean async, CancellationToken cancellationToken) 
      at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) 
  at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex) 
  at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(HttpMessage message, Boolean async, CancellationToken cancellationToken) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, Boolean async) 
  at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) 
  at Azure.ResourceManager.Resources.ResourceGroupsRestOperations.GetAsync(String resourceGroupName, CancellationToken cancellationToken) 
  at Azure.ResourceManager.Resources.ResourceGroupsOperations.GetAsync(String resourceGroupName, CancellationToken cancellationToken) 

I don't know if this is caused by Azure.Identity itself or by the MSAL token cache extension you're using.

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 18, 2020
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Nov 18, 2020
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Nov 18, 2020
@jsquire
Member

jsquire commented Nov 18, 2020

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@schaabs
Member

schaabs commented Nov 18, 2020

@thoemmi Thank you for filing this issue, I'm sorry you're running into this problem. I'll investigate the root cause of this regression and hopefully release a patch for it soon. In the meantime you should be able to work around this by excluding the SharedTokenCacheCredential from the DefaultAzureCredential.

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true });

This should work around the issue you're experiencing in your CI and should not impact your authentication in your development environment, as the VisualStudioCredential will provide authentication in lieu of the SharedTokenCacheCredential. As a matter of fact, we're also planning on disabling the SharedTokenCacheCredential by default in our next release. More info on this can be found in this issue Azure/azure-sdk#1970, and PR #16615. Please let me know if you have further questions or have trouble getting the workaround working.
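
The workaround above, carried a step further as an added example that is not code from the issue thread or from the Azure SDK itself: it decides at runtime whether the shared token cache can work on this host and builds the credential accordingly, then uses it against Key Vault. On Linux the MSAL cache extension stores the cache in the keyring via libsecret over D-Bus and verifies it can read back what it wrote; a headless build agent typically has neither, which is the failure in this issue. The `ShouldExcludeSharedTokenCache` helper, the `KEYVAULT_URI` environment variable, the placeholder vault URL and the secret name are all assumptions of this example; `DefaultAzureCredentialOptions`, `SecretClient` and `NativeLibrary.TryLoad` are real APIs (Azure.Identity, Azure.Security.KeyVault.Secrets, .NET Core 3.0+).

```csharp
// Added example, not from the issue thread or the Azure SDK.
// Assumes Azure.Identity 1.3.x+ and Azure.Security.KeyVault.Secrets are referenced.
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class CiSafeCredential
{
    // Hypothetical helper: returns true when SharedTokenCacheCredential is likely to fail
    // on this host. Checks only the two prerequisites named in the error messages of this
    // thread: a D-Bus session bus and the native libsecret library.
    public static bool ShouldExcludeSharedTokenCache()
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
            return false;

        // No session bus address => libsecret cannot reach a keyring daemon.
        bool hasSessionBus = !string.IsNullOrEmpty(
            Environment.GetEnvironmentVariable("DBUS_SESSION_BUS_ADDRESS"));

        // libsecret-1.so.0 is the library the MSAL LinuxKeyringAccessor P/Invokes;
        // a missing library surfaces as DllNotFoundException further down this thread.
        bool hasLibSecret = NativeLibrary.TryLoad("libsecret-1.so.0", out IntPtr handle);
        if (hasLibSecret)
            NativeLibrary.Free(handle);

        return !(hasSessionBus && hasLibSecret);
    }

    public static TokenCredential Build()
    {
        // DefaultAzureCredential still tries EnvironmentCredential (service principal from
        // AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET) and ManagedIdentityCredential
        // first, which is what a pipeline should be using anyway; the developer-oriented
        // shared cache is only excluded where it cannot work.
        var options = new DefaultAzureCredentialOptions
        {
            ExcludeSharedTokenCacheCredential = ShouldExcludeSharedTokenCache(),
            ExcludeInteractiveBrowserCredential = true // never pop a browser in a pipeline
        };
        return new DefaultAzureCredential(options);
    }
}

class Program
{
    static async Task Main()
    {
        // Placeholder vault URL and secret name; override the URL via KEYVAULT_URI.
        var vaultUri = new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URI")
                               ?? "https://example-vault.vault.azure.net/");
        var client = new SecretClient(vaultUri, CiSafeCredential.Build());

        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync("example-secret");
            // Log metadata only; never write the secret value to build output.
            Console.WriteLine($"Fetched {secret.Name} (version {secret.Properties.Version})");
        }
        catch (AuthenticationFailedException ex)
        {
            // The message names which credential in the chain failed and why,
            // without including token material.
            Console.Error.WriteLine($"Authentication failed: {ex.Message}");
            Environment.ExitCode = 1;
        }
    }
}
```

The runtime check is deliberately conservative: if either prerequisite is missing the shared cache is skipped, so the chain falls through to the same credentials it would have used after the persistence error anyway, just without the exception. On a Windows or macOS developer machine the check returns false and behaviour is unchanged.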

@schaabs schaabs added bug This issue requires a change to an existing behavior in the product in order to be resolved. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 18, 2020
@ghost ghost added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 18, 2020
@schaabs schaabs added this to the [2020] December milestone Nov 18, 2020
@thoemmi
Author

thoemmi commented Nov 18, 2020

@schaabs, thanks for your quick answer. The workaround you proposed indeed does the trick, and our release pipeline is green again 👍

I guess I shall not close this issue as you've added it to the December milestone.

@schaabs
Member

schaabs commented Nov 18, 2020

@thoemmi I'm glad to hear that you're unblocked. Yes, please leave the issue open as we intend to fix this regression, and we'll close it once the fix is merged.

@JonRoosevelt

JonRoosevelt commented Dec 1, 2020

Hello @schaabs
I'm having a similar issue and followed your work around.
Now it has raised another Exception, regarding Authentication, as follows:

Exception has occurred: CLR/Azure.Identity.AuthenticationFailedException

An unhandled exception of type 'Azure.Identity.AuthenticationFailedException' occurred in System.Private.CoreLib.dll: 'Azure CLI authentication failed due to an unknown error. ERROR: Get Token request returned http error: 400 and server response: 
{"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2020-11-12T13:35:59.6312234Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-11-23T12:56:24.0000000Z'.\r\nTrace ID: XXXXXXXX (hidden) \r\nCorrelation ID: XXXXXX (hidden)\r\nTimestamp: 2020-12-01 15:28:26Z","error_codes":[50173],"timestamp":"2020-12-01 15:28:26Z","trace_id":**XXXXXX (hidden)**,"correlation_id":XXXX(hidden),"error_uri":"https://login.microsoftonline.com/error?code=50173"}

I kinda understand that it's related to the refresh token and even tried to, instead of creating a new DefaultAzureCredential, instantiate an existing one using clientId and clientSecret, but I'm not sure that's how it should be addressed.

@jongio
Member

jongio commented Mar 11, 2021

@schaabs - This popped up for me today as well. By removing SharedTokenCacheCredential from DAC, are we saying it isn't supported on Linux?

Exception has occurred: CLR/Azure.Identity.AuthenticationFailedException
An exception of type 'Azure.Identity.AuthenticationFailedException' occurred in System.Private.CoreLib.dll but was not handled in user code: 'SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details'
 Inner exceptions found, see $exception in variables window for more details.
 Innermost exception 	 System.DllNotFoundException : Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: liblibsecret-1.so.0: cannot open shared object file: No such file or directory
   at Microsoft.Identity.Client.Extensions.Msal.Libsecret.secret_schema_new(String name, Int32 flags, String attribute1, Int32 attribute1Type, String attribute2, Int32 attribute2Type, IntPtr end)
   at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyringAccessor.GetLibsecretSchema()
   at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyringAccessor.Write(Byte[] data)
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()

@R2J2

R2J2 commented Mar 30, 2021

Where do I need to add the workaround? Is it written to the application code or the dockerfile?

@jongio
Member

jongio commented Mar 30, 2021

@R2J2 - See this comment. #17052 (comment)

You remove it in your code.

@dgerding

dgerding commented Apr 8, 2022

This is happening to me currently (April '22) using the latest release versions of all nugets.

Opening a new issue, but also pursuing with Azure support and will update if that yields any results.

@dgerding

dgerding commented Apr 8, 2022

#28120 Help :)

7 participants