Azure CLI Tokens + Azure Stack Terraform Provider in ADFS/Disconnected mode #28

Open
jbpaux opened this issue Jun 20, 2019 · 4 comments

jbpaux commented Jun 20, 2019

Hello,
I'm struggling to authenticate to an ADFS disconnected Azure Stack with the Azure Stack Terraform Provider using Azure CLI tokens.

Versions:

  • az cli : 2.0.67
  • terraform : 0.12.2
  • terraform azurestack provider : 0.7.0 and master branch tested

Steps performed:

  • az logout/az login ⇒ successful (in browser)
  • az account get-access-token ⇒ successful
  • az group list ⇒ successful
  • terraform plan ⇒ fail

2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Service Principal / Client Certificate is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Service Principal / Client Secret is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Managed Service Identity is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Using Obtaining a token from the Azure CLI for Authentication
2019-06-20T11:38:45.077+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 [DEBUG] Resource "https://management.adfs.azstack.local/4851e0c9-ca1e-405e-9589-976d89f72324" isn't for the correct Tenant
2019/06/20 11:38:45 [ERROR] : eval: *terraform.EvalConfigProvider, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: *terraform.EvalSequence, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: *terraform.EvalOpFilter, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: *terraform.EvalSequence, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.

Tenant ID is correct. I don't know why it adds https://management.adfs.azstack.local/ in front of it, but why not.

jbpaux commented Jun 21, 2019

OK, I think I figured it out.
In the token, the Authority ends with / like in my case https://adfs.region.fqdn/tenantid/ while in the code it's looking for only the tenant ID as the suffix:

if !strings.HasSuffix(accessToken.Authority, tenantId) {
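
The comparison described in this comment, as an added example that is not part of the original post or the provider's code: it reproduces the suffix test on an authority with and without a trailing slash, next to a comparison on the last URL path segment. The helper `tenantMatch` and the host `adfs.example.local` are assumptions made for illustration; the tenant ID is the one from the log above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// suffixMatch reproduces the comparison quoted in the issue.
func suffixMatch(authority, tenantID string) bool {
	return strings.HasSuffix(authority, tenantID)
}

// tenantMatch (hypothetical helper, not provider code) compares the last path
// segment of the authority URL with the tenant ID, ignoring trailing slashes
// and letter case, and requiring the whole segment to match.
func tenantMatch(authority, tenantID string) bool {
	u, err := url.Parse(authority)
	if err != nil || u.Host == "" {
		return false
	}
	segments := strings.Split(strings.Trim(u.Path, "/"), "/")
	last := segments[len(segments)-1]
	return last != "" && strings.EqualFold(last, strings.Trim(tenantID, "/"))
}

func main() {
	tenant := "4851e0c9-ca1e-405e-9589-976d89f72324" // tenant ID from the issue's log
	// Constructed authority values; the host is a placeholder.
	authorities := []string{
		"https://adfs.example.local/" + tenant,       // no trailing slash
		"https://adfs.example.local/" + tenant + "/", // trailing slash, as in the issue
		"https://adfs.example.local/x" + tenant,      // different segment ending in the ID
	}
	for _, a := range authorities {
		fmt.Printf("%-70s suffix=%-5v segment=%v\n", a, suffixMatch(a, tenant), tenantMatch(a, tenant))
	}
}
```

The third input shows that a plain suffix test is also too loose: it accepts a longer path segment that merely ends with the tenant ID, while the segment comparison rejects it.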

jbpaux commented Jun 21, 2019

@tombuildsstuff if you can have a look ;)

jbpaux commented Jun 24, 2019

It may be related to this also. Azure CLI removes the tenant ID in the stored token :( Azure/azure-cli#9779

Matt45D commented May 26, 2020

Any update on this issue? I'm running into this exact issue with my connected ADFS Azure Stack environment.