Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go: things got broken with release of azcore v1.6.1 #56

Closed
ppanyukov opened this issue Jun 15, 2023 · 2 comments · Fixed by #57
Closed

Go: things got broken with release of azcore v1.6.1 #56

ppanyukov opened this issue Jun 15, 2023 · 2 comments · Fixed by #57

Comments

@ppanyukov
Copy link

Since the release of github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 authentication is broken.

This is due to this PR: Retry policy will always clone the *http.Request #20843, and in particuar due to this line:

clone := req.Clone(req.Raw().Context())

This breaks the assumption at

azidext/go/azidext/azure_identity_credential_adapter.go

Line 44 in ecb3be2

_, err = ca.pl.Do(req)
that the request will be mutated by BearerTokenPolicy.

Since the pipeline is set up so that BearerTokenPolicy runs after the request is cloned, the Authorization token is not longer available after the pipeline runs.

Looking at the code in runtime.NewPipeline, it doesn't seem possible to disable this cloning behaviour at all after that PR.

The only way I see this can be fixed is to move BearerTokenPolicy from PerRetry to PerCall:

// FROM
return &policyAdapter{
	pl: runtime.NewPipeline("azidext", "v0.4.0", runtime.PipelineOptions{
		PerRetry: []policy.Policy{tkPolicy, nullPolicy{}},
	}, nil),
}

// TO
return &policyAdapter{
	pl: runtime.NewPipeline("azidext", "v0.4.0", runtime.PipelineOptions{
		PerCall: []policy.Policy{tkPolicy, nullPolicy{}},
		PerRetry: []policy.Policy{nullPolicy{}},
	}, nil),
}

This ensures the auth BearerTokenPolicy runs on the original non-cloned request and mutates it by adding Authorization header.

I tried it and it does the trick. Although I'm not sure if it will cause some other issues to do with token refresh etc. I think the BearerTokenPolicy does all kind of refresh in the background so everything should continue as normal.

In any case, this is completely broken since azcore v1.6.1 so unless someone finds another way, I don't see how this can be fixed.
@jhendrixMSFT jhendrixMSFT mentioned this issue Jun 15, 2023
Merged
@jhendrixMSFT
Copy link
Collaborator

Fixed in v0.5.0, thanks for the bug report.

@flavianmissi
Copy link

It took me a bit of effort to get here, so to make it easier on people hitting this error, this was showed up in our logs:

StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="AuthenticationFailed" Message="Authentication failed. The 'Authorization' header is missing.

Thank you for this library and for fixing the bug!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix for recent change in azcore retry policy jhendrixMSFT/azidext
3 participants
@ppanyukov @flavianmissi @jhendrixMSFT