
Docs: DefaultAzureCredential using Service principal with certificate #26806

Open

Description

  • Package Name: @azure/identity
  • Package Version: 3.2.4
  • Operating system: Windows
  • nodejs
    • version: 18.16.1
  • browser
    • name/version:
  • typescript
    • version: 4.9.5
  • Is the bug related to documentation in

Describe the bug
The msalClientCertificate.parseCertificate incorrectly validates the PEM private key file.

The certificatePattern requires /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g but the private key file has -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY-----

The comment correctly states that

    /**
     * The PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
     */

To Reproduce
Steps to reproduce the behavior:

  1. Create a PEM certificate:
    openssl req -x509 -newkey rsa:2048 -keyout keytmp.pem -out cert.pem -days 365 -passout pass:PASSWORD -subj '/CN=SUBJECT'
    openssl rsa -in keytmp.pem -out key.pem -passin pass:PASSWORD
  2. Open key.pem. The file has -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- content.
  3. Ensure the following environment variables are defined: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_CERTIFICATE_PATH, AZURE_CLIENT_CERTIFICATE_PASSWORD: path to key.pem
  4. Run:
    import { DefaultAzureCredential } from "@azure/identity";
    import { setLogLevel } from "@azure/logger";
    setLogLevel("info");
    // We're using DefaultAzureCredential but the credential can be any valid `Credential Type`
    const credential = new DefaultAzureCredential({
        loggingOptions: { allowLoggingAccountIdentifiers: true },
    });
    console.log(credential);
    // getToken resolves to an AccessToken object ({ token, expiresOnTimestamp });
    // logging the object directly prints "[object Object]", so log its expiry instead.
    credential.getToken("https://graph.microsoft.com/.default")
        .then(token => console.log(`graphToken expires: ${new Date(token.expiresOnTimestamp).toISOString()}`))
        .catch(err => {
            console.error("graphToken error:");
            console.error(err);
        });
    credential.getToken("https://graph.microsoft.com/.default")
        .then(token => console.log(`spToken expires: ${new Date(token.expiresOnTimestamp).toISOString()}`))
        .catch(err => {
            console.error("spToken error:");
            console.error(err);
        });

See errors:

AuthenticationError: EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot. Status code: 400
More details:
The file at the specified path does not contain a PEM-encoded certificate.

Expected behavior
Authentication using Service principal with certificate should work correctly.

Additional context
I'm not sure if fixing the regex will fix the problem, but it certainly looks like this might be it =)
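A pre-flight check for the file named by AZURE_CLIENT_CERTIFICATE_PATH, added here as an example (it is not @azure/identity code and not the reporter's): it reuses the certificatePattern quoted in the issue, adds an analogous private-key pattern (an assumption about how such a block would be matched), and reports whether a PEM holds a certificate, a key, or both, so that a key-only file like key.pem is explained before the library rejects it. The sample PEM bodies are constructed base64-shaped filler, not real keys.

```javascript
// Added example, not code from @azure/identity or from the issue reporter.
// certificatePattern is the one quoted in the issue; privateKeyPattern is an
// assumed analogue for the key block.
const certificatePattern =
  /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
// PKCS#8 "PRIVATE KEY" (what the issue's key.pem contains) and PKCS#1 "RSA PRIVATE KEY".
const privateKeyPattern =
  /(-+BEGIN (?:RSA )?PRIVATE KEY-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END (?:RSA )?PRIVATE KEY-+)/g;

// Count the blocks a /g pattern finds; String.prototype.match resets lastIndex
// itself, so the shared pattern objects are safe to reuse between calls.
function countBlocks(pattern, pem) {
  return (pem.match(pattern) || []).length;
}

// Pre-flight check for the file named by AZURE_CLIENT_CERTIFICATE_PATH:
// explains what the PEM is missing instead of the library's generic
// "does not contain a PEM-encoded certificate".
function inspectPem(pem) {
  const certificates = countBlocks(certificatePattern, pem);
  const privateKeys = countBlocks(privateKeyPattern, pem);
  const problems = [];
  if (certificates === 0) problems.push("no CERTIFICATE block: cert.pem content is missing");
  if (privateKeys === 0) problems.push("no PRIVATE KEY block: key.pem content is missing");
  return { certificates, privateKeys, ok: problems.length === 0, problems };
}

// Constructed sample bodies: base64-shaped filler, not real certificate or key material.
const fakeBody = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\n";
const keyOnlyPem = `-----BEGIN PRIVATE KEY-----\n${fakeBody}-----END PRIVATE KEY-----\n`;
const certOnlyPem = `-----BEGIN CERTIFICATE-----\n${fakeBody}-----END CERTIFICATE-----\n`;
// Certificate and its private key together in one file, which is the shape
// the certificate pattern and the key pattern both accept.
const combinedPem = certOnlyPem + keyOnlyPem;
// The same file with Windows line endings; both patterns accept \r\n.
const combinedPemCrlf = combinedPem.replace(/\n/g, "\r\n");

for (const [name, pem] of Object.entries({ keyOnlyPem, certOnlyPem, combinedPem, combinedPemCrlf })) {
  const result = inspectPem(pem);
  console.log(name, result.ok ? "ok" : "rejected: " + result.problems.join("; "));
}
```

Run against the key.pem from the reproduction steps, inspectPem reports one private key and no certificate, which is exactly the condition the library's error message describes.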


Labels

  • Azure.Identity
  • Client: This issue points to a problem in the data-plane of the library.
  • Docs
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that