ahsonkhan
Contributor

Fixes #46130

result in a redirect response when an invalid system access token is
provided.

@azure-sdk
Collaborator

API change check

API changes are not detected in this pull request.

@ahsonkhan
Contributor Author

/azp run net - identity - tests

Azure Pipelines successfully started running 1 pipeline(s).

@ahsonkhan
Contributor Author

ahsonkhan commented Sep 24, 2024

@christothes I keep seeing a seemingly unrelated test fail on Ubuntu:
Failed KubectlExecuteIdentityAKSTests
It fails on retry.

Is this a known issue? It fails on identity test runs outside this PR, which makes me believe it isn't related to it.
Any recommendations on how to unblock this PR? I have gotten enough confidence of correctness from the passing tests (and new test addition) in the net - identity - tests legs, so I could reset and run just the CI pipelines/unit tests. Does that work?

Please let me know if you'd like me to file a tracking issue for it (or optionally disable the test).

2024-09-24T20:33:20.0037474Z   Failed KubectlExecuteIdentityAKSTests [754 ms]
2024-09-24T20:33:20.0038481Z   Error Message:
2024-09-24T20:33:20.0041045Z    System.InvalidOperationException: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-09-24T20:33:19.6123783Z, assertion valid from 2024-09-24T20:16:20.0000000Z, expiry time of assertion 2024-09-24T20:26:20.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 4edaea99-30f4-4c2f-83f5-a7b4e83f3000 Correlation ID: 951d6530-5f14-4a20-a9a5-aba45e411644 Timestamp: 2024-09-24 20:33:19Z
2024-09-24T20:33:20.0044185Z Interactive authentication is needed. Please run:
2024-09-24T20:33:20.0046014Z az login
2024-09-24T20:33:20.0048084Z    at Azure.Identity.ProcessRunner.Run() in /_/sdk/identity/Azure.Identity/src/ProcessRunner.cs:line 66
2024-09-24T20:33:20.0050003Z    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.RunCommand(String fileName, String args) in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 76
2024-09-24T20:33:20.0052414Z   Stack Trace:
2024-09-24T20:33:20.0054820Z      at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.RunCommand(String fileName, String args) in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 83
2024-09-24T20:33:20.0058030Z    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.SetupKubernetesEnvironment() in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 41
2024-09-24T20:33:20.0061136Z    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.KubectlExecuteIdentityAKSTests() in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 60
2024-09-24T20:33:20.0063491Z 
2024-09-24T20:33:20.0067912Z 1)    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.RunCommand(String fileName, String args) in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 76
2024-09-24T20:33:20.0070993Z    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.SetupKubernetesEnvironment() in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 41
2024-09-24T20:33:20.0074273Z    at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.KubectlExecuteIdentityAKSTests() in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 60
2024-09-24T20:33:20.0075791Z 
2024-09-24T20:33:20.0076432Z 
2024-09-24T20:33:20.0078061Z   Standard Output Messages:
2024-09-24T20:33:20.0079856Z  Running command: which az
2024-09-24T20:33:20.0081463Z  output:
2024-09-24T20:33:20.0082969Z  /usr/bin/az
2024-09-24T20:33:20.0084595Z  Running command: which kubectl
2024-09-24T20:33:20.0086169Z  output:
2024-09-24T20:33:20.0087866Z  /usr/bin/kubectl
2024-09-24T20:33:20.0094844Z  Running command: /usr/bin/az login --federated-token *** --service-principal -u *** --tenant ***
2024-09-24T20:33:20.0099150Z  System.InvalidOperationException: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-09-24T20:33:19.6123783Z, assertion valid from 2024-09-24T20:16:20.0000000Z, expiry time of assertion 2024-09-24T20:26:20.0000000Z. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Trace ID: 4edaea99-30f4-4c2f-83f5-a7b4e83f3000 Correlation ID: 951d6530-5f14-4a20-a9a5-aba45e411644 Timestamp: 2024-09-24 20:33:19Z
2024-09-24T20:33:20.0102560Z  Interactive authentication is needed. Please run:
2024-09-24T20:33:20.0104500Z  az login
2024-09-24T20:33:20.0106630Z     at Azure.Identity.ProcessRunner.Run() in /_/sdk/identity/Azure.Identity/src/ProcessRunner.cs:line 66
2024-09-24T20:33:20.0110149Z     at Azure.Identity.Tests.ManagedIdentityAKSIntegrationTests.RunCommand(String fileName, String args) in /mnt/vss/_work/1/s/sdk/identity/Azure.Identity/tests/ManagedIdentityAKSIntegrationTests.cs:line 76
2024-09-24T20:33:20.0127239Z 
2024-09-24T20:33:20.0127903Z 

From analytics, this particular test has failed intermittently over the last few weeks:
image

@ahsonkhan ahsonkhan enabled auto-merge (squash) September 24, 2024 22:59
@christothes
Member

> @christothes I keep seeing a seemingly unrelated test fail on Ubuntu: Failed KubectlExecuteIdentityAKSTests It fails on retry.
>
> Is this a known issue? It fails on identity test runs outside this PR, which makes me believe it isn't related to it. Any recommendations on how to unblock this PR? I have gotten enough confidence of correctness from the passing tests (and new test addition) in the net - identity - tests legs, so I could reset and run just the CI pipelines/unit tests. Does that work?
>
> Please let me know if you'd like me to file a tracking issue for it (or optionally disable the test).

Yes, let's file a tracking issue. I think this is just a timing-related issue since we are using the OIDC token that was set at the beginning of the pipeline and sometimes we just happen to execute those tests after the 10-minute lifetime expiration. I have some ideas for how to resolve it that we can discuss in the issue.

We can Ignore the test in the meantime, if it is blocking now consistently, and cite the issue in the reason.
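
The following triage helper is an added example, not part of this PR, the Azure SDK, or any participant's comment. It parses the AADSTS700024 message shown in the log above and reports the assertion's lifetime and how far outside the window the login ran; the function names and the second, constructed sample line are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp shape used in the AADSTS700024 message (7 fractional digits, UTC).
_TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)Z"
_AADSTS700024 = re.compile(
    r"AADSTS700024:.*?Current time: " + _TS
    + r", assertion valid from " + _TS
    + r", expiry time of assertion " + _TS
)

def _parse_utc(ts):
    # datetime keeps 6 fractional digits, so truncate the 7th.
    head, _, frac = ts.partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))

def triage(line):
    """Return window details for an AADSTS700024 log line, or None if absent."""
    m = _AADSTS700024.search(line)
    if m is None:
        return None
    now, valid_from, expiry = (_parse_utc(g) for g in m.groups())
    if now > expiry:
        verdict, outside_by = "expired", now - expiry
    elif now < valid_from:
        verdict, outside_by = "not_yet_valid", valid_from - now
    else:
        verdict, outside_by = "inside_window", timedelta(0)
    return {"verdict": verdict, "lifetime": expiry - valid_from,
            "token_age": now - valid_from, "outside_by": outside_by}

# Message text from the log on this page, cut after the expiry timestamp.
PAGE_LINE = ("System.InvalidOperationException: ERROR: AADSTS700024: Client assertion "
             "is not within its valid time range. Current time: 2024-09-24T20:33:19.6123783Z, "
             "assertion valid from 2024-09-24T20:16:20.0000000Z, "
             "expiry time of assertion 2024-09-24T20:26:20.0000000Z.")
# Constructed line: current time precedes "valid from" (the other way to miss the window).
EARLY_LINE = ("ERROR: AADSTS700024: Client assertion is not within its valid time range. "
              "Current time: 2024-09-24T20:16:00.0000000Z, "
              "assertion valid from 2024-09-24T20:16:20.0000000Z, "
              "expiry time of assertion 2024-09-24T20:26:20.0000000Z.")

if __name__ == "__main__":
    for sample in (PAGE_LINE, EARLY_LINE, "Running command: which az"):
        print(triage(sample))
```

For the line from this page it reports a 10-minute lifetime and a login attempt about 7 minutes after expiry, which matches the explanation above.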

@ahsonkhan ahsonkhan merged commit b00bfce into Azure:main Sep 24, 2024
17 checks passed
@ahsonkhan ahsonkhan deleted the APCDontRedirectCSharp branch September 24, 2024 23:11
@ahsonkhan
Contributor Author

> Yes, let's file a tracking issue.

Done #46209

Successfully merging this pull request may close these issues.

Update the request header sent to the OIDC endpoint so it doesn't result in a redirect response when an invalid system access token is provided.