
MSI with federated identity credentials fails with AADSTS500011: The resource principal named api://AzureADTokenExchange./default was not found #2793

Open
arjunbalgovind opened this issue Apr 24, 2024 · 0 comments

Comments


arjunbalgovind commented Apr 24, 2024

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.18.0

Web app

Sign-in users and call web APIs

Web API

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Description

I was testing out some code with MSI FIC and observed that both the client credentials flow and OBO using federated identity credentials fail on version 2.18.0, but 2.17.5 seems to be working fine.

Reproduction steps

  1. Upgrade to 2.18.0
  2. Run the snippet mentioned below on a VM with a user-assigned managed identity that has federated credentials on an AAD app in the same tenant.
  3. Downgrade to 2.17.5 and validate that the issue does not repro.

Error message

```text
Azure.Identity.CredentialUnavailableException
HResult=0x80131500
Message=DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named api://AzureADTokenExchange./default was not found in the tenant named REDACTED. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID:REDACTED"}

Source=Azure.Identity
StackTrace:
at Azure.Identity.DefaultAzureCredential.d__14.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Azure.Identity.DefaultAzureCredential.d__12.MoveNext()
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.DefaultAzureCredential.d__12.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Azure.Identity.DefaultAzureCredential.d__11.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Microsoft.Identity.Web.ManagedIdentityClientAssertion.d__4.MoveNext()
at Microsoft.Identity.Web.ClientAssertionProviderBase.d__2.MoveNext()
at Microsoft.Identity.Client.Internal.ClientCredential.SignedAssertionDelegateClientCredential.d__10.MoveNext()
at Microsoft.Identity.Client.OAuth2.TokenClient.d__7.MoveNext()
at Microsoft.Identity.Client.OAuth2.TokenClient.d__5.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__26.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__5.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__4.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__3.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
at Microsoft.Identity.Client.Utils.StopwatchService.d__4.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__11.MoveNext()
at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.d__4.MoveNext()
at Program.<<Main>$>d__0.MoveNext() in
```

Id Web logs

No response

Relevant code snippets

```csharp
// See https://aka.ms/new-console-template for more information
using System;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Placeholders (not part of the original report): fill in with the values for your tenant.
string appClientId = "<app-client-id>";                 // AAD app that carries the federated identity credential
string tenantId = "<tenant-id>";
string msiClientId = "<user-assigned-msi-client-id>";   // user-assigned managed identity on the VM

// I can repro the issue even if I use .WithTenantId instead of .WithAuthority.
IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appClientId)
  .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), false)
  // The managed identity signs the client assertion the app presents instead of a client secret/certificate.
  .WithClientAssertion(new ManagedIdentityClientAssertion(msiClientId).GetSignedAssertion)
  .Build();

var res = await myApp.AcquireTokenForClient(new string[] { $"{appClientId}/.default" }).ExecuteAsync();
Console.WriteLine($"Token acquired; expires on {res.ExpiresOn}");
```

Regression

2.17.5

Expected behavior

Successfully fetch a token with federated identity credentials.
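The resource principal quoted in the AADSTS500011 error above, `api://AzureADTokenExchange./default`, differs from the documented token-exchange scope `api://AzureADTokenExchange/.default` only in where the `.` sits, so Entra ID looks up a resource that does not exist in the tenant. A cheap pre-flight check on scope strings catches that class of defect client-side, before any request is sent and before a misleading "wrong tenant" diagnosis starts. The following is an added example, not code from the issue or from Microsoft.Identity.Web; the sample scope strings are constructed for the example, the GUID is a dummy value, and the lint rules are assumptions about what a well-formed `<resource>/.default` scope looks like.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed samples for this example. The malformed one mirrors the resource
# principal quoted in the AADSTS500011 error above.
WELL_FORMED = "api://AzureADTokenExchange/.default"
MALFORMED = "api://AzureADTokenExchange./default"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def split_scope(scope: str) -> Tuple[str, str]:
    """Split an Entra scope string into (resource identifier, permission).

    The permission is whatever follows the last '/', the resource identifier is
    everything before it. Entra resolves the resource identifier to a service
    principal in the tenant, so a stray character there is what produces
    AADSTS500011 ("resource principal ... was not found").
    """
    resource, sep, permission = scope.rpartition("/")
    if not sep or not resource:
        raise ValueError(f"scope has no resource/permission separator: {scope!r}")
    return resource, permission


def lint_default_scope(scope: str, expected_resource: Optional[str] = None) -> List[str]:
    """Return the problems found in a '<resource>/.default' scope (empty list if clean).

    expected_resource, when given, is the resource identifier the caller intends
    to target (e.g. 'api://AzureADTokenExchange'); a mismatch is reported too.
    """
    problems: List[str] = []
    try:
        resource, permission = split_scope(scope)
    except ValueError as exc:
        return [str(exc)]

    if permission != ".default":
        problems.append(f"permission is {permission!r}, expected '.default'")
    if resource.endswith("."):
        problems.append(f"resource identifier ends with '.': {resource!r}")

    # Resources are either an app (client) ID GUID or an Application ID URI.
    if not GUID_RE.match(resource):
        parts = urlsplit(resource)
        if parts.scheme not in ("api", "https"):
            problems.append(f"resource identifier has unexpected scheme {parts.scheme!r}")
        if not parts.netloc:
            problems.append(f"resource identifier has no authority part: {resource!r}")

    if expected_resource is not None and resource != expected_resource:
        problems.append(f"resource identifier {resource!r} != expected {expected_resource!r}")
    return problems


if __name__ == "__main__":
    for s in (WELL_FORMED, MALFORMED):
        print(s, "->", lint_default_scope(s, "api://AzureADTokenExchange") or "ok")
```

Running the block reports the well-formed scope as clean and flags the malformed one three times: the permission is `default` rather than `.default`, the resource identifier ends in `.`, and it no longer matches the intended `api://AzureADTokenExchange`. The same check accepts the `{appClientId}/.default` form used in the reproduction snippet, since a client ID GUID is a valid resource identifier.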
