I was testing out some code with MSI FIC and observed that both client credentials flows as well as obo using federated identity credentials fail on version 2.18.0 but 2.17.5 seems to be working fine.
Reproduction steps
Upgrade to 2.18.0
Run the snippet mentioned below on a VM with a user assigned managed identity that has federated credentials on an AAD app on the same tenant.
Downgrade to 2.17.5 and validate that the issue does not repro.
ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
Content:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named api://AzureADTokenExchange./default was not found in the tenant named REDACTED. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID:REDACTED"}
Source=Azure.Identity
StackTrace:
at Azure.Identity.DefaultAzureCredential.d__14.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Azure.Identity.DefaultAzureCredential.d__12.MoveNext()
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.DefaultAzureCredential.d__12.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Azure.Identity.DefaultAzureCredential.d__11.MoveNext()
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Microsoft.Identity.Web.ManagedIdentityClientAssertion.d__4.MoveNext()
at Microsoft.Identity.Web.ClientAssertionProviderBase.d__2.MoveNext()
at Microsoft.Identity.Client.Internal.ClientCredential.SignedAssertionDelegateClientCredential.d__10.MoveNext()
at Microsoft.Identity.Client.OAuth2.TokenClient.d__7.MoveNext()
at Microsoft.Identity.Client.OAuth2.TokenClient.d__5.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__26.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__5.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__4.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.d__3.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
at Microsoft.Identity.Client.Utils.StopwatchService.d__4.MoveNext()
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__11.MoveNext()
at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.d__4.MoveNext()
at Program.<$>d__0.MoveNext() in
Id Web logs
No response
Relevant code snippets
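// See https://aka.ms/new-console-template for more information
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Placeholder values: the report does not include the real identifiers.
string tenantId = "<tenant-id>";
string appClientId = "<app-client-id>"; // AAD app that holds the federated credential
string msiClientId = "<msi-client-id>"; // user-assigned managed identity

// I can repro the issue even if I use .WithTenantId instead of .WithAuthority.
IConfidentialClientApplication myApp = ConfidentialClientApplicationBuilder.Create(appClientId)
    .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"), false)
    .WithClientAssertion(new ManagedIdentityClientAssertion(msiClientId).GetSignedAssertion)
    .Build();

var res = await myApp.AcquireTokenForClient(new string[] { $"{appClientId}/.default" }).ExecuteAsync();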
Regression
2.17.5
Expected behavior
Successfully fetch a token with federated identity credentials.
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
2.18.0
Web app
Sign-in users and call web APIs
Web API
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
Error message
Azure.Identity.CredentialUnavailableException
HResult=0x80131500
Message=DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot