Unable to authenticate on Azure China Cloud using CLI based authentication #22705

Closed
bigdatasourav opened this issue Apr 5, 2024 · 5 comments
Assignees
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. Graph issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@bigdatasourav
Bug Report

  • What happened?

Here is my code -

package main

import (
	"context"
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	a "github.com/microsoft/kiota-authentication-azure-go"
	msgraphsdkgo "github.com/microsoftgraph/msgraph-sdk-go"
)

func main() {
	ctx := context.Background()

	// Create Azure CLI credential
	cred, err := azidentity.NewAzureCLICredential(nil)
	if err != nil {
		fmt.Printf("Error creating Azure CLI Credential: %v\n", err)
		return
	}

	tokenOptions := policy.TokenRequestOptions{
		Scopes: []string{"https://management.chinacloudapi.cn/.default"},
	}
	_, err = cred.GetToken(ctx, tokenOptions)
	if err != nil {
		fmt.Printf("Error obtaining token: %v\n", err)
		return
	}

	// Create an authentication provider with the Azure CLI credential
	auth, err := a.NewAzureIdentityAuthenticationProvider(cred)
	if err != nil {
		fmt.Printf("Error creating authentication provider: %v\n", err)
		return
	}

	// Create a request adapter using the authentication provider
	adapter, err := msgraphsdkgo.NewGraphRequestAdapter(auth)
	if err != nil {
		fmt.Printf("Error creating graph adapter: %v\n", err)
		return
	}

	// Create a new Microsoft Graph client with the adapter
	client := msgraphsdkgo.NewGraphServiceClient(adapter)

	// Example of listing users
	users, err := client.Users().Get(ctx, nil)
	if err != nil {
		fmt.Printf("Error getting users: %v\n", err)
		return
	}

	// Iterate through the user list
	for _, user := range users.GetValue() {
		fmt.Printf("User ID: %s, Display Name: %s\n", *user.GetId(), *user.GetDisplayName())
	}
}

  • What did you expect or want to happen?
    It should work with Azure China Cloud
  • How can we reproduce it?
  • Anything we should know about your environment.
@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 5, 2024
@chlowell
Member

chlowell commented Apr 5, 2024

I guess this is about the error mentioned in turbot/steampipe-plugin-azuread#167 (if not, please share details about the error)? That error suggests the CLI requested a token for Graph in Azure Public Cloud from Azure China i.e., someone called AzureCLICredential.GetToken() with the wrong scope. If it was the Graph client making the call, you need to configure that client to pass the correct scope for Azure China (https://graph.chinacloudapi.cn//.default). Looks like microsoftgraph/msgraph-sdk-go#26 shows how to do this.

@chlowell chlowell self-assigned this Apr 5, 2024
@chlowell chlowell added issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Apr 5, 2024

github-actions bot commented Apr 5, 2024

Hi @bigdatasourav. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@chlowell chlowell added the Graph label Apr 5, 2024
@bigdatasourav
Author

bigdatasourav commented Apr 6, 2024

Thanks for the quick reply, @chlowell. So below is the correct way (set the base URL) to set the China Cloud endpoint? Or do I need to update the authentication provider as well -

auth, _ := a.NewAzureIdentityAuthenticationProviderWithScopes(cred, []string{
		"https://microsoftgraph.chinacloudapi.cn/.default",
})

package main

import (
	"context"
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	a "github.com/microsoft/kiota-authentication-azure-go"
	msgraphsdkgo "github.com/microsoftgraph/msgraph-sdk-go"
)

func main() {
	ctx := context.Background()

	// Create Azure CLI credential
	cred, err := azidentity.NewAzureCLICredential(nil)
	if err != nil {
		fmt.Printf("Error creating Azure CLI Credential: %v\n", err)
		return
	}

	// Create an authentication provider with the Azure CLI credential
	auth, err := a.NewAzureIdentityAuthenticationProvider(cred)
	if err != nil {
		fmt.Printf("Error creating authentication provider: %v\n", err)
		return
	}

	// Create a request adapter using the authentication provider
	adapter, err := msgraphsdkgo.NewGraphRequestAdapter(auth)
	if err != nil {
		fmt.Printf("Error creating graph adapter: %v\n", err)
		return
	}
	
	// set endpoint
	adapter.SetBaseUrl("https://microsoftgraph.chinacloudapi.cn/v1.0")

	// Create a new Microsoft Graph client with the adapter
	client := msgraphsdkgo.NewGraphServiceClient(adapter)

	// Example of listing users
	users, err := client.Users().Get(ctx, nil)
	if err != nil {
		fmt.Printf("Error getting users: %v\n", err)
		return
	}

	// Iterate through the user list
	for _, user := range users.GetValue() {
		fmt.Printf("User ID: %s, Display Name: %s\n", *user.GetId(), *user.GetDisplayName())
	}
}

@chlowell
Member

chlowell commented Apr 8, 2024

That looks like the right function to me because judging by its name, NewAzureIdentityAccessTokenProviderWithScopes does what you need, but I'm not familiar with these modules (they aren't part of the Azure SDK). You may need to pass https://microsoftgraph.chinacloudapi.cn//.default for the scope--note the empty segment //.
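
The scope/endpoint mismatch discussed in this thread can be caught before any token is requested. The following is an added example, not code from the thread or from the Azure or Graph SDKs: a standard-library pre-flight check (the helper names `scopeHost` and `CheckScopes` are hypothetical) that compares the host of each `/.default` scope with the host of the Graph base URL. `https://graph.microsoft.com/.default` is the public-cloud Graph scope; the other values are taken from the thread.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// scopeHost returns the host of a "/.default" scope; "host/.default" and "host//.default" both parse.
func scopeHost(scope string) (string, error) {
	if !strings.HasSuffix(scope, "/.default") {
		return "", fmt.Errorf("scope %q does not end in /.default", scope)
	}
	u, err := url.Parse(strings.TrimSuffix(scope, "/.default"))
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("scope %q is not an https resource URL", scope)
	}
	return strings.ToLower(u.Host), nil
}

// CheckScopes (hypothetical helper) fails when a scope names a different host than the API base URL.
func CheckScopes(baseURL string, scopes []string) error {
	b, err := url.Parse(baseURL)
	if err != nil || b.Host == "" {
		return fmt.Errorf("bad base URL %q", baseURL)
	}
	for _, s := range scopes {
		got, err := scopeHost(s)
		if err != nil {
			return err
		}
		if want := strings.ToLower(b.Host); got != want {
			return fmt.Errorf("scope host %s does not match API host %s", got, want)
		}
	}
	return nil
}

func main() {
	base := "https://microsoftgraph.chinacloudapi.cn/v1.0" // base URL from the thread
	for _, s := range []string{
		"https://graph.microsoft.com/.default",              // public-cloud Graph scope
		"https://management.chinacloudapi.cn/.default",      // ARM scope from the first program
		"https://microsoftgraph.chinacloudapi.cn//.default", // form suggested in the thread
	} {
		fmt.Println(s, "->", CheckScopes(base, []string{s}))
	}
}
```

Only the third scope passes: a token obtained for the Azure China management endpoint, as in the first program, is no more usable against Graph than one requested for the public cloud.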

Hi @bigdatasourav, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 14, 2024