From fce27c732a165688f9bc7df40e9e597d4383b797 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 6 Nov 2023 10:30:38 -0800 Subject: [PATCH 1/4] update TSG with IntelliJ auth. --- sdk/identity/azure-identity/TROUBLESHOOTING.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index 91f034fc737ad..1707fe90d0713 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md @@ -22,6 +22,7 @@ This troubleshooting guide covers failure investigation techniques, common error - [Troubleshoot AzureDeveloperCliCredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues) - [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues) - [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues) +- [Troubleshoot IntelliJCredential authentication issues](#troubleshoot-intellij-authentication-issues) - [Get additional help](#get-additional-help) ## Handle Azure Identity exceptions @@ -275,6 +276,12 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net" |---|---|---| |`CredentialUnavailableException` raised with message. "WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured."|The `WorkloadIdentityCredential` requires `clientId`, `tenantId` and `tokenFilePath` to authenticate with Microsoft Entra ID.| +## Troubleshoot `IntelliJCredential` authentication issues + +| Error |Description| Mitigation | +|---|---|---| +|`CredentialUnavailableException` raised with message. "IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE."| The Credential was not able to locate the cached token to use for authentication. | Ensure that you login on the Azure Tools for IntelliJ plugin, that will populate the cache for the credential to pick up. + ## Troubleshoot multi-tenant authentication issues `ClientAuthenticationException` From c7bb877a09a89f19a5582314cd78e6970d1e42b8 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 6 Nov 2023 10:43:11 -0800 Subject: [PATCH 2/4] add thread pool mitigation for deadlock --- .../azure-identity/TROUBLESHOOTING.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index 1707fe90d0713..1311a1ce7aa9b 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md @@ -289,6 +289,38 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net" |---|---|---| |The current credential is not configured to acquire tokens for tenant |The application must configure the credential to allow acquiring tokens from the requested tenant.|Add the requested tenant ID it to the `additionallyAllowedTenants` on the credential builder, or add \"*\" to `additionallyAllowedTenants` to allow acquiring tokens for any tenant.

This exception was added as part of a breaking change to multi tenant authentication in version `1.6.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/BREAKING_CHANGES.md) | +## Troubleshoot authentication timeout issues + +### Using Thread pool +The Azure Identity library plays a pivotal role in executing authentication requests. However, a potential concern +arises when your application concurrently relies on the common fork-join pool. This concurrency scenario can lead to +a deadlock situation, wherein both the Azure Identity library and your application compete for threads from the +common fork-join pool. In order to prevent such a deadlock and ensure smooth authentication processes, it is +strongly recommended that you configure a dedicated thread pool specifically for the credentials. By implementing +this configuration, you can ensure that the Azure Identity library and your application do not clash over the +allocation of threads from the common fork-join pool. + +To effectively address this deadlock situation, follow these steps: + +* Create a Dedicated Thread Pool: Configure a separate and dedicated thread pool for the credential processes within your application. This ensures that the Azure Identity library does not interfere with your application's use of the common fork-join pool. + +* Isolation of Thread Pools: Ensure that the dedicated thread pool for credential operations remains isolated and distinct from the common fork-join pool, which is used by the application. + +Here's a code sample below: + +```java +ExecutorService executorService = Executors.newCachedThreadPool(); +ClientSecretCredential credential = new ClientSecretCredentialBuilder() + .clientId("") + .tenantId("") + .clientSecret("") + .executorService(executorService) + .build(); + +//Shutdown the thread pool once no longer needed. +executorService.shutdown(); +``` + ## Get additional help Additional information on ways to reach out for support can be found in the [SUPPORT.md](https://github.com/Azure/azure-sdk-for-java/blob/main/SUPPORT.md) at the root of the repo. From 7ac4bfa3ddae166ab4990e03ce324bfb8ed30c73 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 6 Nov 2023 14:10:45 -0800 Subject: [PATCH 3/4] update exception message. --- .../azure-identity/TROUBLESHOOTING.md | 27 ++++++++++++------- .../implementation/IdentityClient.java | 4 ++- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index 1311a1ce7aa9b..1a9742f3dd9be 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md @@ -23,6 +23,7 @@ This troubleshooting guide covers failure investigation techniques, common error - [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues) - [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues) - [Troubleshoot IntelliJCredential authentication issues](#troubleshoot-intellij-authentication-issues) +- [Troubleshoot authentication timeout issues](#troubleshoot-authentication-timeout-issues) - [Get additional help](#get-additional-help) ## Handle Azure Identity exceptions @@ -309,18 +310,24 @@ To effectively address this deadlock situation, follow these steps: Here's a code sample below: ```java -ExecutorService executorService = Executors.newCachedThreadPool(); -ClientSecretCredential credential = new ClientSecretCredentialBuilder() - .clientId("") - .tenantId("") - .clientSecret("") - .executorService(executorService) - .build(); - -//Shutdown the thread pool once no longer needed. -executorService.shutdown(); +ExecutorService executorService = Executors.newCachedThreadPool(); + +try { + ClientSecretCredential credential = new ClientSecretCredentialBuilder() + .clientId("") + .tenantId("") + .clientSecret("") + .executorService(executorService) + .build(); + +} finally { + //Shutdown the thread pool once no longer needed. + executorService.shutdown(); +} ``` +You can find more info about Fork Join Pool [here](https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ForkJoinPool.html). + ## Get additional help Additional information on ways to reach out for support can be found in the [SUPPORT.md](https://github.com/Azure/azure-sdk-for-java/blob/main/SUPPORT.md) at the root of the repo. diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java index edd357435b69d..72bbfd33b62f1 100644 --- a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java +++ b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java @@ -233,7 +233,9 @@ public Mono authenticateWithIntelliJ(TokenRequestContext request) { if (authDetails == null) { return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options, new CredentialUnavailableException("IntelliJ Authentication not available." - + " Please log in with Azure Tools for IntelliJ plugin in the IDE."))); + + " Please log in with Azure Tools for IntelliJ plugin in the IDE." + + " Fore more details refer to the troubleshooting guidelines here at" + + " https://aka.ms/azsdk/java/identity/intellijcredential/troubleshoot"))); } String authType = authDetails.getAuthMethod(); if ("SP".equalsIgnoreCase(authType)) { From 92bc051019f185f9dc1d4575fb8b2f124e7538fb Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 6 Nov 2023 15:06:24 -0800 Subject: [PATCH 4/4] Fix hyperlink in TROUBLESHOOTING.md --- sdk/identity/azure-identity/TROUBLESHOOTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/identity/azure-identity/TROUBLESHOOTING.md b/sdk/identity/azure-identity/TROUBLESHOOTING.md index 1a9742f3dd9be..7c23e0c5460b0 100644 --- a/sdk/identity/azure-identity/TROUBLESHOOTING.md +++ b/sdk/identity/azure-identity/TROUBLESHOOTING.md @@ -22,7 +22,7 @@ This troubleshooting guide covers failure investigation techniques, common error - [Troubleshoot AzureDeveloperCliCredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues) - [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues) - [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues) -- [Troubleshoot IntelliJCredential authentication issues](#troubleshoot-intellij-authentication-issues) +- [Troubleshoot IntelliJCredential authentication issues](#troubleshoot-intellijcredential-authentication-issues) - [Troubleshoot authentication timeout issues](#troubleshoot-authentication-timeout-issues) - [Get additional help](#get-additional-help)