From 66767777d85f4fd6c5148ace1734e3ca4aef3705 Mon Sep 17 00:00:00 2001 From: Scott Schaab Date: Tue, 8 Nov 2022 14:52:38 -0800 Subject: [PATCH] Updating Identity for 1.8.0 release (#32353) * [Identity] Update documentation (#31867) This updates the README and TROUBLESHOOTING files for greater consistency with other language docs and for general enhancement. Code snippets were added for the README. Ref: #31064 Signed-off-by: Paul Van Eck Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com> * fix error messages with AADSTS and az login (#31949) * fix error messages with AADSTS and az login * Update SharedTokenCacheCredential XML class documentation (#32195) * [Identity] Class documentation improvements (#32043) This adds additional details to the docstrings for some of the credential classes. Users may find the added info helpful. Also added missing envvar in README. Signed-off-by: Paul Van Eck * Update Azure.Identity changelog (#32216) * Handle Managed Identity json parse errors as CredentialUnAvailableException (#32272) * handle json parse errors as CredentialNotAvailable * update changelog for 1.8.0 release * update csproj version Signed-off-by: Paul Van Eck Co-authored-by: Paul Van Eck Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com> Co-authored-by: Christopher Scott --- sdk/identity/Azure.Identity/CHANGELOG.md | 22 +- sdk/identity/Azure.Identity/README.md | 207 ++++++++++-------- .../Azure.Identity/TROUBLESHOOTING.md | 150 +++++++------ .../Azure.Identity/src/Azure.Identity.csproj | 2 +- .../src/Credentials/AzureCliCredential.cs | 9 +- .../src/Credentials/EnvironmentCredential.cs | 31 ++- .../Credentials/SharedTokenCacheCredential.cs | 3 +- .../Credentials/VisualStudioCodeCredential.cs | 8 +- .../src/Credentials/VisualStudioCredential.cs | 4 +- .../src/ManagedIdentitySource.cs | 4 + .../tests/AzureCliCredentialTests.cs | 1 + .../tests/ManagedIdentityCredentialTests.cs | 7 +- .../tests/samples/ReadmeSnippets.cs | 34 +++ 13 files changed, 304 insertions(+), 178 deletions(-) diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md index 8e065ba4461d6..3ab30d57b551e 100644 --- a/sdk/identity/Azure.Identity/CHANGELOG.md +++ b/sdk/identity/Azure.Identity/CHANGELOG.md @@ -1,14 +1,24 @@ # Release History -## 1.8.0-beta.2 (Unreleased) +## 1.8.0 (2022-11-08) -### Features Added +### Bugs Fixed +- Fixed error message parsing in `AzureCliCredential` which would misinterpret AAD errors with the need to login with `az login`. [#26894](https://github.com/Azure/azure-sdk-for-net/issues/26894), [#29109](https://github.com/Azure/azure-sdk-for-net/issues/29109) +- `ManagedIdentityCredential` will no longer fail when a response received from the endpoint is invalid JSON. It now treats this scenario as if the credential is unavailable. [#30467](https://github.com/Azure/azure-sdk-for-net/issues/30467), [#32061](https://github.com/Azure/azure-sdk-for-net/issues/32061) -### Breaking Changes +## 1.9.0-beta.1 (2022-10-13) -### Bugs Fixed +### Features Added +- Credentials that are implemented via launching a sub-process to acquire tokens now have configurable timeouts. This addresses scenarios where these proceses can take longer than the current default timeout values. (A community contribution, courtesy of _[reynaldoburgos](https://github.com/reynaldoburgos)_). The affected credentials and their associated options are: + - `AzureCliCredential` and `AzureCliCredentialOptions.CliProcessTimeout` + - `AzurePowerShellCredential` and `AzurePowerShellCredentialOptions.PowerShellProcessTimeout` + - `VisualStudioCredential` and `VisualStudioCredentialOptions.VisualStudioProcessTimeout` + - `DefaultAzureCredential` and `DefaultAzureCredentialOptions.DeveloperCredentialTimeout` Note: this option applies to all developer credentials above when using `DefaultAzureCredential`. -### Other Changes +### Acknowledgments +Thank you to our developer community members who helped to make Azure Identity better with their contributions to this release: + +- _[reynaldoburgos](https://github.com/reynaldoburgos)_ ## 1.8.0-beta.1 (2022-10-13) @@ -104,7 +114,7 @@ Thank you to our developer community members who helped to make Azure Identity b ### Breaking Changes from 1.5.0-beta.4 - The `AllowMultiTenantAuthentication` option has been removed and the default behavior is now as if it were true. The multi-tenant discovery feature can be totally disabled by either setting an `AppContext` switch named "Azure.Identity.DisableTenantDiscovery" to `true` or by setting the environment variable "AZURE_IDENTITY_DISABLE_MULTITENANTAUTH" to "true". - Removed the `IsPIILoggingEnabled` property from `TokenCredentialOptions`, similar functionality is planned to be added to `TokenCredentialOptions.Diagnostics` in a later release. -- Removed `RegionalAuthority` from `ClientCertificateCredentialOptions` and `ClientSecretCredentialOptions`, along with the `RegionalAuthority` type. This feature will stay in preview, and these APIs will be added back in `1.6.0-beta.1`. +- Removed `RegionalAuthority` from `ClientCertificateCredentialOptions` and `ClientSecretCredentialOptions`, along with the `RegionalAuthority` type. - Renamed struct `TokenCacheDetails` to `TokenCacheData`. - Renamed class `TokenCacheNotificationDetails` to `TokenCacheRefreshArgs`. - Updated `CacheBytes` property on `TokenCacheData` to be readonly and a required constructor parameter. diff --git a/sdk/identity/Azure.Identity/README.md b/sdk/identity/Azure.Identity/README.md index c2f109ca8dea6..152e06fd7c524 100644 --- a/sdk/identity/Azure.Identity/README.md +++ b/sdk/identity/Azure.Identity/README.md @@ -1,7 +1,8 @@ # Azure Identity client library for .NET - The Azure Identity library provides Azure Active Directory token authentication support across the Azure SDK. It provides a set of TokenCredential implementations which can be used to construct Azure SDK clients which support AAD token authentication. - [Source code][source] | [Package (nuget)][package] | [API reference documentation][identity_api_docs] | [Azure Active Directory documentation][aad_doc] +The Azure Identity library provides [Azure Active Directory (Azure AD)](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) token authentication support across the Azure SDK. It provides a set of [`TokenCredential`](https://learn.microsoft.com/dotnet/api/azure.core.tokencredential?view=azure-dotnet) implementations which can be used to construct Azure SDK clients which support Azure AD token authentication. + + [Source code][source] | [Package (NuGet)][package] | [API reference documentation][identity_api_docs] | [Azure AD documentation][aad_doc] ## Getting started @@ -21,21 +22,21 @@ dotnet add package Azure.Identity When debugging and executing code locally it is typical for a developer to use their own account for authenticating calls to Azure services. There are several developer tools which can be used to perform this authentication in your development environment. -#### Authenticating via Visual Studio +#### Authenticate via Visual Studio -Developers using Visual Studio 2017 or later can authenticate an Azure Active Directory account through the IDE. Applications using the `DefaultAzureCredential` or the `VisualStudioCredential` can then use this account to authenticate calls in their application when running locally. +Developers using Visual Studio 2017 or later can authenticate an Azure AD account through the IDE. Applications using the `DefaultAzureCredential` or the `VisualStudioCredential` can then use this account to authenticate calls in their application when running locally. -To authenticate in Visual Studio select the `Tools > Options` menu to launch the Options dialog. Then navigate to the `Azure Service Authentication` options to sign in with your Azure Active Directory account. +To authenticate in Visual Studio, select the **Tools** > **Options** menu to launch the Options dialog. Then navigate to the `Azure Service Authentication` options to sign in with your Azure AD account. ![Visual Studio Account Selection][vs_login_image] -#### Authenticating via Visual Studio Code +#### Authenticate via Visual Studio Code Developers using Visual Studio Code can use the [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) to authenticate via the editor. Applications using the `DefaultAzureCredential` or the `VisualStudioCodeCredential` can then use this account to authenticate calls in their application when running locally. It's a [known issue](https://github.com/Azure/azure-sdk-for-net/issues/27263) that `VisualStudioCodeCredential` doesn't work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider [authenticating via the Azure CLI](#authenticating-via-the-azure-cli). -#### Authenticating via the Azure CLI +#### Authenticate via the Azure CLI Developers coding outside of an IDE can also use the [Azure CLI][azure_cli] to authenticate. Applications using the `DefaultAzureCredential` or the `AzureCliCredential` can then use this account to authenticate calls in their application when running locally. @@ -47,7 +48,7 @@ For systems without a default web browser, the `az login` command will use the d ![Azure CLI Account Device Code Sign In][azure_cli_login_device_code_image] -#### Authenticating via Azure PowerShell +#### Authenticate via Azure PowerShell Developers coding outside of an IDE can also use [Azure PowerShell][azure_powerShell] to authenticate. Applications using the `DefaultAzureCredential` or the `AzurePowerShellCredential` can then use this account to authenticate calls in their application when running locally. @@ -58,18 +59,18 @@ For systems without a default web browser, the `Connect-AzAccount` command will ## Key concepts ### Credentials -A credential is a class which contains or can obtain the data needed for a service client to authenticate requests. Service clients across Azure SDK accept credentials when they are constructed, and service clients use those credentials to authenticate requests to the service. +A credential is a class which contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept credentials when they're constructed. Service clients use those credentials to authenticate requests to the service. -The Azure Identity library focuses on OAuth authentication with Azure Active directory, and it offers a variety of credential classes capable of acquiring an AAD token to authenticate service requests. All of the credential classes in this library are implementations of the `TokenCredential` abstract class in [Azure.Core][azure_core_library], and any of them can be used to construct service clients capable of authenticating with a `TokenCredential`. +The Azure Identity library focuses on OAuth authentication with Azure AD, and it offers a variety of credential classes capable of acquiring an Azure AD token to authenticate service requests. All of the credential classes in this library are implementations of the `TokenCredential` abstract class in [Azure.Core][azure_core_library], and any of them can be used to construct service clients capable of authenticating with a `TokenCredential`. See [Credential Classes](#credential-classes) for a complete listing of available credential types. ### DefaultAzureCredential -The `DefaultAzureCredential` is appropriate for most scenarios where the application is intended to ultimately be run in the Azure Cloud. This is because the `DefaultAzureCredential` combines credentials commonly used to authenticate when deployed, with credentials used to authenticate in a development environment. +The `DefaultAzureCredential` is appropriate for most scenarios where the application is intended to ultimately be run in Azure. This is because the `DefaultAzureCredential` combines credentials commonly used to authenticate when deployed, with credentials used to authenticate in a development environment. > Note: `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types. -The `DefaultAzureCredential` will attempt to authenticate via the following mechanisms in order. +The `DefaultAzureCredential` attempts to authenticate via the following mechanisms, in this order, stopping when one succeeds: ![DefaultAzureCredential authentication flow][default_azure_credential_authflow_image] @@ -83,7 +84,7 @@ The `DefaultAzureCredential` will attempt to authenticate via the following mech ## Examples -### Authenticating with the `DefaultAzureCredential` +### Authenticate with `DefaultAzureCredential` This example demonstrates authenticating the `SecretClient` from the [Azure.Security.KeyVault.Secrets][secrets_client_library] client library using the `DefaultAzureCredential`. @@ -92,7 +93,7 @@ This example demonstrates authenticating the `SecretClient` from the [Azure.Secu var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential()); ``` -### Enabling the interactive authentication with the `DefaultAzureCredential` +### Enable interactive authentication with `DefaultAzureCredential` Interactive authentication is disabled in the `DefaultAzureCredential` by default. This example demonstrates two ways of enabling the interactive authentication portion of the `DefaultAzureCredential`. When enabled the `DefaultAzureCredential` will fall back to interactively authenticating the developer via the system's default browser if when no other credentials are available. This example then authenticates an `EventHubProducerClient` from the [Azure.Messaging.EventHubs][eventhubs_client_library] client library using the `DefaultAzureCredential` with interactive authentication enabled. @@ -103,8 +104,8 @@ var credential = new DefaultAzureCredential(includeInteractiveCredentials: true) var eventHubClient = new EventHubProducerClient("myeventhub.eventhubs.windows.net", "myhubpath", credential); ``` -### Specifying a user assigned managed identity with the `DefaultAzureCredential` -Many Azure hosts allow the assignment of a user assigned managed identity. This example demonstrates configuring the `DefaultAzureCredential` to authenticate a user assigned identity when deployed to an azure host. It then authenticates a `BlobClient` from the [Azure.Storage.Blobs][blobs_client_library] client library with credential. +### Specify a user-assigned managed identity with `DefaultAzureCredential` +Many Azure hosts allow the assignment of a user-assigned managed identity. This example demonstrates configuring the `DefaultAzureCredential` to authenticate a user-assigned identity when deployed to an Azure host. It then authenticates a `BlobClient` from the [Azure.Storage.Blobs][blobs_client_library] client library with credential. ```C# Snippet:UserAssignedManagedIdentity // When deployed to an azure host, the default azure credential will authenticate the specified user assigned managed identity. @@ -117,7 +118,7 @@ var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net In addition to configuring the `ManagedIdentityClientId` via code, it can also be set using the `AZURE_CLIENT_ID` environment variable. These two approaches are equivalent when using the `DefaultAzureCredential`. -### Define a custom authentication flow with the `ChainedTokenCredential` +### Define a custom authentication flow with `ChainedTokenCredential` While the `DefaultAzureCredential` is generally the quickest way to get started developing applications for Azure, more advanced users may want to customize the credentials considered when authenticating. The `ChainedTokenCredential` enables users to combine multiple credential instances to define a customized chain of credentials. This example demonstrates creating a `ChainedTokenCredential` which will attempt to authenticate using managed identity, and fall back to authenticating via the Azure CLI if managed identity is unavailable in the current environment. The credential is then used to authenticate an `EventHubProducerClient` from the [Azure.Messaging.EventHubs][eventhubs_client_library] client library. ```C# Snippet:CustomChainedTokenCredential @@ -128,80 +129,110 @@ var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new var eventHubProducerClient = new EventHubProducerClient("myeventhub.eventhubs.windows.net", "myhubpath", credential); ``` -## Managed Identity Support +## Managed identity support -The [Managed identity authentication](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) is supported via either the `DefaultAzureCredential` or the `ManagedIdentityCredential` directly for the following Azure Services: -* [Azure Virtual Machines](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) -* [Azure App Service and Azure Functions](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet) -* [Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/use-managed-identity) -* [Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/msi-authorization) -* [Azure Arc](https://docs.microsoft.com/azure/azure-arc/servers/managed-identity-authentication) -* [Azure Service Fabric](https://docs.microsoft.com/azure/service-fabric/concepts-managed-identity) +[Managed identity authentication](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) is supported via either the `DefaultAzureCredential` or the `ManagedIdentityCredential` directly for the following Azure services: +* [Azure App Service and Azure Functions](https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet) +* [Azure Arc](https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication) +* [Azure Cloud Shell](https://learn.microsoft.com/azure/cloud-shell/msi-authorization) +* [Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/use-managed-identity) +* [Azure Service Fabric](https://learn.microsoft.com/azure/service-fabric/concepts-managed-identity) +* [Azure Virtual Machines](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token) +* [Azure Virtual Machines Scale Sets](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vmss) -## Credential Classes +### Examples -### Authenticating Azure Hosted Applications +These examples demonstrate authenticating the `SecretClient` from the [Azure.Security.KeyVault.Secrets][secrets_client_library] client library using the `ManagedIdentityCredential`. -|Credential | Usage -|-|- -|[`DefaultAzureCredential`][ref_DefaultAzureCredential]|provides a simplified authentication experience to quickly start developing applications run in the Azure cloud -|[`ChainedTokenCredential`][ref_ChainedTokenCredential]|allows users to define custom authentication flows composing multiple credentials -|[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|authenticates the managed identity of an azure resource -|[`EnvironmentCredential`][ref_EnvironmentCredential]|authenticates a service principal or user via credential information specified in environment variables +#### Authenticate with a user-assigned managed identity -### Authenticating Service Principals +```C# Snippet:AuthenticatingWithManagedIdentityCredentialUserAssigned +var credential = new ManagedIdentityCredential(clientId: userAssignedClientId); +var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential); +``` -|Credential | Usage -|-|- -|[`ClientAssertionCredential`][ref_ClientAssertionCredential]|authenticates a service principal using a signed client assertion -|[`ClientCertificateCredential`][ref_ClientCertificateCredential]|authenticates a service principal using a certificate -|[`ClientSecretCredential`][ref_ClientSecretCredential]|authenticates a service principal using a secret +#### Authenticate with a system-assigned managed identity -### Authenticating Users +```C# Snippet:AuthenticatingWithManagedIdentityCredentialSystemAssigned +var credential = new ManagedIdentityCredential(); +var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential); +``` -|Credential | Usage -|-|- -|[`AuthorizationCodeCredential`][ref_AuthorizationCodeCredential]|authenticates a user with a previously obtained authorization code -|[`DeviceCodeCredential`][ref_DeviceCodeCredential]|interactively authenticates a user on devices with limited UI -|[`InteractiveBrowserCredential`][ref_InteractiveBrowserCredential]|interactively authenticates a user with the default system browser -|[`OnBehalfOfCredential`][ref_OnBehalfOfCredential]|propagates the delegated user identity and permissions through the request chain -|[`UsernamePasswordCredential`][ref_UsernamePasswordCredential]|authenticates a user with a username and password +## Cloud configuration + +Credentials default to authenticating to the Azure AD endpoint for the Azure public cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the `AuthorityHost` argument. [AzureAuthorityHosts](https://learn.microsoft.com/dotnet/api/azure.identity.azureauthorityhosts?view=azure-dotnet) defines authorities for well-known clouds: + +```C# Snippet:AuthenticatingWithAuthorityHost +var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureGovernment }); +``` + +Not all credentials require this configuration. Credentials which authenticate through a development tool, such as `AzureCliCredential`, use that tool's configuration. + +## Credential classes -### Authenticating via Development Tools +### Authenticate Azure-hosted applications -|Credential | Usage +|Credential | Usage |-|- -|[`AzureCliCredential`][ref_AzureCliCredential]|authenticates in a development environment with the Azure CLI -|[`AzurePowerShellCredential`][ref_AzurePowerShellCredential]|authenticates in a development environment with the Azure PowerShell -|[`VisualStudioCredential`][ref_VisualStudioCredential]|authenticates in a development environment with Visual Studio -|[`VisualStudioCodeCredential`][ref_VisualStudioCodeCredential]|authenticates in a development environment with Visual Studio Code +|[`DefaultAzureCredential`][ref_DefaultAzureCredential]|Provides a simplified authentication experience to quickly start developing applications run in Azure. +|[`ChainedTokenCredential`][ref_ChainedTokenCredential]|Allows users to define custom authentication flows composing multiple credentials. +|[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|Authenticates the managed identity of an Azure resource. +|[`EnvironmentCredential`][ref_EnvironmentCredential]|Authenticates a service principal or user via credential information specified in environment variables. + +### Authenticate service principals + +|Credential | Usage | Reference +|-|-|- +|[`ClientAssertionCredential`][ref_ClientAssertionCredential]|Authenticates a service principal using a signed client assertion. | +|[`ClientCertificateCredential`][ref_ClientCertificateCredential]|Authenticates a service principal using a certificate. | [Service principal authentication](https://learn.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals) +|[`ClientSecretCredential`][ref_ClientSecretCredential]|Authenticates a service principal using a secret. | [Service principal authentication](https://learn.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals) + +### Authenticate users + +|Credential | Usage | Reference +|-|-|- +|[`AuthorizationCodeCredential`][ref_AuthorizationCodeCredential]|Authenticates a user with a previously obtained authorization code. | [OAuth2 authentication code](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) +|[`DeviceCodeCredential`][ref_DeviceCodeCredential]|Interactively authenticates a user on devices with limited UI. | [Device code authentication](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-device-code) +|[`InteractiveBrowserCredential`][ref_InteractiveBrowserCredential]|Interactively authenticates a user with the default system browser. | [OAuth2 authentication code](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) +|[`OnBehalfOfCredential`][ref_OnBehalfOfCredential]|Propagates the delegated user identity and permissions through the request chain. | [On-behalf-of authentication](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) +|[`UsernamePasswordCredential`][ref_UsernamePasswordCredential]|Authenticates a user with a username and password. | [Username + password authentication](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth-ropc) + +### Authenticate via development tools + +|Credential | Usage | Reference +|-|-|- +|[`AzureCliCredential`][ref_AzureCliCredential]|Authenticates in a development environment with the Azure CLI. | [Azure CLI authentication](https://learn.microsoft.com/cli/azure/authenticate-azure-cli) +|[`AzurePowerShellCredential`][ref_AzurePowerShellCredential]|Authenticates in a development environment with the Azure PowerShell. | [Azure PowerShell authentication](https://learn.microsoft.com/powershell/azure/authenticate-azureps) +|[`VisualStudioCredential`][ref_VisualStudioCredential]|Authenticates in a development environment with Visual Studio. | [Visual Studio configuration](https://learn.microsoft.com/dotnet/azure/configure-visual-studio) +|[`VisualStudioCodeCredential`][ref_VisualStudioCodeCredential]| Authenticates as the user signed in to the Visual Studio Code Azure Account extension. | [VS Code Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) > __Note:__ All credential implementations in the Azure Identity library are threadsafe, and a single credential instance can be used by multiple service clients. -## Environment Variables +## Environment variables [`DefaultAzureCredential`][ref_DefaultAzureCredential] and [`EnvironmentCredential`][ref_EnvironmentCredential] can be configured with environment variables. Each type of authentication requires values for specific variables: #### Service principal with secret -|variable name|value +|Variable name|Value |-|- -|`AZURE_CLIENT_ID`|id of an Azure Active Directory application -|`AZURE_TENANT_ID`|id of the application's Azure Active Directory tenant +|`AZURE_CLIENT_ID`|ID of an Azure AD application +|`AZURE_TENANT_ID`|ID of the application's Azure AD tenant |`AZURE_CLIENT_SECRET`|one of the application's client secrets #### Service principal with certificate -|variable name|value +|variable name|Value |-|- -|`AZURE_CLIENT_ID`|id of an Azure Active Directory application -|`AZURE_TENANT_ID`|id of the application's Azure Active Directory tenant +|`AZURE_CLIENT_ID`|ID of an Azure AD application +|`AZURE_TENANT_ID`|ID of the application's Azure AD tenant |`AZURE_CLIENT_CERTIFICATE_PATH`|path to a PFX or PEM-encoded certificate file including private key |`AZURE_CLIENT_CERTIFICATE_PASSWORD`|(optional) the password protecting the certificate file (currently only supported for PFX (PKCS12) certificates) |`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`|(optional) send certificate chain in x5c header to support subject name / issuer based authentication #### Username and password -|variable name|value +|Variable name|Value |-|- -|`AZURE_CLIENT_ID`|id of an Azure Active Directory application +|`AZURE_CLIENT_ID`|ID of an Azure AD application +|`AZURE_TENANT_ID`|ID of the application's Azure AD tenant |`AZURE_USERNAME`|a username (usually an email address) |`AZURE_PASSWORD`|that user's password @@ -212,7 +243,7 @@ client secret and certificate are both present, the client secret will be used. See the [troubleshooting guide](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/TROUBLESHOOTING.md) for details on how to diagnose various failure scenarios. -### Error Handling +### Error handling Errors arising from authentication can be raised on any service client method which makes a request to the service. This is because the first time the token is requested from the credential is on the first call to the service, and any subsequent calls might need to refresh the token. In order to distinguish these failures from failures in the service client Azure Identity classes raise the `AuthenticationFailedException` with details to the source of the error in the exception message as well as possibly the error message. Depending on the application these errors may or may not be recoverable. ``` c# @@ -232,7 +263,7 @@ catch (AuthenticationFailedException e) } ``` -For more details on dealing with errors arising from failed requests to Azure Active Directory, or managed identity endpoints please refer to the Azure Active Directory [documentation on authorization error codes][aad_err_doc]. +For more information on dealing with errors arising from failed requests to Azure AD or managed identity endpoints, see the Azure AD [documentation on authorization error codes][aad_err_doc]. ### Logging @@ -270,7 +301,7 @@ DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions { LoggedHeaderNames = { "x-ms-request-id" }, LoggedQueryParameters = { "api-version" }, - IsAccountIdentifierLoggingEnabled = true + IsAccountIdentifierLoggingEnabled = true } }; ``` @@ -296,9 +327,9 @@ There you will also find links where you can learn more about their use, includi ### Known Issues -This library does not currently support scenarios relating to the [AAD B2C](https://docs.microsoft.com/azure/active-directory-b2c/overview) service. +This library doesn't currently support scenarios relating to the [Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/overview) service. -Currently open issues for the Azure.Identity library can be found [here](https://github.com/Azure/azure-sdk-for-net/issues?q=is%3Aissue+is%3Aopen+label%3AAzure.Identity). +Open issues for the `Azure.Identity` library can be found [here](https://github.com/Azure/azure-sdk-for-net/issues?q=is%3Aissue+is%3Aopen+label%3AAzure.Identity). ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. @@ -308,13 +339,13 @@ When you submit a pull request, a CLA-bot will automatically determine whether y This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information see the [Code of Conduct FAQ][code_of_conduct_faq] or contact opencode@microsoft.com with any additional questions or comments. -[azure_cli]: https://docs.microsoft.com/cli/azure -[azure_powerShell]: https://docs.microsoft.com/powershell/azure +[azure_cli]: https://learn.microsoft.com/cli/azure +[azure_powerShell]: https://learn.microsoft.com/powershell/azure [azure_sub]: https://azure.microsoft.com/free/dotnet/ [source]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity/src [package]: https://www.nuget.org/packages/Azure.Identity -[aad_doc]: https://docs.microsoft.com/azure/active-directory/ -[aad_err_doc]: https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes +[aad_doc]: https://learn.microsoft.com/azure/active-directory/ +[aad_err_doc]: https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes [certificates_client_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/keyvault/Azure.Security.KeyVault.Certificates [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ [code_of_conduct_faq]: https://opensource.microsoft.com/codeofconduct/faq/ @@ -325,26 +356,26 @@ This project has adopted the [Microsoft Open Source Code of Conduct][code_of_con [queues_client_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/storage/Azure.Storage.Queues [eventhubs_client_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/eventhub/Azure.Messaging.EventHubs [azure_core_library]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/core/Azure.Core -[identity_api_docs]: https://docs.microsoft.com/dotnet/api/azure.identity?view=azure-dotnet +[identity_api_docs]: https://learn.microsoft.com/dotnet/api/azure.identity?view=azure-dotnet [vs_login_image]: https://raw.githubusercontent.com/Azure/azure-sdk-for-net/main/sdk/identity/Azure.Identity/images/VsLoginDialog.png [azure_cli_login_image]: https://raw.githubusercontent.com/Azure/azure-sdk-for-net/main/sdk/identity/Azure.Identity/images/AzureCliLogin.png [azure_cli_login_device_code_image]: https://raw.githubusercontent.com/Azure/azure-sdk-for-net/main/sdk/identity/Azure.Identity/images/AzureCliLoginDeviceCode.png [default_azure_credential_authflow_image]: https://raw.githubusercontent.com/Azure/azure-sdk-for-net/main/sdk/identity/Azure.Identity/images/mermaidjs/DefaultAzureCredentialAuthFlow.svg -[ref_DefaultAzureCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet -[ref_ChainedTokenCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.chainedtokencredential?view=azure-dotnet -[ref_EnvironmentCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet -[ref_ManagedIdentityCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.managedidentitycredential?view=azure-dotnet -[ref_ClientSecretCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.clientsecretcredential?view=azure-dotnet -[ref_ClientCertificateCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.clientcertificatecredential?view=azure-dotnet -[ref_ClientAssertionCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.clientassertioncredential?view=azure-dotnet -[ref_InteractiveBrowserCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.interactivebrowsercredential?view=azure-dotnet -[ref_DeviceCodeCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.devicecodecredential?view=azure-dotnet -[ref_UsernamePasswordCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential?view=azure-dotnet -[ref_AuthorizationCodeCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.authorizationcodecredential?view=azure-dotnet -[ref_OnBehalfOfCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.onbehalfofcredential?view=azure-dotnet -[ref_AzureCliCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.azureclicredential?view=azure-dotnet -[ref_AzurePowerShellCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.azurepowershellcredential?view=azure-dotnet -[ref_VisualStudioCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.visualstudiocredential?view=azure-dotnet -[ref_VisualStudioCodeCredential]: https://docs.microsoft.com/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet +[ref_DefaultAzureCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet +[ref_ChainedTokenCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.chainedtokencredential?view=azure-dotnet +[ref_EnvironmentCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet +[ref_ManagedIdentityCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.managedidentitycredential?view=azure-dotnet +[ref_ClientSecretCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential?view=azure-dotnet +[ref_ClientCertificateCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.clientcertificatecredential?view=azure-dotnet +[ref_ClientAssertionCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.clientassertioncredential?view=azure-dotnet +[ref_InteractiveBrowserCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.interactivebrowsercredential?view=azure-dotnet +[ref_DeviceCodeCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.devicecodecredential?view=azure-dotnet +[ref_UsernamePasswordCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential?view=azure-dotnet +[ref_AuthorizationCodeCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.authorizationcodecredential?view=azure-dotnet +[ref_OnBehalfOfCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.onbehalfofcredential?view=azure-dotnet +[ref_AzureCliCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.azureclicredential?view=azure-dotnet +[ref_AzurePowerShellCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.azurepowershellcredential?view=azure-dotnet +[ref_VisualStudioCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.visualstudiocredential?view=azure-dotnet +[ref_VisualStudioCodeCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-net%2Fsdk%2Fidentity%2FAzure.Identity%2FREADME.png) diff --git a/sdk/identity/Azure.Identity/TROUBLESHOOTING.md b/sdk/identity/Azure.Identity/TROUBLESHOOTING.md index b8170982a15f4..8769d8779cec8 100644 --- a/sdk/identity/Azure.Identity/TROUBLESHOOTING.md +++ b/sdk/identity/Azure.Identity/TROUBLESHOOTING.md @@ -1,33 +1,34 @@ -# Troubleshoot Azure Identity Authentication Issues +# Troubleshoot Azure Identity authentication issues This troubleshooting guide covers failure investigation techniques, common errors for the credential types in the Azure Identity .NET client library, and mitigation steps to resolve these errors. ## Table of contents -- [Handle Azure Identity Exceptions](#handle-azure-identity-exceptions) +- [Handle Azure Identity exceptions](#handle-azure-identity-exceptions) - [AuthenticationFailedException](#authenticationfailedexception) - [CredentialUnavailableException](#credentialunavailableexception) - - [Permission Issues](#permission-issues) -- [Find Relevant Information in Exception Messages](#find-relevant-information-in-exception-messages) -- [Enable and Configure Logging](#enable-and-configure-logging) -- [Troubleshoot DefaultAzureCredential Authentication Issues](#troubleshoot-defaultazurecredential-authentication-issues) -- [Troubleshoot EnvironmentCredential Authentication Issues](#troubleshoot-environmentcredential-authentication-issues) -- [Troubleshoot ClientSecretCredential Authentication Issues](#troubleshoot-clientsecretcredential-authentication-issues) -- [Troubleshoot ClientCertificateCredential Authentication Issues](#troubleshoot-clientcertificatecredential-authentication-issues) -- [Troubleshoot UsernamePasswordCredential Authentication Issues](#troubleshoot-usernamepasswordcredential-authentication-issues) -- [Troubleshoot ManagedIdentityCredential Authentication Issues](#troubleshoot-managedidentitycredential-authentication-issues) - - [Azure Virtual Machine Managed Identity](#azure-virtual-machine-managed-identity) - - [Azure App Service and Azure Functions Managed Identity](#azure-app-service-and-azure-functions-managed-identity) -- [Troubleshoot VisualStudioCodeCredential Authentication Issues](#troubleshoot-visualstudiocodecredential-authentication-issues) -- [Troubleshoot VisualStudioCredential Authentication Issues](#troubleshoot-visualstudiocredential-authenticaton-issues) -- [Troubleshoot AzureCliCredential Authentication Issues](#troubleshoot-azureclicredential-authentication-issues) -- [Troubleshoot AzurePowerShellCredential Authentication Issues](#troubleshoot-azurepowershellcredential-authentication-issues) -- [Troubleshoot Multi Tenant Authentication Issues](#troubleshoot-multi-tenant-authentication-issues) -- [Get Additional Help](#get-additional-help) - -## Handle Azure Identity Exceptions + - [Permission issues](#permission-issues) +- [Find relevant information in exception messages](#find-relevant-information-in-exception-messages) +- [Enable and configure logging](#enable-and-configure-logging) +- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues) +- [Troubleshoot EnvironmentCredential authentication issues](#troubleshoot-environmentcredential-authentication-issues) +- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues) +- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues) +- [Troubleshoot ClientAssertionCredential authentication issues](#troubleshoot-clientassertioncredential-authentication-issues) +- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues) +- [Troubleshoot ManagedIdentityCredential authentication issues](#troubleshoot-managedidentitycredential-authentication-issues) + - [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity) + - [Azure App Service and Azure Functions managed identity](#azure-app-service-and-azure-functions-managed-identity) +- [Troubleshoot VisualStudioCodeCredential authentication issues](#troubleshoot-visualstudiocodecredential-authentication-issues) +- [Troubleshoot VisualStudioCredential authentication issues](#troubleshoot-visualstudiocredential-authentication-issues) +- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues) +- [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues) +- [Troubleshoot multi-tenant authentication issues](#troubleshoot-multi-tenant-authentication-issues) +- [Get additional help](#get-additional-help) + +## Handle Azure Identity exceptions ### AuthenticationFailedException -Exceptions arising from authentication errors can be raised on any service client method that makes a request to the service. This is because the token is requested from the credential on the first call to the service and on any subsequent requests to the service that need to refresh the token. +Exceptions arising from authentication errors can be raised on any service client method that makes a request to the service. This is because the token is requested from the credential on the first call to the service and on any subsequent requests to the service that need to refresh the token. To distinguish these failures from failures in the service client, Azure Identity classes raise the `AuthenticationFailedException` with details describing the source of the error in the exception message and possibly the error message. Depending on the application, these errors may or may not be recoverable. @@ -49,15 +50,15 @@ catch (AuthenticationFailedException e) ``` ### CredentialUnavailableException -The `CredentialUnavailableExcpetion` is a special exception type derived from `AuthenticationFailedException`. This exception type is used to indicate that the credential can’t authenticate in the current environment, due to lack of required configuration or setup. This exception is also used as a signal to chained credential types, such as `DefaultAzureCredential` and `ChainedTokenCredential`, that the chained credential should continue to try other credential types later in the chain. +The `CredentialUnavailableException` is a special exception type derived from `AuthenticationFailedException`. This exception type is used to indicate that the credential can't authenticate in the current environment, due to lack of required configuration or setup. This exception is also used as a signal to chained credential types, such as `DefaultAzureCredential` and `ChainedTokenCredential`, that the chained credential should continue to try other credential types later in the chain. -### Permission Issues +### Permission issues Calls to service clients resulting in `RequestFailedException` with a `StatusCode` of 401 or 403 often indicate the caller doesn't have sufficient permissions for the specified API. Check the service documentation to determine which RBAC roles are needed for the specific request, and ensure the authenticated user or service principal have been granted the appropriate roles on the resource. -## Find Relevant Information in Exception Messages +## Find relevant information in exception messages -`AuthenticationFailedException` is thrown when unexpected errors occurred while a credential is authenticating. This can include errors received from requests to the AAD STS and often contains information helpful to diagnosis. Consider the following `AuthenticationFailedException` message. +`AuthenticationFailedException` is thrown when unexpected errors occurred while a credential is authenticating. This can include errors received from requests to the Azure AD STS and often contains information helpful to diagnosis. Consider the following `AuthenticationFailedException` message. ![AuthenticationFailedException Message Example](https://raw.githubusercontent.com/Azure/azure-sdk-for-net/main/sdk/identity/Azure.Identity/images/AuthFailedErrorMessageExample.png) @@ -65,11 +66,11 @@ This error contains several pieces of information: - __Failing Credential Type__: The type of credential that failed to authenticate. This can be helpful when diagnosing issues with chained credential types such as `DefaultAzureCredential` or `ChainedTokenCredential`. -- __STS Error Code and Message__: The error code and message returned from the Azure AD STS. This can give insight into the specific reason the request failed. For instance, in this specific case because the provided client secret is incorrect. More information on STS error codes can be found [here](https://docs.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes). +- __STS Error Code and Message__: The error code and message returned from the Azure AD STS. This can give insight into the specific reason the request failed. For instance, in this specific case because the provided client secret is incorrect. More information on STS error codes can be found [here](https://learn.microsoft.com/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes). - __Correlation ID and Timestamp__: The correlation ID and call Timestamp used to identify the request in server-side logs. This information can be useful to support engineers when diagnosing unexpected STS failures. -### Enable and Configure Logging +### Enable and configure logging The Azure Identity library provides the same [logging capabilities](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/samples/Diagnostics.md#logging) as the rest of the Azure SDK. @@ -96,67 +97,76 @@ DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions() > CAUTION: Requests and responses in the Azure Identity library contain sensitive information. Precaution must be taken to protect logs when customizing the output to avoid compromising account security. -## Troubleshoot `DefaultAzureCredential` Authentication Issues +## Troubleshoot `DefaultAzureCredential` authentication issues | Error |Description| Mitigation | |---|---|---| |`CredentialUnavailableException` raised with message. "DefaultAzureCredential failed to retrieve a token from the included credentials."|All credentials in the `DefaultAzureCredential` chain failed to retrieve a token, each throwing a `CredentialUnavailableException`|
  • [Enable logging](#enable-and-configure-logging) to verify the credentials being tried, and get further diagnostic information.
  • Consult the troubleshooting guide for underlying credential types for more information.
    • [EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)
    • [ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)
    • [VisualStudioCodeCredential](#troubleshoot-visualstudiocodecredential-authentication-issues)
    • [VisualStudioCredential](#troubleshoot-visualstudiocredential-authentication-issues)
    • [AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)
    • [AzurePowershellCredential](#troubleshoot-azurepowershellcredential-authentication-issues)
    | |`RequestFailedExcpetion` raised from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Authenticate), or 403 (Forbidden) status code. This can often be caused by the `DefaultAzureCredential` authenticating an account other than the intended or that the intended account does not have the correct permissions or roles assigned.|
    • [Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.
    • In the case a credential other than the expected is returning a token, bypass this by either signing out of the corresponding development tool, or excluding the credential with the ExcludeXXXCredential property in the `DefaultAzureCredentialOptions`
    • Ensure that the correct role is assigned to the account being used. For example, a service specific role rather than the subscription Owner role.
    | -## Troubleshoot `EnvironmentCredential` Authentication Issues +## Troubleshoot `EnvironmentCredential` authentication issues `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| -|Environment variables aren't fully configured.|A valid combination of environment variables wasn't set.|Ensure the appropriate environment variables are set **prior to application startup** for the intended authentication method.

    • To authenticate a service principal using a client secret, ensure the variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_CLIENT_SECRET` are properly set.
    • To authenticate a service principal using a certificate, ensure the variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_CLIENT_CERTIFICATE_PATH` are properly set.
    • To authenticate a user using a password, ensure the variables `AZURE_USERNAME` and `AZURE_PASSWORD` are properly set.
        • | +|Environment variables aren't fully configured.|A valid combination of environment variables wasn't set.|Ensure the appropriate environment variables are set **prior to application startup** for the intended authentication method.

        • To authenticate a service principal using a client secret, ensure the variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_CLIENT_SECRET` are properly set.
        • To authenticate a service principal using a certificate, ensure the variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH`, and optionally `AZURE_CLIENT_CERTIFICATE_PASSWORD` are properly set.
        • To authenticate a user using a password, ensure the variables `AZURE_USERNAME` and `AZURE_PASSWORD` are properly set.
            • | |Password protection for PEM encoded certificates is not supported.|`AZURE_CLIENT_CERTIFICATE_PASSWORD` was set when using a PEM encoded certificate.|Re-encode the client certificate to a password protected PFX (PKCS12) certificate, or a PEM certificate without password protection.| -## Troubleshoot `ClientSecretCredential` Authentication Issues +## Troubleshoot `ClientSecretCredential` authentication issues `AuthenticationFailedException` | Error Code | Issue | Mitigation | |---|---|---| - |AADSTS7000215|An invalid client secret was provided.|Ensure the `clientSecret` provided when constructing the credential is valid. If unsure, create a new client secret using the Azure portal. Details on creating a new client secret can be found [here](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).| - |AADSTS7000222|An expired client secret was provided.|Create a new client secret using the Azure portal. Details on creating a new client secret can be found [here](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).| - |AADSTS700016|The specified application wasn't found in the specified tenant.|Ensure the specified `clientId` and `tenantId` are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the instructions [here](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).| + |AADSTS7000215|An invalid client secret was provided.|Ensure the `clientSecret` provided when constructing the credential is valid. If unsure, create a new client secret using the Azure portal. Details on creating a new client secret can be found [here](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).| + |AADSTS7000222|An expired client secret was provided.|Create a new client secret using the Azure portal. Details on creating a new client secret can be found [here](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).| + |AADSTS700016|The specified application wasn't found in the specified tenant.|Ensure the specified `clientId` and `tenantId` are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the instructions [here](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).| -## Troubleshoot `ClientCertificateCredential` Authentication Issues +## Troubleshoot `ClientCertificateCredential` authentication issues `AuthenticationFailedException` | Error Code | Description | Mitigation | |---|---|---| - |AADSTS700027|Client assertion contains an invalid signature.|Ensure the specified certificate has been uploaded to the AAD application registration. Instructions for uploading certificates to the application registration can be found [here](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate).| - |AADSTS700016|The specified application wasn’t found in the specified tenant.| Ensure the specified `clientId` and `tenantId` are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the instructions [here](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal). + |AADSTS700027|Client assertion contains an invalid signature.|Ensure the specified certificate has been uploaded to the AAD application registration. Instructions for uploading certificates to the application registration can be found [here](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate).| + |AADSTS700016|The specified application wasn't found in the specified tenant.| Ensure the specified `clientId` and `tenantId` are correct for your application registration. For multi-tenant apps, ensure the application has been added to the desired tenant by a tenant admin. To add a new application in the desired tenant, follow the instructions [here](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal). +## Troubleshoot `ClientAssertionCredential` authentication issues +`AuthenticationFailedException` + +| Error Code | Description | Mitigation | +|---|---|---| +|AADSTS700021| Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials. | Ensure the JWT assertion created has the correct values specified for the `sub` and `issuer` value of the payload, both of these should have the value be equal to `clientId`. Refer documentation for [client assertion format](https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials).| +|AADSTS700023| Client assertion audience claim does not match Realm issuer. Review the documentation at https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials. | Ensure the audience `aud` field in the JWT assertion created has the correct value for the audience specified in the payload. This should be set to `https://login.microsoftonline.com/{tenantId}/v2`.| +|AADSTS50027| JWT token is invalid or malformed. | Ensure the JWT assertion token is in the valid format. Refer to the documentation for [client assertion format](https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials).| -## Troubleshoot `UsernamePasswordCredential` Authentication Issues +## Troubleshoot `UsernamePasswordCredential` authentication issues `AuthenticationFailedException` | Error Code | Issue | Mitigation | |---|---|---| |AADSTS50126|The provided username or password is invalid|Ensure the `username` and `password` provided when constructing the credential are valid.| -## Troubleshoot `ManagedIdentityCredential` Authentication Issues +## Troubleshoot `ManagedIdentityCredential` authentication issues The `ManagedIdentityCredential` is designed to work on a variety of Azure hosts that provide managed identity. Configuring the managed identity and troubleshooting failures varies from hosts. The below table lists the Azure hosts that can be assigned a managed identity, and are supported by the `ManagedIdentityCredential`. |Host Environment| | | |---|---|---| -|Azure Virtual Machines and Scale Sets|[Configuration](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm)|[Troubleshooting](#azure-virtual-machine-managed-identity)| -|Azure App Service and Azure Functions|[Configuration](https://docs.microsoft.com/azure/app-service/overview-managed-identity)|[Troubleshooting](#azure-app-service-and-azure-functions-managed-identity)| +|Azure App Service and Azure Functions|[Configuration](https://learn.microsoft.com/azure/app-service/overview-managed-identity)|[Troubleshooting](#azure-app-service-and-azure-functions-managed-identity)| +|Azure Arc|[Configuration](https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication)|| |Azure Kubernetes Service|[Configuration](https://azure.github.io/aad-pod-identity/docs/)|[Troubleshooting](#azure-kubernetes-service-managed-identity)| -|Azure Arc|[Configuration](https://docs.microsoft.com/azure/azure-arc/servers/managed-identity-authentication)|| -|Azure Service Fabric|[Configuration](https://docs.microsoft.com/azure/service-fabric/concepts-managed-identity)|| -### Azure Virtual Machine Managed Identity +|Azure Service Fabric|[Configuration](https://learn.microsoft.com/azure/service-fabric/concepts-managed-identity)|| +|Azure Virtual Machines and Scale Sets|[Configuration](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm)|[Troubleshooting](#azure-virtual-machine-managed-identity)| +### Azure Virtual Machine managed identity + `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| -|The requested identity hasn’t been assigned to this resource.|The IMDS endpoint responded with a status code of 400, indicating the requested identity isn’t assigned to the VM.|If using a user assigned identity, ensure the specified `clientId` is correct.

            If using a system assigned identity, make sure it has been enabled properly. Instructions to enable the system assigned identity on an Azure VM can be found [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm).| -|The request failed due to a gateway error.|The request to the IMDS endpoint failed due to a gateway error, 502 or 504 status code.|Calls via proxy or gateway aren’t supported by IMDS. Disable proxies or gateways running on the VM for calls to the IMDS endpoint `http://169.254.169.254/`| -|No response received from the managed identity endpoint.|No response was received for the request to IMDS or the request timed out.|

            • Ensure managed identity has been properly configured on the VM. Instructions for configuring the manged identity can be found [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm).
            • Verify the IMDS endpoint is reachable on the VM, see [below](#verifying-imds-is-available-on-the-vm) for instructions.
            | -|Multiple attempts failed to obtain a token from the managed identity endpoint.|Retries to retrieve a token from the IMDS endpoint have been exhausted.|
            • Refer to inner exception messages for more details on specific failures. If the data has been truncated, more detail can be obtained by [collecting logs](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity#logging).
            • Ensure managed identity has been properly configured on the VM. Instructions for configuring the manged identity can be found [here](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm).
            • Verify the IMDS endpoint is reachable on the VM, see [below](#verify-imds-is-available-on-the-vm) for instructions.
            | +|The requested identity hasn't been assigned to this resource.|The IMDS endpoint responded with a status code of 400, indicating the requested identity isn't assigned to the VM.|If using a user assigned identity, ensure the specified `clientId` is correct.

            If using a system assigned identity, make sure it has been enabled properly. Instructions to enable the system assigned identity on an Azure VM can be found [here](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm).| +|The request failed due to a gateway error.|The request to the IMDS endpoint failed due to a gateway error, 502 or 504 status code.|Calls via proxy or gateway aren't supported by IMDS. Disable proxies or gateways running on the VM for calls to the IMDS endpoint `http://169.254.169.254/`| +|No response received from the managed identity endpoint.|No response was received for the request to IMDS or the request timed out.|

            • Ensure managed identity has been properly configured on the VM. Instructions for configuring the manged identity can be found [here](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm).
            • Verify the IMDS endpoint is reachable on the VM, see [below](#verifying-imds-is-available-on-the-vm) for instructions.
            | +|Multiple attempts failed to obtain a token from the managed identity endpoint.|Retries to retrieve a token from the IMDS endpoint have been exhausted.|
            • Refer to inner exception messages for more details on specific failures. If the data has been truncated, more detail can be obtained by [collecting logs](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity#logging).
            • Ensure managed identity has been properly configured on the VM. Instructions for configuring the manged identity can be found [here](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm).
            • Verify the IMDS endpoint is reachable on the VM, see [below](#verify-imds-is-available-on-the-vm) for instructions.
            | #### __Verify IMDS is available on the VM__ -If you have access to the VM, you can verify the manged identity endpoint is available via the command line using curl. +If you have access to the VM, you can verify the manged identity endpoint is available via the command line using curl. ```bash curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.core.windows.net&api-version=2018-02-01' -H "Metadata: true" @@ -166,7 +176,7 @@ curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://man `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| -|ManagedIdentityCredential authentication unavailable.|The environment variables configured by the App Services host weren’t present.|
            • Ensure the managed identity has been properly configured on the App Service. Instructions for configuring the managed identity can be found [here](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet).
            • Verify the App Service environment is properly configured and the managed identity endpoint is available. See [below](#verify-the-app-service-managed-identity-endpoint-is-available) for instructions.
            | +|ManagedIdentityCredential authentication unavailable.|The environment variables configured by the App Services host weren't present.|
            • Ensure the managed identity has been properly configured on the App Service. Instructions for configuring the managed identity can be found [here](https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet).
            • Verify the App Service environment is properly configured and the managed identity endpoint is available. See [below](#verify-the-app-service-managed-identity-endpoint-is-available) for instructions.
            | #### __Verify the App Service managed identity endpoint is available__ @@ -176,14 +186,14 @@ curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://man ``` > Note that the output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security. -### Azure Kubernetes Service Managed Identity -#### Pod Identity For Kubernetes +### Azure Kubernetes Service managed identity +#### Pod identity for Kubernetes `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| |No Managed Identity endpoint found|The application attempted to authenticate before an identity was assigned to its pod|Verify the pod is labeled correctly. This also occurs when a correctly labeled pod authenticates before the identity is ready. To prevent initialization races, configure NMI to set the Retry-After header in its responses (see [Pod Identity documentation](https://azure.github.io/aad-pod-identity/docs/configure/feature_flags/#set-retry-after-header-in-nmi-response)). -## Troubleshoot `VisualStudioCodeCredential` Authentication Issues +## Troubleshoot `VisualStudioCodeCredential` authentication issues > It's a [known issue](https://github.com/Azure/azure-sdk-for-net/issues/27263) that `VisualStudioCodeCredential` doesn't work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider [authenticating via the Azure CLI](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#authenticating-via-the-azure-cli). @@ -194,44 +204,44 @@ curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://man |MSAL Interaction Required Error|The `VisualStudioCodeCredential` was able to read the cached credentials from the cache but the cached token is likely expired.|Log into the Azure Account extension via **View > Command Palette** to execute the **Azure: Sign In** command in the VS Code IDE.| |ADFS tenant not supported|ADFS tenants are not currently supported by Visual Stuido `Azure Service Authentication`.|Use credentials from a supported cloud when authenticating with Visual Studio. The supported clouds are:

            • AZURE PUBLIC CLOUD - https://login.microsoftonline.com/
            • AZURE GERMANY - https://login.microsoftonline.de/
            • AZURE CHINA - https://login.chinacloudapi.cn/
            • AZURE GOVERNMENT - https://login.microsoftonline.us/
            | -## Troubleshoot `VisualStudioCredential` Authentication Issues +## Troubleshoot `VisualStudioCredential` authentication issues `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| |Failed To Read Credentials

            OR

            Authenticate via Azure Service Authentication|The `VisualStudioCredential` failed retrieve a token from the Visual Studio authentication utility `Microsoft.Asal.TokenService.exe`.|
            • In Visual Studio select the `Tools > Options` menu to launch the Options dialog.
            • Navigate to the `Azure Service Authentication` options to sign in with your Azure Active Directory account.
            • If you already had logged in to your account, try logging out and logging in again as that will repopulate the cache and potentially mitigate the error you're getting.
            | |ADFS tenant not supported|ADFS tenants are not currently supported by Visual Stuido `Azure Service Authentication`.|Use credentials from a supported cloud when authenticating with Visual Studio. The supported clouds are:

            • AZURE PUBLIC CLOUD - https://login.microsoftonline.com/
            • AZURE GERMANY - https://login.microsoftonline.de/
            • AZURE CHINA - https://login.chinacloudapi.cn/
            • AZURE GOVERNMENT - https://login.microsoftonline.us/
            | -## Troubleshoot `AzureCliCredential` Authentication Issues +## Troubleshoot `AzureCliCredential` authentication issues `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| -|Azure CLI not installed|The Azure CLI isn’t installed or couldn’t be found.|
            • Ensure the Azure CLI is properly installed. Installation instructions can be found [here](https://docs.microsoft.com/cli/azure/install-azure-cli).
            • Validate the installation location has been added to the `PATH` environment variable.
            | -|Please run 'az login' to set up account|No account is currently logged into the Azure CLI, or the login has expired.|
            • Log into the Azure CLI using the `az login` command. More information on authentication in the Azure CLI can be found [here](https://docs.microsoft.com/cli/azure/authenticate-azure-cli).
            • Validate that the Azure CLI can obtain tokens. See [below](#verify-the-azure-cli-can-obtain-tokens) for instructions.
            | +|Azure CLI not installed|The Azure CLI isn't installed or couldn't be found.|
            • Ensure the Azure CLI is properly installed. Installation instructions can be found [here](https://learn.microsoft.com/cli/azure/install-azure-cli).
            • Validate the installation location has been added to the `PATH` environment variable.
            | +|Please run 'az login' to set up account|No account is currently logged into the Azure CLI, or the login has expired.|
            • Log into the Azure CLI using the `az login` command. More information on authentication in the Azure CLI can be found [here](https://learn.microsoft.com/cli/azure/authenticate-azure-cli).
            • Validate that the Azure CLI can obtain tokens. See [below](#verify-the-azure-cli-can-obtain-tokens) for instructions.
            | #### __Verify the Azure CLI can obtain tokens__ -You can manually verify that the Azure CLI is properly authenticated, and can obtain tokens. First use the `account` command to verify the account which is currently logged in to the Azure CLI. +You can manually verify that the Azure CLI is properly authenticated, and can obtain tokens. First use the `account` command to verify the account which is currently logged in to the Azure CLI. ```bash az account show ``` -Once you've verified the Azure CLI is using correct account, you can validate that it’s able to obtain tokens for this account. +Once you've verified the Azure CLI is using the correct account, you can validate that it's able to obtain tokens for this account. ```bash az account get-access-token --output json --resource https://management.core.windows.net ``` >Note that output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security. -## Troubleshoot `AzurePowerShellCredential` Authentication Issues +## Troubleshoot `AzurePowerShellCredential` authentication issues `CredentialUnavailableException` | Error Message |Description| Mitigation | |---|---|---| -|PowerShell isn’t installed.|No local installation of PowerShell was found.|Ensure that PowerShell is properly installed on the machine. Instructions for installing PowerShell can be found [here](tps://docs.microsoft.com/powershell/scripting/install/installing-powershell).| -|Az.Account module >= 2.2.0 isn’t installed.|The Az.Account module needed for authentication in Azure PowerShell isn’t installed.|Install the latest Az.Account module. Installation instructions can be found [here](https://docs.microsoft.com/powershell/azure/install-az-ps).| -|Please run 'Connect-AzAccount' to set up account.|No account is currently logged into Azure PowerShell.|
            • Login to Azure PowerShell using the `Connect-AzAccount` command. More instructions for authenticating Azure PowerShell can be found [here](https://docs.microsoft.com/powershell/azure/authenticate-azureps)
            • Validate that Azure PowerShell can obtain tokens. See [below](#verify-azure-powershell-can-obtain-tokens) for instructions.
            | +|PowerShell isn't installed.|No local installation of PowerShell was found.|Ensure that PowerShell is properly installed on the machine. Instructions for installing PowerShell can be found [here](tps://learn.microsoft.com/powershell/scripting/install/installing-powershell).| +|Az.Account module >= 2.2.0 isn't installed.|The Az.Account module needed for authentication in Azure PowerShell isn't installed.|Install the latest Az.Account module. Installation instructions can be found [here](https://learn.microsoft.com/powershell/azure/install-az-ps).| +|Please run 'Connect-AzAccount' to set up account.|No account is currently logged into Azure PowerShell.|
            • Login to Azure PowerShell using the `Connect-AzAccount` command. More instructions for authenticating Azure PowerShell can be found [here](https://learn.microsoft.com/powershell/azure/authenticate-azureps)
            • Validate that Azure PowerShell can obtain tokens. See [below](#verify-azure-powershell-can-obtain-tokens) for instructions.
            | #### __Verify Azure PowerShell can obtain tokens__ -You can manually verify that Azure PowerShell is properly authenticated, and can obtain tokens. First use the `Get-AzContext` command to verify the account which is currently logged in to the Azure CLI. +You can manually verify that Azure PowerShell is properly authenticated, and can obtain tokens. First, use the `Get-AzContext` command to verify the account which is currently logged in to the Azure CLI. ``` PS C:\> Get-AzContext @@ -241,20 +251,24 @@ Name Account SubscriptionName Subscription1 (xxxxxxxx-xxxx-xxxx-xxx... test@outlook.com Subscription1 AzureCloud xxxxxxxx-x... ``` -Once you've verified Azure PowerShell is using correct account, you can validate that it’s able to obtain tokens for this account. +Once you've verified Azure PowerShell is using correct account, validate that it's able to obtain tokens for this account: ```bash Get-AzAccessToken -ResourceUrl "https://management.core.windows.net" ``` >Note that output of this command will contain a valid access token, and SHOULD NOT BE SHARED to avoid compromising account security. -## Troubleshoot Multi Tenant Authentication Issues +## Troubleshoot multi-tenant authentication issues `AuthenticationFailedException` | Error Message |Description| Mitigation | |---|---|---| |The current credential is not configured to acquire tokens for tenant |The application must configure the credential to allow acquiring tokens from the requested tenant.|Add the requested tenant ID it to the AdditionallyAllowedTenants on the credential options, or add \"*\" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.

            This exception was added as part of functional a breaking change to multi tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170) | -## Get Additional Help +| Error Message |Description| Mitigation | +|---|---|---| +|The current credential is not configured to acquire tokens for tenant |

            The application must configure the credential to allow token acquisition from the requested tenant.|Make one of the following changes in your app:

            • Add the requested tenant ID to `AdditionallyAllowedTenants` on the credential options.
            • Add `*` to `AdditionallyAllowedTenants` to allow token acquisition for any tenant.

            This exception was added as part of a breaking change to multi-tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170).

            | + +## Get additional help Additional information on ways to reach out for support can be found in the [SUPPORT.md](https://github.com/Azure/azure-sdk-for-net/blob/main/SUPPORT.md) at the root of the repo. diff --git a/sdk/identity/Azure.Identity/src/Azure.Identity.csproj b/sdk/identity/Azure.Identity/src/Azure.Identity.csproj index 0b964ce07436b..1d4b88a1be597 100644 --- a/sdk/identity/Azure.Identity/src/Azure.Identity.csproj +++ b/sdk/identity/Azure.Identity/src/Azure.Identity.csproj @@ -2,7 +2,7 @@ This is the implementation of the Azure SDK Client Library for Azure Identity Microsoft Azure.Identity Component - 1.8.0-beta.2 + 1.8.0 1.7.0 Microsoft Azure Identity;$(PackageCommonTags) diff --git a/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs index a350ab3f649a8..445ad123e4a22 100644 --- a/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs +++ b/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs @@ -6,10 +6,10 @@ using System.Globalization; using System.IO; using System.Runtime.InteropServices; -using System.Threading; -using System.Threading.Tasks; using System.Text.Json; using System.Text.RegularExpressions; +using System.Threading; +using System.Threading.Tasks; using Azure.Core; using Azure.Core.Pipeline; using Azure.Identitiy; @@ -29,7 +29,7 @@ public class AzureCliCredential : TokenCredential internal const string Troubleshoot = "See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot"; internal const string InteractiveLoginRequired = "Azure CLI could not login. Interactive login is required."; internal const string CLIInternalError = "CLIInternalError: The command failed with an unexpected error. Here is the traceback:"; - internal TimeSpan CliProcessTimeout { get; private set;} + internal TimeSpan CliProcessTimeout { get; private set; } // The default install paths are used to find Azure CLI if no path is specified. This is to prevent executing out of the current working directory. private static readonly string DefaultPathWindows = $"{EnvironmentVariables.ProgramFilesX86}\\Microsoft SDKs\\Azure\\CLI2\\wbin;{EnvironmentVariables.ProgramFiles}\\Microsoft SDKs\\Azure\\CLI2\\wbin"; @@ -146,10 +146,11 @@ private async ValueTask RequestCliAccessTokenAsync(bool async, Toke throw new CredentialUnavailableException(AzureCLINotInstalled); } + bool isAADSTSError = exception.Message.Contains("AADSTS"); bool isLoginError = exception.Message.IndexOf("az login", StringComparison.OrdinalIgnoreCase) != -1 || exception.Message.IndexOf("az account set", StringComparison.OrdinalIgnoreCase) != -1; - if (isLoginError) + if (isLoginError && !isAADSTSError) { throw new CredentialUnavailableException(AzNotLogIn); } diff --git a/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs index 9ec7d389170d0..c5d7177ee21e1 100644 --- a/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs +++ b/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs @@ -13,18 +13,39 @@ namespace Azure.Identity { /// - /// Enables authentication to Azure Active Directory using client secret, or username and password, - /// details configured in the following environment variables: + /// Enables authentication to Azure Active Directory using a client secret or certificate, or as a user + /// with a username and password. + /// + /// Configuration is attempted in this order, using these environment variables: + /// + /// + /// Service principal with secret: /// /// VariableDescription - /// AZURE_TENANT_IDThe Azure Active Directory tenant(directory) ID. - /// AZURE_CLIENT_IDThe client(application) ID of an App Registration in the tenant. + /// AZURE_TENANT_IDThe Azure Active Directory tenant (directory) ID. + /// AZURE_CLIENT_IDThe client (application) ID of an App Registration in the tenant. /// AZURE_CLIENT_SECRETA client secret that was generated for the App Registration. + /// + /// + /// Service principal with certificate: + /// + /// VariableDescription + /// AZURE_TENANT_IDThe Azure Active Directory tenant (directory) ID. + /// AZURE_CLIENT_IDThe client (application) ID of an App Registration in the tenant. /// AZURE_CLIENT_CERTIFICATE_PATHA path to certificate and private key pair in PEM or PFX format, which can authenticate the App Registration. - /// AZURE_CLIENT_SEND_CERTIFICATE_CHAINSpecifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header. + /// AZURE_CLIENT_CERTIFICATE_PASSWORD(Optional) The password protecting the certificate file (currently only supported for PFX (PKCS12) certificates). + /// AZURE_CLIENT_SEND_CERTIFICATE_CHAIN(Optional) Specifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header. + /// + /// + /// Username and password: + /// + /// VariableDescription + /// AZURE_TENANT_IDThe Azure Active Directory tenant (directory) ID. + /// AZURE_CLIENT_IDThe client (application) ID of an App Registration in the tenant. /// AZURE_USERNAMEThe username, also known as upn, of an Azure Active Directory user account. /// AZURE_PASSWORDThe password of the Azure Active Directory user account. Note this does not support accounts with MFA enabled. /// + /// /// This credential ultimately uses a , , or to /// perform the authentication using these details. Please consult the /// documentation of that class for more details. diff --git a/sdk/identity/Azure.Identity/src/Credentials/SharedTokenCacheCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/SharedTokenCacheCredential.cs index a02954330918b..e5d6f60720943 100644 --- a/sdk/identity/Azure.Identity/src/Credentials/SharedTokenCacheCredential.cs +++ b/sdk/identity/Azure.Identity/src/Credentials/SharedTokenCacheCredential.cs @@ -15,7 +15,8 @@ namespace Azure.Identity { /// - /// Authenticates using tokens in the local cache shared between Microsoft applications. + /// Authenticates using tokens in a local cache file. This is a legacy mechanism for authenticating clients using credentials provided to Visual Studio. + /// This mechanism for Visual Studio authentication has been replaced by the . /// public class SharedTokenCacheCredential : TokenCredential { diff --git a/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCodeCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCodeCredential.cs index 4cf75ebee270b..c7389eb8d2b37 100644 --- a/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCodeCredential.cs +++ b/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCodeCredential.cs @@ -15,7 +15,13 @@ namespace Azure.Identity { /// - /// Enables authentication to Azure Active Directory using data from Visual Studio Code. + /// Enables authentication to Azure Active Directory as the user signed in to Visual Studio Code via + /// the 'Azure Account' extension. + /// + /// It's a known issue that `VisualStudioCodeCredential` + /// doesn't work with Azure Account extension + /// versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating + /// with . /// public class VisualStudioCodeCredential : TokenCredential { diff --git a/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCredential.cs index 9c4d51f8a1e74..9fcef2632d867 100644 --- a/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCredential.cs +++ b/sdk/identity/Azure.Identity/src/Credentials/VisualStudioCredential.cs @@ -18,7 +18,9 @@ namespace Azure.Identity { /// - /// Enables authentication to Azure Active Directory using data from Visual Studio + /// Enables authentication to Azure Active Directory using data from Visual Studio 2017 or later. See + /// for more information + /// on how to configure Visual Studio for Azure development. /// public class VisualStudioCredential : TokenCredential { diff --git a/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs b/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs index 469486aff46da..064d15c33bd85 100644 --- a/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs +++ b/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs @@ -61,6 +61,10 @@ protected virtual async ValueTask HandleResponseAsync( message = GetMessageFromResponse(json.RootElement); } + catch (JsonException jex) + { + throw new CredentialUnavailableException(UnexpectedResponse, jex); + } catch (Exception e) { exception = e; diff --git a/sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs b/sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs index 9754ba6a82416..b61b98067744e 100644 --- a/sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs +++ b/sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs @@ -111,6 +111,7 @@ public static IEnumerable AzureCliExceptionScenarios() yield return new object[] { RefreshTokenExpiredError, AzureCliCredential.InteractiveLoginRequired, typeof(CredentialUnavailableException) }; yield return new object[] { AzureCliCredential.CLIInternalError, AzureCliCredential.InteractiveLoginRequired, typeof(CredentialUnavailableException) }; yield return new object[] { "random unknown exception", AzureCliCredential.AzureCliFailedError + " " + AzureCliCredential.Troubleshoot + " random unknown exception", typeof(AuthenticationFailedException) }; + yield return new object[] { "AADSTS12345: Some AAD error. To re-authenticate, please run: az login", AzureCliCredential.AzureCliFailedError + " " + AzureCliCredential.Troubleshoot + " AADSTS12345: Some AAD error. To re-authenticate, please run: az login", typeof(AuthenticationFailedException) }; } [Test] diff --git a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs index eea65bbde76eb..f66bbb5c22cff 100644 --- a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs +++ b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs @@ -15,6 +15,7 @@ using Azure.Identity.Tests.Mock; using Microsoft.AspNetCore.Http; using Microsoft.Diagnostics.Runtime.Interop; +using Newtonsoft.Json; using NUnit.Framework; namespace Azure.Identity.Tests @@ -691,7 +692,7 @@ public async Task VerifyClientAuthenticateThrows() } [Test] - public async Task VerifyClientAuthenticateReturnsInvalidJson([Values(200, 404)] int status) + public async Task VerifyClientAuthenticateReturnsInvalidJson([Values(200, 404, 403)] int status) { using var environment = new TestEnvVar( new() @@ -709,8 +710,8 @@ public async Task VerifyClientAuthenticateReturnsInvalidJson([Values(200, 404)] ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", pipeline)); - var ex = Assert.ThrowsAsync(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default))); - Assert.IsInstanceOf(typeof(RequestFailedException), ex.InnerException); + var ex = Assert.ThrowsAsync(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default))); + Assert.IsInstanceOf(typeof(System.Text.Json.JsonException), ex.InnerException); Assert.That(ex.Message, Does.Contain(ManagedIdentitySource.UnexpectedResponse)); await Task.CompletedTask; } diff --git a/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs b/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs index 6bfd05878fdba..678990ccdff43 100644 --- a/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs +++ b/sdk/identity/Azure.Identity/tests/samples/ReadmeSnippets.cs @@ -65,5 +65,39 @@ public void CustomChainedTokenCredential() #endregion } + + [Test] + public void AuthenticatingWithAuthorityHost() + { + #region Snippet:AuthenticatingWithAuthorityHost + + var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureGovernment }); + + #endregion + } + + [Test] + public void AuthenticatingWithManagedIdentityCredentialUserAssigned() + { + string userAssignedClientId = ""; + + #region Snippet:AuthenticatingWithManagedIdentityCredentialUserAssigned + + var credential = new ManagedIdentityCredential(clientId: userAssignedClientId); + var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential); + + #endregion + } + + [Test] + public void AuthenticatingWithManagedIdentityCredentialSystemAssigned() + { + #region Snippet:AuthenticatingWithManagedIdentityCredentialSystemAssigned + + var credential = new ManagedIdentityCredential(); + var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential); + + #endregion + } } }