Azure.Identity Question

[lucashby]

Library name and version

Azure.Identity 1.8.0

Query/Question

I am able to use v1.7.0 of Azure.Identity with no problems. My situation is I have an AKS cluster using pod identity which is configured to a user assigned managed identity. I use the Microsoft.Extensions.Azure library to configure all of my Azure clients such as Blob client, ServiceBus client, etc.

While using v1.7.0, occasionally my application may attempt to bootstrap before the identity is available to the pod to use and gets the occasional error only during startup which is fine because the pod won't be considered ready until it successfully starts.

However, with v1.8.0 I get stuck in an infinite error state and get stuck with millions of logged failures that look like the following:

ManagedIdentityCredential authentication failed: The json containing instance metadata does not contain details about the authority in use: login.microsoftonline.us. See https://aka.ms/msal-net-custom-instance-metadata for more details. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot The json containing instance metadata does not contain details about the authority in use: login.microsoftonline.us. See https://aka.ms/msal-net-custom-instance-metadata for more details.

The links are of no help. I'm not sure what changed between 1.7.0 and 1.8.0, but could someone please explain what was changed and why this may be occurring?

Environment

No response

[jsquire]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[ohads-MSFT]

We hit the same issue, for us it manifested as this error:

Unhandled exception. Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Configure either region discovery or custom instance metadata. Custom instance discovery metadata overrides region discovery.
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
---> MSAL.NetCore.4.46.0.0.MsalClientException:
ErrorCode: region_discovery_with_custom_instance_metadata
Microsoft.Identity.Client.MsalClientException: Configure either region discovery or custom instance metadata. Custom instance discovery metadata overrides region discovery.
at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Validate()
at Microsoft.Identity.Client.AbstractApplicationBuilder1.BuildConfiguration() at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.BuildConcrete() at Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Build() at Azure.Identity.MsalConfidentialClient.CreateClientAsync(Boolean async, CancellationToken cancellationToken) at Azure.Identity.MsalClientBase1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

[Dolphinsimon]

The newer version 1.8.1 has not fixed the issue. We have the same exception after upgrading to v1.8.1.

ManagedIdentityCredential authentication failed: The json containing instance metadata does not contain details about the authority in use: login.chinacloudapi.cn. See https://aka.ms/msal-net-custom-instance-metadata for more details. \nSee the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot","Data":null,"InnerException":{"$type":"Microsoft.Identity.Client.MsalClientException, Microsoft.Identity.Client","IsRetryable":false,"ErrorCode":"invalid-custom-instance-metadata","Message":"The json containing instance metadata does not contain details about the authority in use: login.chinacloudapi.cn. See https://aka.ms/msal-net-custom-instance-metadata for more details. ","Data":{"$type":"System.Collections.ListDictionaryInternal, System.Private.CoreLib"},"InnerException":null,"HelpLink":null,"Source":"Microsoft.Identity.Client","HResult":-2146233088,"StackTrace":" at Microsoft.Identity.Client.Instance.Discovery.UserMetadataProvider.GetMetadataOrThrow(String environment, ILoggerAdapter logger)\r\n at Microsoft.Identity.Client.Instance.Discovery.InstanceDiscoveryManager.GetMetadataEntryAsync(AuthorityInfo authorityInfo, RequestContext requestContext, Boolean forceValidation)\r\n at Microsoft.Identity.Client.Instance.AuthorityManager.RunInstanceDiscoveryAndValidationAsync()\r\n at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)\r\n at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)\r\n at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)\r\n at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)\r\n at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder1 builder, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)\r\n at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)"},"HelpURL":null,"StackTraceString":" at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)\r\n at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)\r\n at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)\r\n at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)\r\n at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)\r\n at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)\r\n at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestInternal(HttpMessage message, Boolean async)\r\n at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)\r\n at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)\r\n at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)\r\n at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async)\r\n at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)\r\n at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)\r\n at Azure.Security.KeyVault.KeyVaultPipeline.GetPageAsync[T](Uri firstPageUri, String nextLink, Func1 itemFactory, String operationName, CancellationToken cancellationToken)\r\n at Azure.Core.PageResponseEnumerator.FuncAsyncPageable1.AsPages(String continuationToken, Nullable1 pageSizeHint)+MoveNext()\r\n at Azure.Core.PageResponseEnumerator.FuncAsyncPageable1.AsPages(String continuationToken, Nullable1 pageSizeHint)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()\r\n at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()\r\n at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()\r\n at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()\r\n `

[karataliu]

@jsquire @schaabs @christothes
I checked 1.8.1 still have the issue, could we reopen?

The error comes out in a different place:
With 1.8.0:

at Microsoft.Identity.Client.Instance.AuthorityManager.RunInstanceDiscoveryAndValidationAsync()
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.FetchNewAccessTokenAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)

With 1.8.1:

at Microsoft.Identity.Client.ClientApplicationBase.CreateRequestParametersAsync(AcquireTokenCommonParameters commonParameters, RequestContext requestContext, ITokenCacheInternal cache)
   at Microsoft.Identity.Client.ConfidentialClientApplication.CreateRequestParametersAsync(AcquireTokenCommonParameters commonParameters, RequestContext requestContext, ITokenCacheInternal cache)
   at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)

[christothes]

Hi @karataliu - This is fixed in the PR referenced above so it will be in the next version of the package.

[northtyphoon]

@christothes when will the next version with the fix be released?

[karataliu]

@christothes could you please suggest which PR do you mean? Is it #33544 ?
Previous PR is picked into 1.8.1 #33478 , but it doesn't fix the issue.

[ohads-MSFT]

I think there might be several different issues here, as I'm pretty sure the following line fixes the one we ran into (Configure either region discovery or custom instance metadata): https://github.com/Azure/azure-sdk-for-net/pull/33478/files#diff-e8bef522f24b413fc37ec666d0d5e305a1e472252cacf66b2e4cf1f225de64a8R107

[christothes]

It should be fixed in #35544 - Note you can test this version by trying the latest dev package versions here.

[ohads-MSFT]

FYI this is fixed in Azure.Identity 1.8.2: https://github.com/Azure/azure-sdk-for-net/releases/tag/Azure.Identity_1.8.2