Description
A Web API that is running in AKS is configured to use SignedAssertionFilePath for ClientCredentials. When the Web API calls the downstream API, it throws the attached error. According to the documentation, if "SignedAssertionFileDiskPath" is not provided, it is picked up from the AZURE_FEDERATED_TOKEN_FILE environment variable. I can confirm that this variable, the file it shows and the token in the file are present on the pod running the web app.
Reproduction steps
Add the below section to the appsettings.json file of the Web API
Error message
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10242: Security token: 'PII of type 'System.String' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]' has a valid signature.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10234: Audience Validated.Audience: 'd4bff1b1-ae02-4475-bdee-b08ac7daf110'
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10245: Creating claims identity from the validated token: 'PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10241: Security token validated. token: 'PII of type 'System.String' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.
info: Microsoft.Identity.Web.TokenAcquisition[402]
[MsIdWeb] Using Pod identity file not found as client credentials.
info: Microsoft.Identity.Web.TokenAcquisition[300]
[MsIdWeb] An error occured during token acquisition: IDW10501: Exception acquiring token for a confidential client.
System.ArgumentException: Delegate to an instance method cannot have null 'this'.
at System.MulticastDelegate.ThrowNullThisInDelegateToInstance()
at Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.WithClientCredentials(ConfidentialClientApplicationBuilder builder, IEnumerable`1 clientCredentials, ILogger logger, ICredentialsLoader credentialsLoader, CredentialSourceLoaderParameters credentialSourceLoaderParameters)
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(MergedOptions mergedOptions)
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HMQN5SQEMHBD", Request id "0HMQN5SQEMHBD:00000002": An unhandled exception was thrown by the application.
Status Code: 0
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.
---> System.ArgumentException: Delegate to an instance method cannot have null 'this'.
at System.MulticastDelegate.ThrowNullThisInDelegateToInstance()
at Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.WithClientCredentials(ConfidentialClientApplicationBuilder builder, IEnumerable`1 clientCredentials, ILogger logger, ICredentialsLoader credentialsLoader, CredentialSourceLoaderParameters credentialSourceLoaderParameters)
at Microsoft.Identity.Web.TokenAcquisition.BuildConfidentialClientApplication(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetOrBuildConfidentialClientApplication(MergedOptions mergedOptions)
at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForUserAsync(IEnumerable`1 scopes, String authenticationScheme, String tenantId, String userFlow, ClaimsPrincipal user, TokenAcquisitionOptions tokenAcquisitionOptions)
at Microsoft.Identity.Web.DefaultAuthorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync(IEnumerable`1 scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, ClaimsPrincipal claimsPrincipal, CancellationToken cancellationToken)
at Microsoft.Identity.Web.TokenAcquisitionAuthenticationProvider.AuthenticateRequestAsync(HttpRequestMessage request)
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.Graph.HttpProvider.SendRequestAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
at Microsoft.Graph.UserRequest.GetAsync(CancellationToken cancellationToken)
at AksTestWebApi.Controllers.WeatherForecastController.Get() in /src/AksTestWebApi/Controllers/WeatherForecastController.cs:line 31
at lambda_method27(Closure , Object )
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
Id Web logs
No response
Relevant code snippets
NA
Regression
No response
Expected behavior
IdWeb should pick the federated token file from the AKS environment and exchange it for an AAD access token.
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
2.9.0
Web app
Sign-in users and call web APIs
Web API
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
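The preconditions the report describes (the variable is set, the file it names exists, and the file holds a token) can be checked from inside the pod. The script below is an added example, not part of the original issue and not Microsoft.Identity.Web code; the function names, return codes and the default audience `api://AzureADTokenExchange` are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example, not Microsoft.Identity.Web code.
# Usage in the pod: . ./check_token.sh && check_federated_token [expected_aud]
# Return codes: 0 ok, 1 env var unset, 2 file unreadable/empty,
#               3 not a decodable 3-part JWT, 4 expired, 5 audience mismatch.

b64url_decode() {
    # base64url -> base64: swap the alphabet, then restore '=' padding
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d 2>/dev/null
}

json_claim() {
    # Minimal extractor for one string/number claim (first element if the
    # claim is an array, as "aud" is in Kubernetes tokens); not a JSON parser.
    printf '%s' "$1" | sed -n \
        "s/.*\"$2\"[[:space:]]*:[[:space:]]*\[\{0,1\}[[:space:]]*\"\{0,1\}\([^]\",}]*\).*/\1/p"
}

check_federated_token() {
    # Assumed default: the audience used for Azure AD workload identity federation
    expected_aud=${1:-api://AzureADTokenExchange}
    f=${AZURE_FEDERATED_TOKEN_FILE:-}
    [ -n "$f" ] || { echo "AZURE_FEDERATED_TOKEN_FILE is not set" >&2; return 1; }
    { [ -r "$f" ] && [ -s "$f" ]; } || { echo "$f: missing, unreadable or empty" >&2; return 2; }
    token=$(tr -d '\r\n' < "$f")
    case $token in
        *.*.*.*) echo "more than three segments" >&2; return 3 ;;
        ?*.?*.?*) ;;
        *) echo "not a three-part JWT" >&2; return 3 ;;
    esac
    payload=${token#*.}; payload=${payload%%.*}
    claims=$(b64url_decode "$payload") || { echo "payload is not base64url" >&2; return 3; }
    exp=$(json_claim "$claims" exp); aud=$(json_claim "$claims" aud)
    case $exp in ''|*[!0-9]*) echo "no numeric exp claim" >&2; return 3 ;; esac
    [ "$exp" -gt "$(date +%s)" ] || { echo "token expired at $exp" >&2; return 4; }
    [ "$aud" = "$expected_aud" ] || { echo "aud is '$aud', expected '$expected_aud'" >&2; return 5; }
    # Report claims only; never log the token itself (it is a bearer credential)
    echo "ok: aud=$aud exp=$exp"
}
```

The check reads claims only and does not verify the token signature; a return code of 0 here alongside the IDW10501 error above points at the library's credential loading rather than at the pod's projected token.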