azure-sdk-for-js: Unable to use TokenCredentials instances from the azure/identity library in ServiceClientCredential based SDKs for Sovereign Azure Clouds
On Azure China, trying to use the TokenCredentials instances from the identity library that work with ServiceClientCredentials instances throws the error:
{
"stack": "AuthenticationError: invalid_resource(status code 400).\nMore details:\nAADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named <tenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b633abc6-dde5-485e-a83a-380a25ad5500\r\nCorrelation ID: 619bec33-dc10-4740-ad78-e728d25f2ee9\r\nTimestamp: 2021-06-23 21:00:14Z\n at IdentityClient.<anonymous> (/app/node_modules/@azure/identity/dist/index.js:345:31)\n at Generator.next (<anonymous>)\n at fulfilled (/app/node_modules/tslib/tslib.js:114:62)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)",
"message": "invalid_resource(status code 400).\nMore details:\nAADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named a<tenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b633abc6-dde5-485e-a83a-380a25ad5500\r\nCorrelation ID: 619bec33-dc10-4740-ad78-e728d25f2ee9\r\nTimestamp: 2021-06-23 21:00:14Z",
"statusCode": 400,
"errorResponse": {
"error": "invalid_resource",
"errorDescription": "AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named <tenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b633abc6-dde5-485e-a83a-380a25ad5500\r\nCorrelation ID: 619bec33-dc10-4740-ad78-e728d25f2ee9\r\nTimestamp: 2021-06-23 21:00:14Z",
"correlationId": "619bec33-dc10-4740-ad78-e728d25f2ee9",
"errorCodes": [
500011
],
"timestamp": "2021-06-23 21:00:14Z",
"traceId": "b633abc6-dde5-485e-a83a-380a25ad5500"
},
"name": "AuthenticationError"
}
Looking into the code, it looks like SDKs that use ServiceClientCredentials instances default to public Azure scopes in https://github.com/Azure/ms-rest-js/blob/de6aa5157603639001785b4a43afa5f325381dbd/lib/serviceClient.ts#L189 in AzureIdentityCredentialAdapter. It is my understanding that this is causing the auth flow to fail.
Example usage:
import { IotDpsClient } from "@azure/arm-deviceprovisioningservices";
new IotDpsClient(creds as any, subscriptionId, { baseUri });
where creds is a ChainedTokenCredential object with authority https://login.chinacloudapi.cn, baseUri points to https://management.chinacloudapi.cn, and IotDpsClient is from https://www.npmjs.com/package/@azure/arm-deviceprovisioningservices.
Am I using this correctly?
About this issue
- State: closed
- Created 3 years ago
- Comments: 20 (12 by maintainers)
We have released a new version for @azure/ms-rest-js that should fix this issue. Please let us know if you can test it, and if it solves this issue for you.
Thanks for the confirmation @prashantchari
@sadasant Can you make a PR to make the required changes to @azure/ms-rest-js?

@prashantchari hello again! Thank you for giving us more information. Let’s use this issue to track the problem you’re seeing. I will need some days to route this problem internally properly. I’ll answer back next week, as soon as possible.

@voidfoo, @prashantchari since the solution to this is likely going to need a public API change from our part, please give us a couple of days to coordinate an appropriate response. Thank you for reporting this problem to us.

I could be wrong, but I think the problem is the scope, not the auth host. TokenCredential does not carry info about scope, so when ms-rest-js creates the adapter for the token credential passed in, it won’t know what scope to use.
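The point made in the report (the adapter defaults to public-cloud scopes) and in the last comment (a TokenCredential carries no scope of its own, so the adapter cannot know which cloud's resource to ask for) can be shown end to end with a small wrapper. The code below is an added example written for this page; it is not code from the issue thread, from @azure/ms-rest-js, or from @azure/identity, and the released fix referred to in the thread is not what it implements. It assumes the adapter requests the scope "https://management.azure.com/.default" (the resource URI is the one in the AADSTS500011 error; the "/.default" suffix is an assumption), it copies the shape of the @azure/core-auth TokenCredential and AccessToken interfaces so it runs without the package, and the names SovereignScopeCredential, rewriteScope, FakeChinaCredential and AZURE_CHINA_RESOURCES are hypothetical. The wrapper keeps the TokenCredential interface, so it can be handed to a ServiceClient-based SDK in place of the ChainedTokenCredential; every scope it is asked for is rewritten from the public-cloud resource to the Azure China resource (https://management.chinacloudapi.cn, the baseUri from the report) before the inner credential is called.

```typescript
// Added example, not code from the issue thread or from the Azure SDK repositories.
// Demonstrates: the ms-rest-js adapter asks the TokenCredential for the public-cloud
// ARM scope no matter which authority the credential was configured with, and the
// TokenCredential itself has no notion of which cloud it belongs to. Workaround
// shown (an assumption, not a library feature): wrap the credential and rewrite
// public-cloud resource URIs in the requested scopes to their sovereign equivalents.

// Minimal copies of the @azure/core-auth TokenCredential / AccessToken shapes
// (assumption: reproduced here so the example runs without the package installed).
interface AccessToken {
  token: string;
  expiresOnTimestamp: number;
}

interface TokenCredential {
  getToken(scopes: string | string[], options?: unknown): Promise<AccessToken | null>;
}

// Public-cloud resource URI -> Azure China resource URI. Keyed on the resource so
// the permission suffix ("/.default", "/user_impersonation") is preserved as-is.
const AZURE_CHINA_RESOURCES: Record<string, string> = {
  "https://management.azure.com": "https://management.chinacloudapi.cn",
};

// Rewrite one scope. "https://management.azure.com/.default" becomes
// "https://management.chinacloudapi.cn/.default"; scopes for unknown resources and
// scopes that already name the sovereign resource pass through unchanged. The
// prefix match includes the "/" so "https://management.azure.com.evil.example/..."
// is not treated as the public ARM resource.
function rewriteScope(scope: string, resourceMap: Record<string, string>): string {
  for (const publicResource of Object.keys(resourceMap)) {
    if (scope === publicResource || scope.indexOf(publicResource + "/") === 0) {
      return resourceMap[publicResource] + scope.slice(publicResource.length);
    }
  }
  return scope;
}

// TokenCredential wrapper: same interface as the credential it wraps, so it can be
// passed wherever the SDK expects a TokenCredential, but every getToken call is
// rewritten before it is delegated.
class SovereignScopeCredential implements TokenCredential {
  constructor(
    private readonly inner: TokenCredential,
    private readonly resourceMap: Record<string, string>,
  ) {}

  getToken(scopes: string | string[], options?: unknown): Promise<AccessToken | null> {
    const list = Array.isArray(scopes) ? scopes : [scopes];
    const rewritten = list.map((s) => rewriteScope(s, this.resourceMap));
    // Keep the caller's shape (string vs. array) so the inner credential sees exactly
    // what it would have seen, apart from the resource host.
    return this.inner.getToken(Array.isArray(scopes) ? rewritten : rewritten[0], options);
  }
}

// Constructed stand-in for a ChainedTokenCredential configured for the China
// authority. It records what it was asked for and rejects public-cloud resources the
// way the China tenant did in the report (invalid_resource / AADSTS500011).
class FakeChinaCredential implements TokenCredential {
  readonly requested: string[] = [];

  async getToken(scopes: string | string[]): Promise<AccessToken | null> {
    const list = Array.isArray(scopes) ? scopes : [scopes];
    this.requested.push(...list);
    if (list.some((s) => s.indexOf("https://management.azure.com") === 0)) {
      throw new Error("invalid_resource: AADSTS500011 resource principal not found in tenant");
    }
    return { token: "constructed-token", expiresOnTimestamp: Date.now() + 3600000 };
  }
}

// Reproduce the failure with the raw credential, then show the wrapped credential
// succeeding for the same scope the ServiceClient adapter would request.
async function demo(): Promise<{ directFailed: boolean; requestedScopes: string[]; token: string | null }> {
  const adapterScope = "https://management.azure.com/.default"; // assumed adapter default
  const chinaCredential = new FakeChinaCredential();

  let directFailed = false;
  try {
    await chinaCredential.getToken(adapterScope);
  } catch {
    directFailed = true; // the situation reported in the issue
  }

  const wrapped = new SovereignScopeCredential(chinaCredential, AZURE_CHINA_RESOURCES);
  const result = await wrapped.getToken(adapterScope);
  return {
    directFailed,
    requestedScopes: chinaCredential.requested.slice(1), // drop the failed public-cloud attempt
    token: result ? result.token : null,
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Because the rewrite happens inside getToken, the wrapper works regardless of which scope the adapter hard-codes, and it leaves scopes it does not recognise untouched, so a credential that is already being asked for the sovereign resource is not altered. The same wrapper pattern applies to any other sovereign cloud by changing the resource map.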