azure-sdk-for-python: ClientSecretCredential.get_token() fails in case of azurestack if we provide 'authority' URL

  • Package Name: azure-identity
  • Package Version: 1.6.1
  • Operating System: ubuntu20.04
  • Python Version: 3.8.10

Describe the bug

To authenticate the Python SDK to Azure Stack Hub, we use the ClientSecretCredential method and pass the required parameters, like ClientSecretCredential( tenant_id=tenantid, client_id=clientid, client_secret=secretkey, cloud_environment=cloud, authority=auth_resource).

When the user passes the authority URL ‘https://management.private_domain.onmicrosoft.com/<b9ae38c5-####>’ parameter explicitly, the ClientSecretCredential.get_token() method throws an error instead of returning a successful response:

ClientSecretCredential.get_token failed: Authentication failed: invalid_instance: The authority you provided, https://management.private_domain.onmicrosoft.com/<b9ae38c5-####>/<ed83b0eb-tenant_id>, is not whitelisted. If it is indeed your legit customized domain name, you can turn off this check by passing in validate_authority=False.

It looks like the Azure SDK is explicitly appending tenant_id to the authority URL.

**msal_credentials.py**

```python
def _create_app(self, cls, **kwargs):
    # type: (Type[msal.ClientApplication], **Any) -> msal.ClientApplication
    app = cls(
        client_id=self._client_id,
        client_credential=self._client_credential,
        authority="{}/{}".format(self._authority, self._tenant_id),
        # ... (remaining arguments not shown in the report)
    )
```

Can you please provide us more information about the change and how the user can pass the authority URL? If we don't pass the ‘authority URL’ then it works, but with the authority URL it fails.

To Reproduce

Steps to reproduce the behavior:

  1. Try to provide the authority URL along with the other required parameters while creating ClientSecretCredential.

Expected behavior

ClientSecretCredential.get_token() should work if the user passes the authority URL.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (10 by maintainers)

Most upvoted comments

@rayluo Thanks for the information. Unfortunately, we don’t have validate_authority support yet.

I created PR #22786 to support it.
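
A pre-flight check for the authority value, added here as an example and not part of the original issue or of the SDK: it reproduces the `"{}/{}".format(authority, tenant_id)` composition quoted in the report to show how an authority that already carries a path segment ends up with two, and it pins the host to an operator-supplied allowlist so the endpoint stays constrained even where `validate_authority=False` is in use. The function names, hostnames and IDs below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values, not taken from the issue.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_ALLOWED_HOSTS = {"login.stack.example"}


def compose_authority(authority, tenant_id):
    """Mirror the format string quoted from msal_credentials.py."""
    return "{}/{}".format(authority, tenant_id)


def preflight_authority(authority, tenant_id, allowed_hosts):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    parts = urlsplit(authority)

    # Client secrets must never travel to a token endpoint over plain HTTP.
    if parts.scheme != "https":
        findings.append("authority must use https")

    # Pin the host explicitly instead of trusting whatever was configured.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        findings.append("host %r is not in the operator allowlist" % host)

    # Any existing path segment is doubled once the tenant ID is appended.
    segments = [s for s in parts.path.split("/") if s]
    if segments:
        composed = compose_authority(authority.rstrip("/"), tenant_id)
        findings.append(
            "authority already has path %r; composed URL becomes %s"
            % ("/" + "/".join(segments), composed)
        )
    return findings


if __name__ == "__main__":
    for candidate in (
        "https://login.stack.example",
        "https://login.stack.example/11111111-1111-1111-1111-111111111111",
        "http://other.example",
    ):
        result = preflight_authority(candidate, SAMPLE_TENANT, SAMPLE_ALLOWED_HOSTS)
        print(candidate, "->", result or "ok")
```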