terraform-provider-azuread: azuread v2.x auth error

I want to refer to azuread_user in a data source using azuread 2.0 (Microsoft Graph). However, as soon as I use azuread 2.x, authentication (Azure CLI) doesn't work. It did not occur before azuread 1.6 (not Microsoft Graph).

【Error】

│ Error: building client: unable to parse claims in access token: illegal base64 data at input byte 631
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 22, in provider "azuread":
│   22: provider "azuread" {

【Code】

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.75.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.1.0"
    }
  }
}

### Configure the Microsoft Azure Provider
provider "azurerm" {
  subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  features {}
}

provider "azuread" {
  use_msi   = false
  use_cli   = true
  tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

data "azuread_domains" "example" {
  only_initial = true
}

data "azurerm_client_config" "my_conf" {}

data "azuread_user" "admins_operation" {
  object_id           = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 16 (3 by maintainers)

Most upvoted comments

The reason that the bug hasn't been hit is not obvious… The likely cause is that the original reporter and I are from the same Asian country, where texts in the language spoken are often encoded as UTF-8 to bytes with their MSBs being set. This might, with a higher probability, result in base64 encoded strings containing symbols. Actually, in my case, the base64 error occurred right before the place where my family name in kanji, which is contained in the claim, occurs.

Whew! I modified auth/claims.go so that the right decoder is applied as follows and it finally worked:

diff --git a/auth/claims.go b/auth/claims.go
index 9694b23..bfa1e29 100644
--- a/auth/claims.go
+++ b/auth/claims.go
@@ -32,7 +32,7 @@ func ParseClaims(token *oauth2.Token) (claims Claims, err error) {
                return
        }
        jwt := strings.Split(token.AccessToken, ".")
-       payload, err := base64.RawStdEncoding.DecodeString(jwt[1])
+       payload, err := base64.RawURLEncoding.DecodeString(jwt[1])
        if err != nil {
                return
        }
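Review bot: the change on the `payload, err := ...` line is the correct fix, since JWT segments are base64url-encoded without padding, which is exactly what `base64.RawURLEncoding` expects and `RawStdEncoding` (alphabet ending in `+/`) does not; one thing still worth tightening in this function is that `jwt[1]` is indexed right after `strings.Split(token.AccessToken, ".")` without checking the segment count, so a malformed token with no `.` panics instead of returning an error. Consider adding `if len(jwt) != 3 { err = fmt.Errorf("unexpected token format"); return }` before the decode.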

I’m gonna send a patch to hamilton shortly.
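An added example, not code from the provider or from hamilton, that reproduces the failure the comment above describes and the effect of the patch: the same claims payload is decoded with RawStdEncoding and with RawURLEncoding, with a kanji name claim placed so that one of its bytes lands on sextet 62. The Claims field set, the helper names and the token itself are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims stands in for the provider's claims struct; this field set is assumed, not hamilton's.
type Claims struct {
	Name     string `json:"name"`
	ObjectId string `json:"oid"`
}
// decodePayload splits a JWT and decodes its second segment with the given base64 alphabet.
func decodePayload(token string, enc *base64.Encoding) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := enc.DecodeString(parts[1])
	if err != nil {
		return
	}
	return c, json.Unmarshal(raw, &c)
}
// ParseClaimsStd reproduces the pre-fix decoder: RawStdEncoding, whose alphabet ends in "+/".
func ParseClaimsStd(token string) (Claims, error) { return decodePayload(token, base64.RawStdEncoding) }
// ParseClaimsURL reproduces the fix: RawURLEncoding, the base64url alphabet ("-_") JWT segments use.
func ParseClaimsURL(token string) (Claims, error) { return decodePayload(token, base64.RawURLEncoding) }
// CorruptOffset returns the input byte offset carried by a base64.CorruptInputError, or -1 otherwise.
func CorruptOffset(err error) int64 {
	if cie, ok := err.(base64.CorruptInputError); ok {
		return int64(cie)
	}
	return -1
}
// MakeToken builds an unsigned, JWT-shaped token from a JSON payload (constructed sample, dummy signature).
func MakeToken(payloadJSON string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + base64.RawURLEncoding.EncodeToString([]byte(payloadJSON)) + ".sig"
}
func main() {
	// "石" (E7 9F B3) starts a base64 group at JSON offset 9; byte 0x9F yields sextet 62 ('-' in base64url, '+' in std).
	tok := MakeToken(`{"name":"石田","oid":"11111111-2222-3333-4444-555555555555"}`)
	_, err := ParseClaimsStd(tok)
	fmt.Println("RawStdEncoding:", err, "| offset:", CorruptOffset(err)) // illegal base64 data at input byte 14
	c, err := ParseClaimsURL(tok)
	fmt.Println("RawURLEncoding:", c.Name, err) // 石田 <nil>
}
```

ASCII-only claims reach sextets 62 or 63 only when a group's last byte is '>', '~' or '?', so tokens without non-ASCII claims decode under either alphabet, which is why the wrong decoder went unnoticed until a non-ASCII name claim showed up.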

This functionality has been released in v2.2.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!