mssql-jdbc: Azure WebApp, MSI Token Failure, missing 'expires_on' field in response

Driver version

=10.2.3 + 11.x

Client Operating System

Linux / Docker

JAVA/JVM version

Java 17

Problem description

We are using Azure WebApp to run our Java/SpringBoot applications. For the authentication we are using the system assigned identity. That works well so far with JDBC version 9.4.1. Now we wanted to upgrade the JDBC driver version to 11.2.3. With all JDBC versions from 10.2.3 on, we are getting the following error: com.microsoft.sqlserver.jdbc.SQLServerException: MSI Token failure: Failed to acquire token from MSI Endpoint.

After investigation, I found the following code change to be responsible for the issue (version 10.2.2 --> 10.2.3): image

Before 10.2.3 the library was using the expires-on field of the response. But with version 10.2.3 it now uses the expires-in field. But this field is not existing in the response of the provided token service. Here is a (shorted) response example:

{"access_token":"ey...w","expires_on":"1680169483","resource":"https://database.windows.net/","token_type":"Bearer","client_id":"51481984-5176-4f0f-b02e-7812ea679522"}

As you can see, the expires-in field is completely missing there. Any idea what is wrong here?

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 18 (10 by maintainers)

Most upvoted comments

Awesome, glad it worked. As for drivers >10.2.2<12.0.0 we’ll be releasing a hotfix and when that comes around I’ll let you guys know in this thread.

+2
tkyc on Apr 5, 2023

Found the same issue after upgrading my app to spring boot 3.0.5. Updated the JDBC driver to 12.2 and added the msal4j and azure-identity dependencies according to the above test-app. The connection worked fine on spring boot 2.7.x where the JDBC driver used the 10.2.1.jre8 version without explicitly specifying the msal4j and azure-identity dependencies.

App won’t boot due to the same 401 error: Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: http://169.254.130.3:8081/msi/token?resource=https%3A%2F%2Fdatabase.windows.net%2F&api-version=2017-09-01

Connection string is the following: jdbc:sqlserver://${DATABASE_SERVER};databaseName=${DATABASE_NAME};encrypt=${DATABASE_ENCRYPT_CONN:true};Authentication=ActiveDirectoryMSI;

+1
vitorcsbrito on Apr 4, 2023

Hi @Nyffeneggerr,

It looks like there might be some confusion on our end. The changes we made for 12.1 should work for Azure Functions and Webapps. We’re now examining whether we’ll need to make additional changes to ensure compatibility for your use case. Thank you for bringing this to our attention.

+1
Jeffery-Wasty on Mar 31, 2023
Read more comments on GitHub
← mssql-jdbc: [Azure] Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization
mssql-jdbc: [BUG] Performance Issues reading LocalDate,LocalDateTime, and LocalTime →