azure-cli icon indicating copy to clipboard operation
azure-cli copied to clipboard
verified publisher icon Azure

`az login` stuck on connecting to `login.microsoftonline.com:443`

Open Bouke opened this issue 1 year ago • 25 comments

Describe the bug

Running az login is stuck after confirmation in the browser. The debug output shows it is waiting to connect to login.microsoftonline.com:443.

My machine is connected to the internet. All browsing works fine. I can connect to login.microsoftonline.com in my Safari browser.

Related command

az login --scope {} --debug

Errors

No error; it is just stuck waiting.

Issue script & Debug output

cli.azure.cli.core.auth.identity: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
msal.telemetry: Generate or reuse correlation_id: c029d9c5-7926-4ab7-adc6-a0de19d2da3f
msal.oauth2cli.oauth2: Using http://localhost:64330 as redirect_uri
msal.oauth2cli.authcode: Abort by visit http://localhost:64330?error=abort
msal.oauth2cli.authcode: Open a browser on this device to visit: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A64330&scope=https%3A%2F%2Fmanagement.azure.com%2F%2F.default+offline_access+openid+profile&state=NmifcZvXTDBFSpPj&code_challenge=(...)
msal.oauth2cli.authcode: Got auth response: (...)
msal.oauth2cli.authcode: "GET /?code=(...) HTTP/1.1" 200 -
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
^Ccli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x10f3e8400>]

Expected behavior

az login should just work

Environment Summary

macOS-14.3.1-x86_64-i386-64bit, Darwin 23.3.0
Python 3.11.8
Installer: HOMEBREW

azure-cli 2.58.0

Extensions:
azure-devops 1.0.0
ssh 1.1.1

Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2

Additional context

Bouke avatar Mar 12 '24 08:03 Bouke

Thank you for opening this issue, we will look into it.

yonzhan avatar Mar 12 '24 08:03 yonzhan

I'm having a similar issue, but using az login --use-device-code and before it gives me a URL. Also stuck connecting to login.microsoftonline.com:443

mattsains avatar Mar 12 '24 16:03 mattsains

What's the output of python -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"?

bebound avatar Mar 13 '24 02:03 bebound

The problem is intermittent as it went away after an hour or so. Highly frustrating to debug.

Bouke avatar Mar 13 '24 07:03 Bouke

It's still happening to me but it does seem to be intermittent. Both Tuesday and Wednesday morning pacific time, it hung. Tuesday and Wednesday afternoon it started working again.

The result of your python code is 200, and I actually have done a curl on this URL during the time the CLI hangs and the result was a 200

mattsains avatar Mar 13 '24 23:03 mattsains

It's not working again this morning (2024-03-14 08:58:00 pacific time):

cli.knack.cli: Command arguments: ['login', '--use-device-code', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fa00f0f8040>, <function OutputProducer.on_global_arguments at 0x7fa00f0a2160>, <function CLIQuery.on_global_arguments at 0x7fa00f0d7c40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         8
cli.azure.cli.core: Total (1)                 0.001         2         8
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fa00dfd1bc0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/msainsbury/.azure/commands/2024-03-14.08-57-50.login.2277400.log'.
az_command_data_logger: command args: login --use-device-code --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fa00e069f80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fa00e06a020>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fa00e06a160>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fa00f0a2200>, <function CLIQuery.handle_query_parameter at 0x7fa00f0d7ce0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fa00e06a0c0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/msainsbury/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/msainsbury/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
^Ccli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fa00dfd1e40>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 17.710 seconds (init: 0.098, invoke: 17.611)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3571 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/msainsbury/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

the python command:

$ python3 -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"

hangs as well. I tried to curl that URL, and I got a redirect to https://www.office.com/login#, and then further to https://login.microsoftonline.com/common/oauth2/v2.0/authorize, but these seem to be interactive websites and not APIs

mattsains avatar Mar 14 '24 16:03 mattsains

Since the Python command also hangs, there is nothing we can do. It appears to be a network issue.

bebound avatar Mar 15 '24 02:03 bebound

I have the same problem on a linux machine: Ubuntu 23.10 with kernel 6.5.0-26-generic and python Python 3.11.6. Az:

{
  "azure-cli": "2.58.0",
  "azure-cli-core": "2.58.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}

Can you provide the versions used for testing?

acasanova99 avatar Mar 26 '24 10:03 acasanova99

I ran into the same issue. After a whole day of trial and error, I finally solved it by disabling IPv6 as suggested here: https://stackoverflow.com/questions/57992691/pip-hangs-on-starting-new-https-connection. However, I have no idea why disabling IPv6 would fix it.

HeyangQin avatar Apr 15 '24 18:04 HeyangQin

Disabling ipv6 worked for me!

Also, I don't think it's a "networking issue" as suggested by bebound, because if I reproduce the call in curl, it succeeds immediately:

curl -L https://login.microsoftonline.com -H "User-Agent: python-requests/2.25.1" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" --output -

(result is binary data)

mattsains avatar Apr 17 '24 15:04 mattsains

FWIW, I am reliably reproducing this with this example: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-daemon-app-python-acquire-token

Agree with @mattsains that it could be more interesting than a simple network issue on my side. curl works.

EDIT: I can also confirm that disabling IPv6 (as outlined here - I'm on Fedora 39 ) got things to work.

jsliacan avatar Apr 17 '24 20:04 jsliacan

I also had this issue, but only when using a full vpn tunnel. After disabling ipv6 like suggested, it now works using the full vpn tunnel as well.

Dsverre avatar May 10 '24 13:05 Dsverre

for me, I had to uninstall the azure cli and use a more recent version version I previously used was: 2.0.81 version I installed: 2.64.0

Although version 2.64.0 might result in this

enyeneraph avatar Sep 12 '24 04:09 enyeneraph

I encountered the same issue today and after following steps to disable ipv6 now I can "az login" again on Ubuntu 22.04.5 LTS $ az version { "azure-cli": "2.49.0", "azure-cli-core": "2.49.0", "azure-cli-telemetry": "1.0.8", "extensions": { "azure-devops": "0.25.0", "ssh": "2.0.5", "storage-preview": "0.9.0" } }

gjswalling avatar Oct 23 '24 22:10 gjswalling