azure-sdk-for-python

ClientSecretCredential auth making call to 'https://login.microsoftonline.com/common/discovery/instance' which is failing in disconnected ADFS Azure Stack

Open rakku-ms opened this issue 3 years ago • 3 comments

  • Package Names and Versions:
      • Python version: 3.8.10
      • azure-common 1.1.28
      • azure-identity 1.10.0
      • msrestazure 0.6.4
      • azure-mgmt-resource 21.1.0
      • azure-mgmt-compute 27.2.0

Describe the bug

ClientSecretCredential makes a call to https://login.microsoftonline.com on a disconnected ADFS Azure Stack stamp (without internet connection), which fails.

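To Reproduce

```python
from azure.identity import ClientSecretCredential
from azure.mgmt.resource import SubscriptionClient

# tenantid, clientid, secretkey, cloud, auth_resource, cloud_base_url and
# credential_scopes are the reporter's own values for the Azure Stack stamp.
credentials = ClientSecretCredential(
    tenant_id=tenantid,
    client_id=clientid,
    client_secret=secretkey,
    cloud_environment=cloud,
    authority=auth_resource,
)

sc = SubscriptionClient(
    credentials,
    base_url=cloud_base_url,
    credential_scopes=credential_scopes,
)
```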

Expected behavior

This is a disconnected ADFS stamp which is not expected to have internet connection. Can this instance discovery call to https://login.microsoftonline.com be avoided?

Error Log

```
09:43:29,987 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED'/nRequest method: 'GET'/nRequest headers:/n 'Accept': 'application/json'/n 'User-Agent': 'azsdk-python-identity/1.6.1 Python/3.8.10 (Linux-4.18.0-372.9.1.el8.x86_64-x86_64-with-glibc2.29)'/nNo body was attached to the request
09:43:29,988 urllib3.connectionpool DEBUG Starting new HTTPS connection (1): login.microsoftonline.com:443
09:43:30,27 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED'/nRequest method: 'GET'/nRequest headers:/n 'Accept': 'application/json'/n 'User-Agent': 'azsdk-python-identity/1.6.1 Python/3.8.10 (Linux-4.18.0-372.9.1.el8.x86_64-x86_64-with-glibc2.29)'/nNo body was attached to the request
09:43:30,28 urllib3.connectionpool DEBUG Starting new HTTPS connection (2): login.microsoftonline.com:443
09:43:31,633 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED'/nRequest method: 'GET'/nRequest headers:/n 'Accept': 'application/json'/n 'User-Agent': 'azsdk-python-identity/1.6.1 Python/3.8.10 (Linux-4.18.0-372.9.1.el8.x86_64-x86_64-with-glibc2.29)'/nNo body was attached to the request
09:43:31,634 urllib3.connectionpool DEBUG Starting new HTTPS connection (3): login.microsoftonline.com:443
09:43:34,843 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED'/nRequest method: 'GET'/nRequest headers:/n 'Accept': 'application/json'/n 'User-Agent': 'azsdk-python-identity/1.6.1 Python/3.8.10 (Linux-4.18.0-372.9.1.el8.x86_64-x86_64-with-glibc2.29)'/nNo body was attached to the request
09:43:34,844 urllib3.connectionpool DEBUG Starting new HTTPS connection (4): login.microsoftonline.com:443
09:43:34,849 azure.identity._internal.get_token_mixin WARNING ClientSecretCredential.get_token failed: Authentication failed: <urllib3.connection.HTTPSConnection object at 0x7f29d97bd8b0>: Failed to establish a new connection: [Errno 111] Connection refused
Traceback (most recent call last):
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/identity/_internal/decorators.py", line 45, in wrapper
    return fn(*args, **kwargs)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/identity/_internal/client_credential_base.py", line 29, in _acquire_token_silently
    result = app.acquire_token_silent_with_error(list(scopes), account=None, **kwargs)
  File "/tmp/cloudpoint/libs/azurestack/lib/msal/application.py", line 1143, in acquire_token_silent_with_error
    for alias in self._get_authority_aliases(self.authority.instance):
  File "/tmp/cloudpoint/libs/azurestack/lib/msal/application.py", line 995, in _get_authority_aliases
    resp = self.http_client.get(
  File "/tmp/cloudpoint/libs/azurestack/lib/msal/individual_cache.py", line 269, in wrapper
    value = function(*args, **kwargs)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/identity/_internal/msal_client.py", line 112, in get
    response = self._pipeline.run(request, stream=False)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 211, in run
    return first_node.send(pipeline_request) # type: ignore
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/policies/_retry.py", line 467, in send
    raise err
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/policies/_retry.py", line 445, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/_base.py", line 103, in send
    self._sender.send(request.http_request, **request.context.options),
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/core/pipeline/transport/_requests_basic.py", line 361, in send
    raise error
azure.core.exceptions.ServiceRequestError: <urllib3.connection.HTTPSConnection object at 0x7f29d97bd8b0>: Failed to establish a new connection: [Errno 111] Connection refused

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/identity/_internal/get_token_mixin.py", line 69, in get_token
    token = self._acquire_token_silently(*scopes)
  File "/tmp/cloudpoint/libs/azurestack/lib/azure/identity/_internal/decorators.py", line 50, in wrapper
    raise_from(auth_error, ex)
  File "", line 3, in raise_from
azure.core.exceptions.ClientAuthenticationError: Authentication failed: <urllib3.connection.HTTPSConnection object at 0x7f29d97bd8b0>: Failed to establish a new connection: [Errno 111] Connection refused
```

rakku-ms · Jul 15 '22 17:07
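An added example, not part of the original issue or of the SDK: a standard-library check that scans azure-core / urllib3 debug logs shaped like the error log above and reports every host contacted outside an allowlist, which is one way to confirm whether a client on a disconnected stamp still attempts public endpoints. The sample log is constructed, and the `local.azurestack.example` hostnames and function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the issue's log; the Azure Stack
# hostnames are placeholders, not values from the report.
SAMPLE_LOG = """\
09:43:29,987 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED'/nRequest method: 'GET'
09:43:29,988 urllib3.connectionpool DEBUG Starting new HTTPS connection (1): login.microsoftonline.com:443
09:43:30,120 azure.core.pipeline.policies.http_logging_policy INFO Request URL: 'https://adfs.local.azurestack.example/adfs/oauth2/token'/nRequest method: 'POST'
09:43:30,121 urllib3.connectionpool DEBUG Starting new HTTPS connection (1): adfs.local.azurestack.example:443
"""

REQUEST_URL = re.compile(r"Request URL: '([^']+)'")
NEW_CONN = re.compile(r"Starting new HTTPS? connection \(\d+\): ([^\s:]+):(\d+)")


def hosts_contacted(log_text):
    """Yield (line_no, host) for each logged request URL or new connection."""
    for no, line in enumerate(log_text.splitlines(), 1):
        for m in REQUEST_URL.finditer(line):
            host = urlsplit(m.group(1)).hostname
            if host:
                yield no, host.lower()
        for m in NEW_CONN.finditer(line):
            yield no, m.group(1).lower()


def is_allowed(host, allowed_suffixes):
    """Match whole DNS labels only, so 'xlocal.example' != 'local.example'."""
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def unexpected_egress(log_text, allowed_suffixes):
    """Return {host: [log line numbers]} for hosts outside the allowlist."""
    findings = {}
    for no, host in hosts_contacted(log_text):
        if not is_allowed(host, allowed_suffixes):
            findings.setdefault(host, []).append(no)
    return findings


if __name__ == "__main__":
    found = unexpected_egress(SAMPLE_LOG, ["local.azurestack.example"])
    for host, lines in found.items():
        print(f"unexpected egress to {host} on log lines {lines}")
```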

@rayluo FYI.

xiangyan99 · Jul 15 '22 18:07

Fix for this issue is here, however it won't be merged into MSAL PY directly so need to consume MSAL PY from this fork / branch. MSAL PY will release a larger change later this year with some other way to disable the internet calls.

https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/490

keystroke · Aug 03 '22 22:08

Hi @rakku-ms. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

ghost · Sep 22 '22 16:09

Hi @rakku-ms, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

ghost · Sep 29 '22 22:09