You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
Upgrading to Azure.Identity 1.13 triggers token validation to start to fail. I opened a ticket over there and they told me that starting with v1.13 they have delegated token acquisition to MSAL. When getting an access token to pull keys from KeyVault the following exception gets throw:
---> Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException:ManagedIdentityCredential authentication failed: The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format.
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ErrorCode:'' ' Label:'Development' Etag:'KglaaAgZxV23Y-9AK8mdvqv1MDsaQ4pCjszEG83ZJjc' SecretIdentifier:'https://publicservicesdev.vault.azure.net/secrets/Audience'---> Azure.Identity.AuthenticationFailedException:ManagedIdentityCredential authentication failed: The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format.
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot---> System.FormatException:The input string '2024-10-18T19:51:37.0000000+00:00' was not in a correct format.
at System.Number.ThrowFormatException[TChar](ReadOnlySpan1value) at System.Int64.Parse(Strings,IFormatProviderprovider) at Microsoft.Identity.Client.Utils.DateTimeHelpers.GetDurationFromNowInSeconds(StringunixTimestampInFuture) at Microsoft.Identity.Client.OAuth2.MsalTokenResponse.ValidateManagedIdentityResult(ManagedIdentityResponseresponse) at Microsoft.Identity.Client.OAuth2.MsalTokenResponse.CreateFromManagedIdentityResponse(ManagedIdentityResponsemanagedIdentityResponse) at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapterlogger,CancellationTokencancellationToken) at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationTokencancellationToken,ILoggerAdapterlogger) at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationTokencancellationToken) at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()---Endof stack trace from previous location ---at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func1codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationTokencancellationToken)
at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameterscommonParameters,AcquireTokenForManagedIdentityParametersmanagedIdentityParameters,CancellationTokencancellationToken)
at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Booleanasync,TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Booleanasync,TokenRequestContextcontext,CancellationTokencancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Booleanasync,TokenRequestContextrequestContext,CancellationTokencancellationToken)---End of inner exception stack trace ---atAzure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exceptionex,StringadditionalMessage,BooleanisCredentialUnavailable)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Booleanasync,TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[]sources,TokenRequestContextrequestContext,Booleanasync,CancellationTokencancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Booleanasync,TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exceptionex,StringadditionalMessage,BooleanisCredentialUnavailable)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Booleanasync,TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContextrequestContext,CancellationTokencancellationToken)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.SetResultOnTcsFromCredentialAsync(TokenRequestContextcontext,TaskCompletionSource1targetTcs,Booleanasync,CancellationTokencancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessagemessage,TokenRequestContextcontext,Booleanasync) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.TokenRequestState.GetCurrentHeaderValue(Booleanasync,BooleancheckForCompletion,CancellationTokencancellationToken) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetAuthHeaderValueAsync(HttpMessagemessage,TokenRequestContextcontext,Booleanasync) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessagemessage,TokenRequestContextcontext) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessagemessage,Booleanasync) at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessagemessage,ReadOnlyMemory1pipeline,Booleanasync)
at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessagemessage,ReadOnlyMemory1pipeline,Booleanasync) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessagemessage,ReadOnlyMemory1pipeline,Booleanasync)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessagemessage,ReadOnlyMemory1pipeline,Booleanasync) at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Requestrequest,CancellationTokencancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Requestrequest,CancellationTokencancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethodmethod,Func1resultFactory,CancellationTokencancellationToken,String[]path)
at Azure.Security.KeyVault.Secrets.SecretClient.GetSecretAsync(Stringname,Stringversion,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultSecretProvider.GetSecretValue(KeyVaultSecretIdentifiersecretIdentifier,Stringkey,Stringlabel,Loggerlogger,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSettingsetting,Uriendpoint,Loggerlogger,CancellationTokencancellationToken)---End of inner exception stack trace ---at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureKeyVault.AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSettingsetting,Uriendpoint,Loggerlogger,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.ProcessAdapters(ConfigurationSettingsetting,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.PrepareData(Dictionary2data,CancellationTokencancellationToken) at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.InitializeAsync(IEnumerable1clients,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.TryInitializeAsync(IEnumerable1clients,List1startupExceptions,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.LoadAsync(BooleanignoreFailures,CancellationTokencancellationToken)
at Microsoft.Extensions.Configuration.AzureAppConfiguration.AzureAppConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSourcesource)
at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSourcesource)
at Microsoft.Extensions.Configuration.AzureAppConfigurationExtensions.AddAzureAppConfiguration(IConfigurationBuilderconfigurationBuilder,Action`1action,Booleanoptional)---End of inner exception stack trace ---
This starts to happen after upgrading Azure.Identity with no other changes to the code base. Azure.Identity deps 4.65.0 and I have tried pinning version 4.66.0 both versions exhibit the same behavior. This project uses Docker and is based on the mcr.microsoft.com/dotnet/aspnet:8.0 image. If I start this project outside of Docker the access token is retrieved as expected. I suspect that it's not detecting the OS correctly when run inside the container and is trying to parse a Unix time rather than the RFC3336 formatted datetime.
Library version used
4.65.0 and 4.66.0
.NET version
8.0
Scenario
Other - please specify
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
Upgrading to Azure.Identity 1.13 triggers token validation to start to fail. I opened a ticket over there and they told me that starting with v1.13 they have delegated token acquisition to MSAL. When getting an access token to pull keys from KeyVault the following exception gets throw:
This starts to happen after upgrading Azure.Identity with no other changes to the code base. Azure.Identity deps 4.65.0 and I have tried pinning version 4.66.0 both versions exhibit the same behavior. This project uses Docker and is based on the mcr.microsoft.com/dotnet/aspnet:8.0 image. If I start this project outside of Docker the access token is retrieved as expected. I suspect that it's not detecting the OS correctly when run inside the container and is trying to parse a Unix time rather than the RFC3336 formatted datetime.
Relevant code snippets
Expected behavior
The token should be retrieved successfully and the KeyVault secrets should be retrieved.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response
The text was updated successfully, but these errors were encountered: