This repository has been archived by the owner on May 5, 2023. It is now read-only.

Authentication with msRestAzure.interactiveLogin #1821

Closed
henryzhang888888 opened this issue Jul 21, 2016 · 16 comments

@henryzhang888888

When calling msRestAzure.interactiveLogin(), there are two entries in the array credentials.tokenCache.
If I don't remove the first item, it throws this exception when calling the other API.
Is there any special parameter I need to specify? I found out that as long as I remove the first entry, it works.

{ [Error: The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.]
statusCode: 401,
request:
{ rawResponse: false,
queryString: {},
method: 'GET',
headers:
{ 'x-ms-client-request-id': '540f5b8a-da75-43c8-add7-7de48ec6badf',
'accept-language': 'en-US',
'Content-Type': 'application/json; charset=utf-8' },
url: 'https://management.azure.com/subscriptions/e275aaba-c903-49db-b296-ffb655cbdcad/providers/Microsoft.Compute/virtualMachines?api-version=2016-03-30',
body: null },
response:
{ body: '{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/\' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f\' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."}}',
headers:
{ 'cache-control': 'no-cache',
pragma: 'no-cache',
'content-type': 'application/json; charset=utf-8',
expires: '-1',
'www-authenticate': 'Bearer authorization_uri="https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f", error="invalid_token", error_description="The access token is from the wrong issuer. It must match the tenant associated with this subscription. Please use correct authority to get the token."',
'x-ms-failure-cause': 'gateway',
'x-ms-request-id': '4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'x-ms-correlation-request-id': '4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'x-ms-routing-request-id': 'EASTASIA:20160721T002039Z:4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'strict-transport-security': 'max-age=31536000; includeSubDomains',
date: 'Thu, 21 Jul 2016 00:20:39 GMT',
connection: 'close',
'content-length': '677' },
statusCode: 401 },
code: 'InvalidAuthenticationTokenTenant',
body:
{ code: 'InvalidAuthenticationTokenTenant',
message: 'The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/\' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f\' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.' } }

@henryzhang888888
Author

Could I get an update on this?

@amarzavery
Contributor

amarzavery commented Aug 3, 2016

@henryzhang888888 - Sorry for the delayed response. What version of "ms-rest-azure" are you using?

When you log in on the portal (based on the link provided in the console), what kind of id do you use? Is it an org id [email protected] or a live id [email protected]?

@henryzhang888888
Author

I am using an outlook email account and the ms-rest-azure version is 1.14.5.
Eventually, I fixed this issue by adding a domain option to specify the tenant. It seems we can't use the common tenant. I am not sure if this is the right way to fix it.

@amarzavery
Contributor

Yes, the common tenant is a fake tenant for live ids. It is only useful for organizational accounts. However, in the new version of ms-rest-azure I have taken a dependency on the azure-arm-resource package to get all the tenants and then list subscriptions across all the tenants. This should update the token cache across all the tenants.

Let me see if I can repro this with a live id.

@henryzhang888888
Author

Ok. Sometimes I also encounter an issue that may be related to the token.
It reports "Error, entry not found" when calling an API if there is more than one async API call pending.
Not sure what happened. I searched and someone mentions it may be related to the token being expired, but it doesn't make sense to me since I just got a token.

@amarzavery
Contributor

amarzavery commented Aug 4, 2016

@henryzhang888888 - I was able to repro the problem you are facing. The problem is that the interactiveLogin() method needs to give you a credential object. Every credential object creates an auth context and the authority url (auth end point + /domain). To explain the dilemma, let me give you some context around it.
The primary purpose is to make the login experience simple for the user. Hence we start with the minimal required parameters. For interactiveLogin(), I thought it was zero. But that is incorrect. TenantId (a.k.a. domain) must be provided when using a live id.

  1. InteractiveLogin will display the url and the device code.
  2. User authenticates on the browser with his/her id and password.
  3. After successful login the node runtime gets a token against the common tenant and also gets the userId (of the person who authenticated in the browser).
  4. With this information we try to get the list of tenants associated with the user id.
  5. Next, we try to build the list of subscriptions across the list of tenants built in the previous step. (As a part of fetching all the subscriptions, the token cache also gets populated with tokens across all the tenants + token for common tenant).
  6. Now, we create a credentials object and link the populated token cache and give this credentials to the user. The problem over here is: while creating the credentials object which tenant should we select? As the user did not provide one, we use the default tenant (common). This also sets the authority url to the common tenant.

Now, when you use this credentials object with a subscription s1 that belongs to tenant t2, the request fails with the above message.

So, for liveID, the user must provide the correct tenant as an input to the interactiveLogin() method. The user must make sure to use a subscription that belongs to that tenant later on while creating the client.

I wrote a small snippet to validate the above explanation.

var msRestAzure = require('ms-rest-azure');
var resourceManager = require('azure-arm-resource');
var util = require('util');
// The subscription must belong to the tenant passed as `domain` below.
var subscriptionId = 'your-subscription-id-that-belongs-to-the-same-tenant';
msRestAzure.interactiveLogin({ domain: 'your-tenant-id' }, function (err, credentials, subscriptions) {
  if (err) {
    console.log(err);
    return;
  }
  console.log('Credentials object:\n' + util.inspect(credentials, { depth: null }));
  console.log('List of subscriptions:\n' + util.inspect(subscriptions, { depth: null }));
  // Credentials carry the authority for `domain`, so calls for this subscription succeed.
  var client = new resourceManager.ResourceManagementClient(credentials, subscriptionId);
  client.resourceGroups.list(function (err, result, request, response) {
    if (err) {
      console.log(err);
    } else {
      console.log('>>>List of ResourceGroups:');
      console.log(result);
    }
  });
});

Content of package.json, for the snippet to run:

{
  "dependencies": {
    "azure-arm-resource": "^1.4.5-preview",
    "ms-rest": "^1.14.4",
    "ms-rest-azure": "^1.14.5"
  }
}

Hope this helps! I shall update the documentation to make this clear to customers.

Thanks a ton for filing this issue :).
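The walk-through above (steps 3 to 6 and the 401 that follows) can be modelled without any network access. The following is an added example, not code from ms-rest-azure, adal-node or the commenters: it constructs unsigned JWT-shaped tokens (not real AAD tokens), builds a token cache shaped loosely after what step 5 leaves behind (the `_authority`/`tenantId`/`accessToken` entry shape is an assumption), reproduces the issuer-versus-subscription-tenant check that produced `InvalidAuthenticationTokenTenant` in this issue, and shows the entry selection that passing `{domain: tenantId}` to `interactiveLogin` achieves. The two tenant ids come from the error message in this issue; the user id is constructed.

```javascript
// Added example (not from ms-rest-azure or the issue author): why cache[0] of a
// multi-tenant token cache fails against ARM, and which entry a client should use.
const LOGIN_ENDPOINT = 'https://login.windows.net';
// Tenant ids taken from the 401 body quoted in this issue.
const LIVE_ID_ISSUER_TENANT = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'; // issuer of the common-tenant token
const SUBSCRIPTION_TENANT = 'ad9347a6-4a9b-4893-98ee-8198c31b794f';   // tenant that owns the subscription

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned JWT-shaped token carrying only the claims this example reads.
// It is not a real AAD token and no service would accept it.
function makeConstructedToken(issuerTenant, userId) {
  const header = base64url(Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })));
  const payload = base64url(Buffer.from(JSON.stringify({
    iss: `https://sts.windows.net/${issuerTenant}/`,
    tid: issuerTenant,
    unique_name: userId,
    aud: 'https://management.core.windows.net/',
  })));
  return `${header}.${payload}.`;
}

// Decode the payload segment without verifying a signature: enough to read `iss`
// before sending, so a mismatched token is caught client-side instead of as a 401.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT-shaped token');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Extract the tenant id from an AAD v1 issuer URL; null for anything else.
function tenantFromIssuer(iss) {
  const m = /^https:\/\/sts\.windows\.net\/([^/]+)\/?$/.exec(iss || '');
  return m ? m[1] : null;
}

// The check ARM's gateway applies per request (see the 401 body in this issue):
// the token issuer must be the tenant associated with the subscription.
function checkTokenForSubscription(accessToken, subscriptionTenant) {
  const tokenTenant = tenantFromIssuer(decodeJwtPayload(accessToken).iss);
  if (tokenTenant !== subscriptionTenant) {
    return {
      ok: false,
      code: 'InvalidAuthenticationTokenTenant',
      message: `token issued by tenant ${tokenTenant}, subscription belongs to ${subscriptionTenant}; ` +
               `acquire the token from ${LOGIN_ENDPOINT}/${subscriptionTenant}`,
    };
  }
  return { ok: true, code: null, message: null };
}

// What step 5 of the explanation leaves in the cache after a live-id login: one entry
// from the common authority (issued by the live-id tenant) plus one per real tenant.
// Entry shape is an assumption for this example.
function constructedTokenCache(userId) {
  return [
    { _authority: `${LOGIN_ENDPOINT}/common`, userId, tenantId: 'common',
      accessToken: makeConstructedToken(LIVE_ID_ISSUER_TENANT, userId) },
    { _authority: `${LOGIN_ENDPOINT}/${SUBSCRIPTION_TENANT}`, userId, tenantId: SUBSCRIPTION_TENANT,
      accessToken: makeConstructedToken(SUBSCRIPTION_TENANT, userId) },
  ];
}

// Pick the entry minted by the authority for the subscription's tenant instead of
// cache[0]; this is the effect of passing {domain: tenantId} to interactiveLogin.
function selectCacheEntry(cache, tenantId) {
  const authority = `${LOGIN_ENDPOINT}/${tenantId}`;
  return cache.find((e) => e._authority === authority) || null;
}

// Runs the scenario from the issue and returns both outcomes for inspection.
function demo() {
  const cache = constructedTokenCache('user@example.com'); // constructed user id
  const wrongEntry = checkTokenForSubscription(cache[0].accessToken, SUBSCRIPTION_TENANT);
  const right = selectCacheEntry(cache, SUBSCRIPTION_TENANT);
  const rightEntry = checkTokenForSubscription(right.accessToken, SUBSCRIPTION_TENANT);
  return { wrongEntry, rightEntry };
}

console.log(JSON.stringify(demo(), null, 2));
```

`demo()` returns a rejected result for the common-tenant entry (code `InvalidAuthenticationTokenTenant`, as in the original report) and an accepted one for the entry whose authority is the subscription's tenant. The client-side `iss` check is purely a diagnostic: it decodes without verifying a signature and must never replace server-side validation.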

@amarzavery amarzavery added the Team label Aug 4, 2016
@amarzavery
Contributor

The documentation has been updated.

@henryzhang888888
Author

Thanks for your update.
I encountered a new problem today. When I use the link to complete the authentication, it always reports

Sorry, but we’re having trouble signing you in.
We received a bad request.

Do you have some insight about it? Thanks

@amarzavery
Contributor

Yup. I see that often. It can happen if the cookies in the browser get corrupted. Ctrl+Shift+Delete to clear cookies in the browser usually helps. You can also try incognito mode or a different browser.

@henryzhang888888
Author

I have tried to delete the cookies so many times. It didn't work by any chance. :(

@amarzavery
Contributor

Did you try a different browser?

@henryzhang888888
Author

Yes. I did.
The reason is "Error when processing DeviceAuthRedirect request".
I tried to log in with the Azure CLI ("azure login").
It still didn't work.
BTW, I first enabled the domain service for the default directory, but I disabled it before I did this step:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started-password-sync/

@amarzavery
Contributor

The error on the webpage may also provide the correlation id. Can you provide that to us?
/cc @yugangw-msft

@henryzhang888888
Author

Yup.
The id is "Correlation ID: 485d6667-122b-4c9a-b820-2ecc50ce5dc3"

@henryzhang888888
Author

BTW, I can use the username/password to log in to portal.azure.com
@amarzavery

@henryzhang888888
Author

It is interesting that it resumed working right now even though I didn't do anything special.
I am curious whether it is possible for us to figure out the reason with that Correlation ID.
