Authentication with msRestAzure.interactiveLogin #1821
Comments
Could I get an update on this?
@henryzhang888888 - Sorry for the delayed response. What version of "ms-rest-azure" are you using? When you log in on the portal (based on the link provided in the console), what kind of ID do you use? Is it an org ID [email protected] or a live ID [email protected]?
I am using an Outlook email account and the ms-rest-azure version is 1.14.5.
Yes, the common tenant is a fake tenant for live IDs. It is only useful for organizational accounts. However, in the new version of ms-rest-azure I have taken a dependency on the azure-arm-resource package to get all the tenants and then list subscriptions across all the tenants. This should update the token cache across all the tenants. Let me see if I can repro this with a live ID.
OK. Sometimes, I also encounter an issue that may be related to the token.
@henryzhang888888 - I was able to repro the problem you are facing. The problem is that the interactiveLogin() method needs to give you a credential object. Every credential object creates an auth context and the authority URL (auth end point + /domain). To explain the dilemma, let me give you some context around it.
Now, when you use this credentials object with a subscription s1 that belongs to tenant t2, the request fails with the above message. So, for liveID, the user must provide the correct tenant as an input to the interactiveLogin() method. The user must make sure to use a subscription that belongs to that tenant later on while creating the client. I wrote a small snippet to validate the above explanation.
content of package.json, for the snippet to run.
Hope this helps! I shall update the documentation to make this clear to customers. Thanks a ton for filing this issue :).
The documentation has been updated.
Thanks for your update. Sorry, but we’re having trouble signing you in. Do you have some insight about it? Thanks
Yup. I see that often. It can happen if the cookies in the browser get corrupted. Ctrl + Shift + Delete to clear cookies in the browser usually helps. You can also try incognito mode or a different browser.
I have tried to delete the cookies so many times. It didn't work at all. :(
Did you try a different browser?
Yes. I did.
The error on the webpage may also provide the correlation ID. Can you provide that to us?
Yup.
BTW, I can use the username/password to log in to portal.azure.com.
It is interesting that it has resumed working right now even though I didn't do anything special.
When calling msRestAzure.interactiveLogin(), there are two entries in the array credentials.tokenCache.
If I don't remove the first item, it will throw this exception when calling the other API.
Is there any special parameter I need to specify? I found out that as long as I remove the first entry, it will be OK.
{ [Error: The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.]
statusCode: 401,
request:
{ rawResponse: false,
queryString: {},
method: 'GET',
headers:
{ 'x-ms-client-request-id': '540f5b8a-da75-43c8-add7-7de48ec6badf',
'accept-language': 'en-US',
'Content-Type': 'application/json; charset=utf-8' },
url: 'https://management.azure.com/subscriptions/e275aaba-c903-49db-b296-ffb655cbdcad/providers/Microsoft.Compute/virtualMachines?api-version=2016-03-30',
body: null },
response:
{ body: '{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/\' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f\' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."}}',
headers:
{ 'cache-control': 'no-cache',
pragma: 'no-cache',
'content-type': 'application/json; charset=utf-8',
expires: '-1',
'www-authenticate': 'Bearer authorization_uri="https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f", error="invalid_token", error_description="The access token is from the wrong issuer. It must match the tenant associated with this subscription. Please use correct authority to get the token."',
'x-ms-failure-cause': 'gateway',
'x-ms-request-id': '4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'x-ms-correlation-request-id': '4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'x-ms-routing-request-id': 'EASTASIA:20160721T002039Z:4f1be281-ccab-4cba-a41f-ec2bd62327ae',
'strict-transport-security': 'max-age=31536000; includeSubDomains',
date: 'Thu, 21 Jul 2016 00:20:39 GMT',
connection: 'close',
'content-length': '677' },
statusCode: 401 },
code: 'InvalidAuthenticationTokenTenant',
body:
{ code: 'InvalidAuthenticationTokenTenant',
message: 'The access token is from the wrong issuer 'https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\'. It must match the tenant 'https://sts.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f/\' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ad9347a6-4a9b-4893-98ee-8198c31b794f\' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.' } }
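
A diagnostic sketch for the mismatch described in the maintainer's explanation and in the report above, added here as an example and not code from the thread or from ms-rest-azure: it reads the tenant that ARM demands from the 401's `www-authenticate` header and finds which cached token carries that tenant in its `iss` claim. The helper names and the cache-entry shape (`{ accessToken }`) are assumptions, and the tokens are constructed, unsigned samples using the two tenant IDs from the error.

```javascript
'use strict';

// Tenant GUID that ARM asks for in the 401's WWW-Authenticate challenge.
function tenantFromChallenge(wwwAuthenticate) {
  const m = /authorization_uri="https:\/\/[^/"]+\/([0-9a-f-]{36})"/i
    .exec(wwwAuthenticate || '');
  return m ? m[1].toLowerCase() : null;
}

// Tenant GUID from the token's `iss` claim. The payload is only decoded for
// diagnosis; nothing here verifies the signature.
function tenantFromToken(accessToken) {
  const parts = String(accessToken).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    const m = /^https:\/\/sts\.windows\.net\/([0-9a-f-]{36})\/?$/i
      .exec(claims.iss || '');
    return m ? m[1].toLowerCase() : null;
  } catch (err) {
    return null; // malformed token
  }
}

// Cache entry whose token was issued by the tenant the subscription belongs to.
function selectEntryForTenant(entries, tenantId) {
  return entries.find((e) => tenantFromToken(e.accessToken) === tenantId) || null;
}

// Constructed sample data: unsigned tokens carrying the two issuers from the error.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.unsigned`;
}
const WRONG = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a';
const RIGHT = 'ad9347a6-4a9b-4893-98ee-8198c31b794f';
const sampleCache = [WRONG, RIGHT].map((t) => ({
  accessToken: fakeJwt({ iss: `https://sts.windows.net/${t}/` }),
}));
const sampleChallenge =
  `Bearer authorization_uri="https://login.windows.net/${RIGHT}", error="invalid_token"`;

const required = tenantFromChallenge(sampleChallenge);
console.log('required tenant:', required);
console.log('matching cache index:',
  sampleCache.indexOf(selectEntryForTenant(sampleCache, required)));
```

The tenant returned by `tenantFromChallenge` is the value to supply as the tenant when calling interactiveLogin(), so that the credentials object is bound to the authority the subscription expects.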