
az login ignores scope parameter when it's set to https://vault.azure.net/.default #29968

Closed
IanKemp opened this issue Sep 24, 2024 · 3 comments
Assignees
Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue
Milestone

Comments

@IanKemp

IanKemp commented Sep 24, 2024

Describe the bug

> az login --scope https://vault.azure.net/.default

(pops up login dialog, I do the login, login succeeds)

> az account get-access-token

and pasting the output accessToken into https://jwt.ms yields

"aud": "https://management.core.windows.net/"

when it should be https://vault.azure.net.

Thus when I try to use that access token to sign a payload using a key in a Key Vault that my user has access to, I get:

AKV10022: Invalid audience. Expected <guid>, found: https://management.core.windows.net/.

Related command

az login

Errors

As above.

Issue script & Debug output

If I run az login --scope https://vault.azure.net/.default --debug I see the following output:

msal.token_cache: event={
    "_account_id": <guid>,
    "client_id": <guid>,
    "data": {},
    "environment": "login.microsoftonline.com",
    "grant_type": "broker",
    "response": {
        "_account_id": <guid>,
        "_msalruntime_telemetry": {
            "DATA LIMITED": "Full MSALRuntime telemetry not yet implemented",
            "api_name": "SignInInteractively",
            "broker_app_used": "true",
            "client_id": <guid>,
            "correlation_id": <guid>,
            "is_successful": "true",
            "msal_version": "1.1.0+local",
            "msalruntime_version": "0.16.2"
        },
        "access_token": "********",
        "client_info": <jwt>,
        "expires_in": 3907,
        "id_token": "********",
        "id_token_claims": "********",
        "scope": "https://vault.azure.net/user_impersonation https://vault.azure.net/.default",
        "token_type": "bearer"
    },
    "scope": [
        "https://vault.azure.net/user_impersonation",
        "https://vault.azure.net/.default"
    ],
    "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
}

shortly followed by

msal.token_cache: event={
    "_account_id": <guid>,
    "client_id": <guid>,
    "data": {},
    "environment": "login.microsoftonline.com",
    "grant_type": "broker",
    "response": {
        "_account_id": <guid>,
        "_msalruntime_telemetry": {
            "DATA LIMITED": "Full MSALRuntime telemetry not yet implemented",
            "api_name": "AcquireTokenSilently",
            "broker_app_used": "true",
            "client_id": <guid>,
            "correlation_id": <guid>,
            "is_successful": "true",
            "msal_version": "1.1.0+local",
            "msalruntime_version": "0.16.2"
        },
        "access_token": "********",
        "client_info": <jwt>,
        "expires_in": 4644,
        "id_token": "********",
        "id_token_claims": "********",
        "scope": "https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default",
        "token_type": "bearer"
    },
    "scope": [
        "https://management.core.windows.net//user_impersonation",
        "https://management.core.windows.net//.default"
    ],
    "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
}

Note the scope in both instances - initially it's Key Vault as expected, but later on it is incorrectly set (overwritten?) to https://management.core.windows.net/.

Expected behavior

I am logged into Key Vault and can retrieve an access token to perform operations against it.

Environment Summary

azure-cli                         2.64.0

core                              2.64.0
telemetry                          1.1.0

Extensions:
containerapp                      0.3.46

Dependencies:
msal                              1.30.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory <elided>

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

No response

@IanKemp IanKemp added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Sep 24, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot labels Sep 24, 2024
@yonzhan
Collaborator

yonzhan commented Sep 24, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added the ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group label Sep 24, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Account az login/account labels Sep 24, 2024

@IanKemp IanKemp changed the title az login ignores scope paramater when it's set to https://vault.azure.net/.default az login ignores scope parameter when it's set to https://vault.azure.net/.default Sep 24, 2024
@IanKemp
Author

IanKemp commented Sep 24, 2024

UGH.

It helps if I pass --scope to az account get-access-token too.

> az account get-access-token --scope https://vault.azure.net/.default

yields a working token.
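Added example, not code from the issue or from the Azure CLI project: the failure above was only caught because the token was pasted into jwt.ms and its `aud` claim read by hand. The check below does that inspection locally and refuses a token whose audience is not Key Vault, so the wrong-audience case is rejected before the token is ever sent to the vault. The two sample tokens are constructed and unsigned (only the `aud` claim matters for the check); the function names, `KEY_VAULT_AUDIENCES` and the `exp` values are assumptions of this example.

```python
import base64
import json

# Audience values a Key Vault token is expected to carry. The "aud" claim may
# appear with or without a trailing slash, so both spellings are accepted.
KEY_VAULT_AUDIENCES = {"https://vault.azure.net", "https://vault.azure.net/"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is the same claim inspection jwt.ms performs: useful for checking
    which resource a token was issued for, never a substitute for the
    resource server's own signature validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, expected: set = KEY_VAULT_AUDIENCES) -> bool:
    """True if the token's aud claim names one of the expected audiences.

    RFC 7519 allows "aud" to be a string or a list of strings; both are
    handled. A trailing slash is ignored when comparing, so
    'https://vault.azure.net' and 'https://vault.azure.net/' are the same.
    """
    aud = decode_claims(token).get("aud")
    if aud is None:
        return False
    auds = aud if isinstance(aud, list) else [aud]
    normalized = {a.rstrip("/") for a in expected}
    return any(a.rstrip("/") in normalized for a in auds)


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only (no signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens standing in for `az account get-access-token` output:
# ARM_TOKEN has the audience the reporter saw without --scope on get-access-token,
# KV_TOKEN the audience obtained once --scope https://vault.azure.net/.default is passed.
ARM_TOKEN = _make_unsigned_token({"aud": "https://management.core.windows.net/", "exp": 0})
KV_TOKEN = _make_unsigned_token({"aud": "https://vault.azure.net", "exp": 0})

if __name__ == "__main__":
    for name, tok in (("arm", ARM_TOKEN), ("keyvault", KV_TOKEN)):
        verdict = "ok" if audience_matches(tok) else "WRONG AUDIENCE, do not send to Key Vault"
        print(name, decode_claims(tok)["aud"], verdict)
```

To run it against a real token, feed `audience_matches` the string printed by `az account get-access-token --scope https://vault.azure.net/.default --query accessToken -o tsv`; a token obtained without `--scope` on `get-access-token` will fail the check with the ARM audience from the report, which is exactly the AKV10022 case.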

@IanKemp IanKemp closed this as completed Sep 24, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Sep 24, 2024
@yonzhan yonzhan added this to the Backlog milestone Sep 24, 2024