Azure ChainedTokenCredential Fails after Password Change
Azure ChainedTokenCredential fails for local development after password change. I've been using ChainedTokenCredential for several weeks to authenticate using ManagedIdentityCredential in Azure and DefaultAzureCredential for local testing of my Function App. Everything was working as expected. Here is a code example that was working and still works in Azure but not locally.

import os

from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient


def get_client():
    # Managed identity is tried first (in Azure); DefaultAzureCredential covers local development
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)

    storageurl = os.environ["STORAGE_ACCOUNT"]

    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client

Last week I had to change my password and since then I get the following error.

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

Things I've tried to resolve the issue:

  1. Signing in and out of VSCode Azure Extension
  2. Signing in and out of az cli
  3. az account clear
  4. Clearing browser cache.
  5. Restarting PC and VSCode.
  6. Clearing VSCode Cache
    • C:\Users\<user>\AppData\Roaming\Code\Cache
    • C:\Users\<user>\AppData\Roaming\Code\CacheData

I am using the Azure Extension 'Attach to Python Functions' to run the debugger. I am uncertain of how DefaultAzureCredential is obtaining my credentials. I believe it is stored locally because I get the same error when running the debugger while not signed into the Azure extension. I thought DefaultAzureCredential would use my Azure Extension sign-in to authenticate as me, but I am uncertain.

Any help would be appreciated!

Kismet answered 19/4, 2021 at 15:39 Comment(2)
It appears you have a cached refresh token issued before the password change which SharedTokenCacheCredential is attempting to use. It should remove the token when it gets an error like the one you're seeing. Which version of azure-identity do you have installed? As a workaround, you can delete the cache the credential uses: %LOCALAPPDATA%\.IdentityService\msal.cache (doing so will log you out of Visual Studio). – Tutankhamen
Another workaround is to disable SharedTokenCacheCredential: DefaultAzureCredential(exclude_shared_token_cache_credential=True). Also, DefaultAzureCredential is a chain of credentials which includes managed identity. Unless you need ManagedIdentityCredential before EnvironmentCredential, you could simply use DefaultAzureCredential. – Tutankhamen
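As an added example (not code from the question, the comments, or the azure-identity library), here is a small stdlib-only diagnostic that reads the AADSTS50173 lines quoted above. It pulls the grant issue time and the TokensValidFrom date out of the message and flags the cached refresh token as stale when the grant predates the password reset; it also lists the credentials that DefaultAzureCredential reported trying, which shows the chain stopping at SharedTokenCacheCredential rather than moving on to a later credential. The sample log text is copied from the question (with the trace and correlation ids already redacted there); the function names and the returned dictionary layout are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first failing line from the question's log, copied verbatim.
SAMPLE_LINE = (
    "[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: "
    "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has "
    "expired due to it being revoked, a fresh auth token is needed. The user might have "
    "changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' "
    "and the TokensValidFrom date (before which tokens are not valid) for this user is "
    "'2021-04-15T15:49:33.0000000Z'."
)

# Constructed sample: the "Attempted credentials" summary DefaultAzureCredential printed
# in the same log (copied from the question; the last message is shortened).
SAMPLE_SUMMARY = """\
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed.
"""

_FAILURE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<credential>\w+)\.get_token failed:.*?"
    r"\((?P<grant>[a-z_]+)\)\s+(?P<code>AADSTS\d+)"
)
_ISSUED = re.compile(r"grant was issued on '(?P<when>[^']+)'")
_VALID_FROM = re.compile(r"TokensValidFrom date[^']*'(?P<when>[^']+)'")
_AAD_TIME = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_aad_timestamp(text):
    """Parse AAD's 'YYYY-MM-DDTHH:MM:SS.fffffffZ' form as an aware UTC datetime.

    AAD writes seven fractional digits, which strptime's %f rejects, so the
    fraction is truncated to microseconds by hand.
    """
    m = _AAD_TIME.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised AAD timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def diagnose(line):
    """Classify one azure-identity failure line; None if it is not an AADSTS failure.

    For AADSTS50173 the grant issue time is compared with TokensValidFrom: a grant
    older than that date is a cached refresh token the directory has revoked
    (here, by the password change), so the local cache, not the account, is at fault.
    """
    m = _FAILURE.search(line)
    if not m:
        return None
    result = {
        "credential": m.group("credential"),
        "grant_error": m.group("grant"),
        "code": m.group("code"),
        "issued": None,
        "valid_from": None,
        "stale_cache": False,
    }
    issued = _ISSUED.search(line)
    valid_from = _VALID_FROM.search(line)
    if result["code"] == "AADSTS50173" and issued and valid_from:
        result["issued"] = parse_aad_timestamp(issued.group("when"))
        result["valid_from"] = parse_aad_timestamp(valid_from.group("when"))
        result["stale_cache"] = result["issued"] < result["valid_from"]
    return result


def attempted_credentials(summary):
    """Return, in order, the credential names listed under 'Attempted credentials:'.

    The last name is where the chain stopped; credentials that sit later in the
    chain and do not appear were never consulted.
    """
    names = []
    in_list = False
    for raw in summary.splitlines():
        if raw.strip() == "Attempted credentials:":
            in_list = True
            continue
        m = re.match(r"\s+(\w+Credential):", raw)
        if in_list and m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    d = diagnose(SAMPLE_LINE)
    print(d["credential"], d["code"], "stale cached token:", d["stale_cache"])
    print("chain stopped at:", attempted_credentials(SAMPLE_SUMMARY)[-1])
```

Run it against a saved Functions host log to confirm, before touching anything, that the failure is a revoked cached grant (stale_cache is True) rather than a wrong account or a missing environment variable; the two workarounds from the comment (deleting msal.cache or excluding SharedTokenCacheCredential) both address exactly that case.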
The issue was resolved by using @Charles Lowell's solution. I was having trouble finding the file because I was using fzf.exe (a fuzzy finding tool), which does not look in hidden folders by default. Removing C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

An alternative I found was using VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the vscode extension to authenticate. I prefer this method but not all developers use VSCode. I'm glad to get DefaultAzureCredential working.

import os

from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, VisualStudioCodeCredential
from azure.storage.blob import BlobServiceClient


def get_client():
    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()  # authenticates with the VS Code Azure extension sign-in
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)
    return BlobServiceClient(os.environ["STORAGE_ACCOUNT"], credential=credential_chain)

More information on DefaultAzureCredential() can be found here.

Thanks to all!

Kismet answered 21/4, 2021 at 21:43 Comment(1)
Just wanna say that deleting the C:\Users\<user>\AppData\Local\.IdentityService\msal.cache file also worked to fix it for me. – Cuisse
After az account clear, you need to run az login using your latest password, the one you can use to log in to the Azure portal.

DefaultAzureCredential is based on the Azure Identity client library. You could skip the shared cache with

default_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

and try to authenticate via the Azure CLI.

Salazar answered 20/4, 2021 at 2:14 Comment(0)
I was able to fix the problem by logging in through Visual Studio 2022 Community.

Tools > Options... > Azure Service Authentication

After logging in through VS, the authentication also worked again in Rider as well as the CLI.

Vernalize answered 28/11, 2023 at 11:13 Comment(0)