[BUG] Unable to request token with custom scope
Library name and version
Azure.Identity 1.8.2, Microsoft.NET.Sdk.Functions 3.1.2
Describe the bug
I'm using Azure.Identity from a Function App (runtime 3), calling the DefaultAzureCredential() class. I've already activated the Managed Identity for the Function App. I'm calling GetTokenAsync to get a token for another app which exposes an API, using this code. The scope is in the format "api://someguid/.default":
using Azure.Core;
using Azure.Identity;

var scope = "api://<guid>/.default"; // app ID URI of the target API, with the .default suffix
var tokenCredential = new DefaultAzureCredential();
var tokenResponse = await tokenCredential.GetTokenAsync(
    new TokenRequestContext(new[] { scope }),
    cancellationToken
);
The API I'm trying to get access to is authenticated using Easy Auth from the portal. This auth results in a new app registration being created in Azure Active Directory. I've also created App Roles for the API and assigned an app role to my Managed Identity using the PowerShell command New-AzureADServiceAppRoleAssignment.
Expected behavior
I would expect to retrieve a token, or at least get a more specific error than the 500.
Actual behavior
The code throws an exception when calling GetTokenAsync, with a 500 Internal Server Error: Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error). As a side note, if I change the scope to e.g. "https://<your-key-vault-name>.vault.azure.net/" it gets the token properly.
Reproduction Steps
1. Create an app service with Easy Auth activated - name: MyAPIApp
2. Get the App Registration linked to the Easy Auth of MyAPIApp
3. Create a new Azure Function with HttpTrigger in Visual Studio
4. Import the assembly Azure.Identity
5. Retrieve the token for the Managed Identity using the code above and the scope from the App Registration of MyAPIApp
6. Publish the Function App to Azure - name: MyFunctionApp
7. Run the HTTP trigger to execute the Function
8. The error 500 appears
Environment
Microsoft Visual Studio Enterprise 2019 v. 16.10.3
Azure Function runtime 3.x
Issue Analytics
- Created 6 months ago
- Comments:10 (5 by maintainers)

After removing the ManagedClientId I ran the app locally with verbose logging and got the message that the app with api://guid/.user_impersonation wasn't found in my tenant. So I just removed the /.user_impersonation and things started to change. I noticed that the proper scope was api://guid/.default or only api://guid. After that, I added the Managed Identity to the users allowed to run the Enterprise App (the API app has Assignment Required set to yes) and the token was properly issued. Thank you for letting me dig into the issue. I'll raise an issue on the docs, as the specific flow (App Identity and Permissions) could be described a little better (IMHO).
Hi @ganniaiuei, since you haven't asked that we "/unresolve" the issue, we'll close this out. If you believe further discussion is needed, please add a comment "/unresolve" to reopen the issue.
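As an added example (not code from the issue, its reporter, or the Azure SDK), the helper below captures what the thread converged on. On the managed identity path, Azure.Identity turns the requested scope into a resource by removing a trailing /.default and sending the remainder to the token endpoint, so api://<guid>/.default and the bare api://<guid> both name the API, while a delegated-permission scope such as api://<guid>/.user_impersonation is passed through as a resource the tenant does not know and the request fails. The ScopeHelper and ApiTokenClient names, the API_SCOPE environment variable and the sample GUID are this example's own; it needs the Azure.Identity NuGet package, and the live token request at the end runs only when API_SCOPE is set, so the scope validation can be exercised offline.

```csharp
// Added example, not from the issue or the Azure SDK. Assumes the Azure.Identity
// NuGet package; ScopeHelper, ApiTokenClient and API_SCOPE are this example's own names.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ScopeHelper
{
    private const string DefaultSuffix = "/.default";

    // Mirrors how Azure.Identity maps a scope to a managed-identity resource:
    // a trailing "/.default" is removed, anything else is sent as-is. One check
    // is added that the SDK does not make: a "/.<permission>" suffix other than
    // .default is a delegated scope, which an app-only token request cannot use.
    public static string ToResource(string scope)
    {
        if (string.IsNullOrWhiteSpace(scope))
            throw new ArgumentException("Scope must not be empty.", nameof(scope));

        if (scope.EndsWith(DefaultSuffix, StringComparison.Ordinal))
            return scope.Substring(0, scope.Length - DefaultSuffix.Length);

        int slash = scope.LastIndexOf('/');
        bool hasPermissionSuffix =
            slash > scope.IndexOf("//", StringComparison.Ordinal) + 1 // past the scheme
            && slash < scope.Length - 1
            && scope[slash + 1] == '.';
        if (hasPermissionSuffix)
            throw new ArgumentException(
                $"'{scope}' names a delegated permission; request " +
                $"'{scope.Substring(0, slash)}{DefaultSuffix}' or the bare app ID URI instead.",
                nameof(scope));

        return scope; // bare app ID URI or resource URL (a trailing slash is fine)
    }
}

public static class ApiTokenClient
{
    public static async Task<AccessToken> GetApiTokenAsync(
        TokenCredential credential, string scope, CancellationToken ct = default)
    {
        ScopeHelper.ToResource(scope); // fail fast on a malformed scope, before any network call
        try
        {
            return await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);
        }
        catch (AuthenticationFailedException ex)
        {
            // The SDK message carries the HTTP status but not the scope; include it
            // so a wrong scope is obvious in the Function App log.
            throw new InvalidOperationException(
                $"Token request for scope '{scope}' failed: {ex.Message}", ex);
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed inputs (dummy GUID): the forms the thread tried and the ones that worked.
        var samples = new[]
        {
            "api://11111111-2222-3333-4444-555555555555/.default",
            "api://11111111-2222-3333-4444-555555555555",
            "https://my-vault.vault.azure.net/",
            "api://11111111-2222-3333-4444-555555555555/.user_impersonation",
        };
        foreach (var s in samples)
        {
            try { Console.WriteLine($"{s} -> resource {ScopeHelper.ToResource(s)}"); }
            catch (ArgumentException ex) { Console.WriteLine($"{s} -> rejected: {ex.Message}"); }
        }

        // Live request only when API_SCOPE is set (needs a managed identity or a developer login).
        var live = Environment.GetEnvironmentVariable("API_SCOPE");
        if (live is null) return;
        var token = await ApiTokenClient.GetApiTokenAsync(new DefaultAzureCredential(), live);
        Console.WriteLine($"token acquired, expires {token.ExpiresOn:u}");
    }
}
```

The validation does not replace the authorization step the reporter also needed: with "Assignment required" enabled on the API's enterprise application, the managed identity must additionally be assigned an app role (as the thread describes with New-AzureADServiceAppRoleAssignment) or the token request is refused even with a well-formed scope.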