[Bug] acquire_token_interactive fails in Cloud Shell: Audience GUID/.default is not a supported MSI token audience. #784
Describe the bug

`acquire_token_interactive` fails in Cloud Shell: Audience GUID/.default is not a supported MSI token audience.

As an example, we use ARM's app ID `797f4846-ba00-4fd7-ba43-dac1f8f63013` (can be retrieved by `az ad sp show --id "https://management.azure.com/"`). MSAL can't get an access token for it: Azure CLI passes `797f4846-ba00-4fd7-ba43-dac1f8f63013/.default` as `scope` to MSAL, but due to the incorrect `msal.cloudshell._scope_to_resource` logic (microsoft-authentication-library-for-python/msal/cloudshell.py, lines 26 to 37 in 3f3d133), the `/.default` suffix is not removed. This is because the `/.default` suffix is removed only when `scope` is a URL. For a GUID `scope`, the `/.default` suffix is preserved.

Here is a comparison of Azure CLI's and MSAL's scope-to-resource conversion logic:

Output:
Another issue: Incorrect handling of trailing slash

MSAL's scope-to-resource conversion logic has another issue: when `scope` is `https://management.azure.com//.default`, MSAL removes not only `/.default` but also the trailing slash `/`, resulting in `https://management.azure.com`. This will also trigger failure for resources that require a trailing slash. See https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#trailing-slash-and-default

Azure CLI made a similar mistake before and fixed it in Azure/azure-cli#15698.
Azure CLI's implementation

The source code of `azure.cli.core.auth.util.scopes_to_resource`: https://github.com/Azure/azure-cli/blob/464a79cb0f9c474da1f9d426b9aaf56afcffc47a/src/azure-cli-core/azure/cli/core/auth/util.py#L87-L106

Instead of detecting whether `scope` is a URL, it detects if the `scope` ends with `/.default`. If so, it removes the `/.default` suffix.
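The two conversion strategies side by side, as an added example that is not code from this issue, MSAL or Azure CLI: `scope_to_resource_url_based` is a reconstruction of the URL-based behaviour the report describes (keep scheme and host, pass everything else through), and `scope_to_resource_suffix_based` is the suffix-stripping approach the report attributes to Azure CLI. The three scopes are the ones named in the report; the expected results follow from its text.

```python
from urllib.parse import urlparse

DEFAULT_SUFFIX = "/.default"


def scope_to_resource_url_based(scope: str) -> str:
    """Reconstruction of the URL-based conversion the report criticises
    (assumption: modelled on the report's description, not MSAL's source).

    For a URL scope only scheme://netloc survives, so '/.default' and any
    trailing slash are both dropped; a GUID scope has no scheme and is
    returned untouched, '/.default' included.
    """
    u = urlparse(scope)
    if u.scheme:
        return f"{u.scheme}://{u.netloc}"
    return scope


def scope_to_resource_suffix_based(scope: str) -> str:
    """Suffix-based conversion as the report describes Azure CLI's approach:
    strip exactly one trailing '/.default' and change nothing else."""
    if scope.endswith(DEFAULT_SUFFIX):
        return scope[: -len(DEFAULT_SUFFIX)]
    return scope


# Constructed cases taken from the report: ARM's app ID as a GUID scope, and the
# ARM URL scope with and without the resource's trailing slash.
CASES = {
    "797f4846-ba00-4fd7-ba43-dac1f8f63013/.default": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
    "https://management.azure.com/.default": "https://management.azure.com",
    "https://management.azure.com//.default": "https://management.azure.com/",
}


def compare() -> dict:
    """Return {scope: (url_based, suffix_based, expected)} for every case."""
    return {
        scope: (scope_to_resource_url_based(scope), scope_to_resource_suffix_based(scope), expected)
        for scope, expected in CASES.items()
    }


if __name__ == "__main__":
    for scope, (url_based, suffix_based, expected) in compare().items():
        flag = "OK " if url_based == expected else "BUG"
        print(f"{flag} {scope!r}: url-based={url_based!r} suffix-based={suffix_based!r}")
```

Running it flags the GUID case (suffix kept) and the double-slash case (trailing slash lost) for the URL-based version, while the suffix-based version matches the expected resource in all three.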