azure-sdk-for-js
[identity] DefaultAzureCredentials do not work properly under a proxy environment
- Package Name: @azure/identity
- Package Version: 4.0.0
- Operating system: Windows 11 Enterprise 22H2
- [ ] nodejs
- version: v20.11.1
- [ ] browser
- ~name/version:~
- [ ] typescript
- version: 4.9.5
- Is the bug related to documentation in
- [ ] README.md
- [ ] source code documentation
- [ ] SDK API docs on https://docs.microsoft.com
Describe the bug
The DefaultAzureCredential will attempt to authenticate via the following mechanisms in order:
- Environment -> Workload Identity -> Managed Identity -> Azure Developer CLI -> Azure CLI -> Azure PowerShell
However, when under a proxy environment, the DefaultAzureCredential is unable to utilize mechanisms beyond Managed Identity. Specifically, within a proxy environment, authentication with Managed Identity fails because it attempts to access the Managed Identity endpoint (169.254.169.254) and encounters an error, which prevents it from proceeding to the Azure Developer CLI credentials.
To Reproduce
Steps to reproduce the behavior: "Note: Use Fiddler as an alternative to Proxy."
- Save the following source code.
  ```js
  const { DefaultAzureCredential } = require("@azure/identity");

  async function main() {
    // Walks the default credential chain and requests an ARM token.
    const credential = new DefaultAzureCredential();
    const token = await credential.getToken(
      "https://management.azure.com/.default"
    );
    console.log("Token:", token.token);
    console.log("Expires On:", token.expiresOnTimestamp);
  }

  main().catch((error) => {
    console.error("An error occurred:", error);
  });
  ```
- Open Command Prompt.
- Set the environment variables:
  ```bat
  set AZURE_LOG_LEVEL=verbose
  rem Proxy settings for Fiddler. Keep comments on their own line:
  rem cmd.exe would store a trailing "# ..." as part of the value.
  set https_proxy=http://localhost:8888/
  set http_proxy=http://localhost:8888/
  ```
- Launch Fiddler.
- Execute the file from step 1
  ```bat
  node main.js
  ```
Expected behavior
The behavior should be the same as when not under a proxy environment: authentication should be attempted using the credentials of Azure Developer CLI -> Azure CLI -> Azure PowerShell, without stopping at Managed Identity.
Additional context
- Setting the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST to empty can circumvent the issue.
- Although I cannot reproduce it in my environment, I have confirmed that in a different proxy environment, a 403 error occurs, and it stops at the authentication with Managed Identity.
For some reason, the proxyPolicy isn't used for the internal IdentityClient?
Hiya @iamkdada - You're quite right that Managed Identity does not work with a proxy, as documented in our TROUBLESHOOTING guide.
The bug you described, however, is actually slated to be fixed in our next GA release (4.5.0), which will go out in October. We will ensure ManagedIdentityCredential throws the correct error, so that DefaultAzureCredential is able to continue to the next credential in the chain. Appreciate your patience, and I apologize for the delay in answering here.
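A simplified model of the chain behaviour discussed in this thread, added here as an example (not code from the issue or from @azure/identity): a chain that advances only on an "unavailable" error stops at Managed Identity when the proxy turns the endpoint probe into some other error. `runChain`, `fakeCredential`, the local `CredentialUnavailableError` class and all tokens and error messages are constructed for illustration.

```javascript
// Simplified model of a credential chain (hypothetical names, not @azure/identity source).
// Assumption: the chain moves on only when a credential reports itself "unavailable";
// any other error is treated as a real authentication failure and stops the chain.
class CredentialUnavailableError extends Error {
  constructor(message) {
    super(message);
    this.name = "CredentialUnavailableError";
  }
}

// Build a fake credential whose getToken() either throws or returns a constructed token.
function fakeCredential(name, outcome) {
  return {
    name,
    async getToken() {
      if (outcome instanceof Error) throw outcome;
      return { token: outcome, expiresOnTimestamp: 0 };
    },
  };
}

// Try each credential in order; report which one produced the token, or where it stopped.
async function runChain(credentials) {
  const tried = [];
  for (const credential of credentials) {
    tried.push(credential.name);
    try {
      const accessToken = await credential.getToken();
      return { ok: true, source: credential.name, tried, token: accessToken.token };
    } catch (err) {
      if (err.name === "CredentialUnavailableError") continue; // fall through to next
      return { ok: false, stoppedAt: credential.name, tried, error: err.message };
    }
  }
  return { ok: false, stoppedAt: null, tried, error: "no credential available" };
}

// Constructed scenarios: the same failed endpoint probe surfaced as two error types.
const viaProxyBuggy = [
  fakeCredential("ManagedIdentityCredential", new Error("403 from proxy (constructed)")),
  fakeCredential("AzureCliCredential", "constructed-cli-token"),
];
const viaProxyFixed = [
  fakeCredential("ManagedIdentityCredential",
    new CredentialUnavailableError("endpoint unreachable (constructed)")),
  fakeCredential("AzureCliCredential", "constructed-cli-token"),
];

runChain(viaProxyBuggy).then((r) => console.log("buggy:", r));
runChain(viaProxyFixed).then((r) => console.log("fixed:", r));
```

With `AZURE_LOG_LEVEL=verbose` set as in the reproduction steps, the last credential named in the log before the error is the real-world counterpart of `stoppedAt`.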
Hi @iamkdada. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Hi @iamkdada, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.