
[BUG] Identity SDK 1.14.0 regression with Postgres

Open ccjernigan opened this issue 1 year ago • 3 comments

Describe the bug

Migrating from Azure identity Java SDK 1.13.3 to 1.14.0 breaks for Postgres (Azure Cosmos DB for Postgres) when using App Service default identity credentials. Other services, such as Redis, OpenAI, and AI Search continue to work.

Exception or Stack Trace

org.postgresql.util.PSQLException: FATAL: The access token does not have a valid audience claim. Please acquire a new token for the resource "%s".
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:711)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:213)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:268)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:273)
    at org.postgresql.Driver.makeConnection(Driver.java:446)
    at org.postgresql.Driver.connect(Driver.java:298)
    at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:139)
    at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:362)
    at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:203)
    at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:479)
    at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:568)
    at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:99)
    at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:111)
    at org.jetbrains.exposed.sql.Database$Companion.connect$lambda$7(Database.kt:196)
    at org.jetbrains.exposed.sql.Database$Companion.doConnect$lambda$3(Database.kt:170)
    at org.jetbrains.exposed.sql.transactions.ThreadLocalTransactionManager$ThreadLocalTransaction.connectio

To Reproduce

Steps to reproduce the behavior:

Code Snippet

// Imports needed by the two snippets below
import com.azure.core.credential.TokenRequestContext
import com.azure.identity.DefaultAzureCredentialBuilder
import com.zaxxer.hikari.HikariDataSource
import org.postgresql.plugin.AuthenticationPlugin
import org.postgresql.plugin.AuthenticationRequestType

// Configure finding the authentication plugin
HikariDataSource().apply {
    driverClassName = "org.postgresql.Driver"
    jdbcUrl = "jdbc:postgresql://$host:$port/$database"
    username = "$entraUserName"
    addDataSourceProperty("authenticationPluginClassName", AzureManagedAuthenticationPlugin::class.java.name)
    addDataSourceProperty("prepareThreshold", 0)
}

// pgjdbc authentication plugin: returns an access token for the Postgres scope as the password
class AzureManagedAuthenticationPlugin : AuthenticationPlugin {

    override fun getPassword(type: AuthenticationRequestType?): CharArray {
        val tokenRequestContext =
            TokenRequestContext().apply {
                addScopes(*listOf("https://token.postgres.cosmos.azure.com/.default").toTypedArray())
            }

        val defaultAzureCredential = DefaultAzureCredentialBuilder().build()

        return defaultAzureCredential.getTokenSync(tokenRequestContext).token.toCharArray()
    }
}

Expected behavior

Able to connect to database successfully.

Setup (please complete the following information):

  • OS: Linux Docker image
  • Library/Libraries: com.azure:azure-identity:1.14.0
  • Java version: 21
  • App Server/Environment: Kotlin 2.0.21
  • Frameworks: Ktor 3.0

Additional context

Rolling back to identity SDK 1.13.3 works around the issue.

I'm unable to reproduce when running locally with the Azure CLI credential. It only appears to reproduce in the App Service environment.

Information Checklist

Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issuer as an incomplete report

  • [x] Bug Description Added
  • [x] Repro Steps Added
  • [x] Setup information Added

ccjernigan, Oct 13 '24 18:10
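A diagnostic for the "valid audience claim" error reported above, as an added example that is not part of the original issue or of the Azure SDK: it decodes the payload of an access token (without verifying the signature) and compares its `aud` claim with the resource behind the requested scope. The class and method names, the regex-based claim extraction, the scope-to-resource rule and the sample tokens are assumptions constructed for illustration; which audience the server actually accepts is not stated in this thread.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TokenAudienceCheck {
    // Matches a string-valued "aud" claim; array-valued audiences are not handled.
    private static final Pattern AUD = Pattern.compile("\"aud\"\\s*:\\s*\"([^\"]*)\"");

    /** Reads "aud" from a JWT payload. The signature is NOT verified: diagnostics only. */
    static Optional<String> audienceOf(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return Optional.empty(); // not header.payload.signature
        try {
            byte[] raw = Base64.getUrlDecoder().decode(parts[1]);
            Matcher m = AUD.matcher(new String(raw, StandardCharsets.UTF_8));
            return m.find() ? Optional.of(m.group(1)) : Optional.empty();
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // payload is not valid base64url
        }
    }

    /** Assumption: the resource is the scope without its "/.default" suffix or a trailing slash. */
    static String resourceOf(String scope) {
        String suffix = "/.default";
        String r = scope.endsWith(suffix) ? scope.substring(0, scope.length() - suffix.length()) : scope;
        return r.endsWith("/") ? r.substring(0, r.length() - 1) : r;
    }

    static boolean audienceMatches(String jwt, String scope) {
        return audienceOf(jwt).map(TokenAudienceCheck::resourceOf)
                .map(a -> a.equalsIgnoreCase(resourceOf(scope))).orElse(false);
    }

    // Constructed, unsigned sample token; not issued by any identity provider.
    static String sampleJwt(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".sig";
    }

    public static void main(String[] args) {
        String scope = "https://token.postgres.cosmos.azure.com/.default";
        String ok = sampleJwt("{\"aud\":\"https://token.postgres.cosmos.azure.com\"}");
        String wrong = sampleJwt("{\"aud\":\"https://other-resource.example\"}");
        System.out.println("aud=" + audienceOf(ok).orElse("?") + " match=" + audienceMatches(ok, scope));
        System.out.println("aud=" + audienceOf(wrong).orElse("?") + " match=" + audienceMatches(wrong, scope));
    }
}
```

When running such a check against a real credential, log only the `aud` value and never the token itself.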

@billwert @g2vinay

github-actions[bot], Oct 13 '24 18:10

Thank you for your feedback. Tagging and routing to the team member best able to assist.

github-actions[bot], Oct 13 '24 18:10

Thank you @ccjernigan for reporting this issue. Will update here with the findings, as we investigate further.

g2vinay, Oct 16 '24 19:10

We have run into the exact same issue and exception. Downgrading com.azure:azure-identity to 1.13.3 also worked for us.

  • We are also using an App Service, specifically the Docker paradigm.
  • Java 17.
  • Not using Kotlin. We're using straight Java.
  • Trying to connect to an "Azure Database for PostgreSQL - Flexible Server".

Here's a snippet of our code that gets the password.

return new DefaultAzureCredentialBuilder()
        .build()
        .getTokenSync(
                new TokenRequestContext()
                        .addScopes("https://ossrdbms-aad.database.windows.net/.default"))
        .getToken();

halprin, Oct 28 '24 20:10

Obviously this issue is still open, but I want to confirm for anyone that com.azure:azure-identity version 1.14.1 did not fix this issue.

halprin, Nov 09 '24 02:11

We shipped a fix related to this in version 1.14.2. Try it out, folks, and let us know if you still run into any issues.

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.14.2</version>
</dependency>

@halprin @ccjernigan

g2vinay, Nov 16 '24 03:11

The fix appears to be working for me.

ccjernigan, Nov 16 '24 20:11

Closing as issue is resolved.

g2vinay, Nov 18 '24 18:11

It appears to be fixed for us too. Sorry, I realized that I never sent my comment earlier.

halprin, Dec 06 '24 21:12