microsoft-authentication-library-for-go
[Bug] Issuer validation failed in AKS China for WorkloadIdentity auth
Which version of MSAL Go are you using? v1.5.0
Where is the issue?
- Public client
  - [ ] Device code flow
  - [ ] Username/Password (ROPC grant)
  - [ ] Authorization code flow
- Confidential client
  - [ ] Authorization code flow
  - [ ] Client credentials:
    - [ ] client secret
    - [ ] client certificate
- Token cache serialization
  - [ ] In-memory cache
- Other (please describe)
  - [x] Workload Identity in AKS
Is this a new or an existing app? The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.
What version of Go are you using (go version)?
1.25
What operating system and processor architecture are you using (go env)?
Linux/amd64 (go env not available from user report)
Repro: Try to establish authorization to Azure KeyVault via azidentity and WorkloadIdentityCredential using the default environment variables injected by China AKS (mainly AZURE_AUTHORIZED_HOST).
Expected behavior: WorkloadIdentity authentication and retrieving an access token for an Azure resource (like KeyVault) should work without issue.
Actual behavior: The SDK failed when trying to retrieve an access token for KeyVault based on Workload Identity:
WorkloadIdentityCredential: unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery 'https://login.partner.microsoftonline.cn/<my-tenant-guid>/v2.0' does not match authority 'https://login.chinacloudapi.cn/<my-tenant-guid>/' or a known pattern
It came from the ValidateIssuerMatchesAuthority function: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L134
Possible solution: It looks like the issuer validation method incorrectly treats the legacy authorized host in China (login.chinacloudapi.cn), which is still used as the default by AKS and the Workload Identity add-on.
AZURE_AUTHORIZED_HOST is set by AKS to login.chinacloudapi.cn, which is on the trusted host list here: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L53, but issuer validation doesn't check it; it only looks at the aliases from instance discovery metadata: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/ops/authority/authority.go#L118
This could be fine, but the aliases aren't loaded because of this condition (based on trusted hosts): https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/e59524a3625784349c625cb75de443c7d4a2a94f/apps/internal/oauth/resolvers.go#L139
It looks like the ValidateIssuerMatchesAuthority function should check issuerUrl not only against the aliases list but also against the trusted host list.
Additional context / logs / screenshots
I am experiencing the same regression as well.
It's not only AKS China. The wider AKS team is experiencing this error right now, and it is extremely blocking.
We see this error returned in the scenarios when using regional Entra endpoints where there is no discovery endpoint.
Shouldn't we disable this validation when InstanceDiscoveryDisabled is set to true? Given the alias is only fetched from instance discovery?
At least we need a way out to trust the regional Entra endpoints with InstanceDiscoveryDisabled = true.
We also found this validation only works for the first request.
This validation happens in line 76: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/a35dff77ae425eace24b2a93b5ff2f124c5719e4/apps/internal/oauth/resolvers.go#L76
But the endpoint is added to cache in line 74: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/a35dff77ae425eace24b2a93b5ff2f124c5719e4/apps/internal/oauth/resolvers.go#L74
So the next request will exit (bypass validation and succeed) from line 50: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/a35dff77ae425eace24b2a93b5ff2f124c5719e4/apps/internal/oauth/resolvers.go#L50
which causes intermittent failures.
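An added example, not code from MSAL Go and not from anyone in this thread, of the two points raised above: an issuer check that, as the report proposes, also accepts a host on the trusted list rather than only the instance-discovery aliases, and a resolver that validates the discovered issuer before storing it in the endpoint cache, so that a rejected issuer is rejected on every request rather than only the first. The trusted-host contents, the tenant-segment comparison, the constructed discoveryFor responses and all names (validateIssuer, parseAuthorityURL, resolver, newResolver) are assumptions of the illustration, not MSAL's own API.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"sync"
)

// Trusted login hosts, constructed after the list the report links to; the
// exact contents (the partner host in particular) are an assumption here.
var trustedHosts = map[string]bool{
	"login.microsoftonline.com":        true,
	"login.windows.net":                true,
	"login.chinacloudapi.cn":           true, // legacy China authority, still injected by AKS
	"login.partner.microsoftonline.cn": true, // issuer host China OIDC discovery returns
}

// parseAuthorityURL returns the lower-cased host and first path segment (the
// Entra tenant: a GUID, "common", ...) of an https URL.
func parseAuthorityURL(s string) (host, tenant string, err error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", "", fmt.Errorf("invalid URL %q", s)
	}
	tenant, _, _ = strings.Cut(strings.Trim(u.Path, "/"), "/")
	return strings.ToLower(u.Hostname()), strings.ToLower(tenant), nil
}

// validateIssuer accepts the discovered issuer when its host is the authority
// host, an instance-discovery alias or a trusted host (the check the report
// proposes). The tenant-match requirement is an assumption added here.
func validateIssuer(issuer, authority string, aliases []string) error {
	ih, it, err := parseAuthorityURL(issuer)
	if err != nil {
		return err
	}
	ah, at, err := parseAuthorityURL(authority)
	if err != nil {
		return err
	}
	if it != at {
		return fmt.Errorf("issuer %q is for a different tenant than authority %q", issuer, authority)
	}
	if ih == ah || trustedHosts[ih] {
		return nil
	}
	for _, a := range aliases {
		if strings.EqualFold(a, ih) {
			return nil
		}
	}
	return fmt.Errorf("issuer from OIDC discovery %q does not match authority %q or a known pattern", issuer, authority)
}

type tenantDiscovery struct{ Issuer, TokenEndpoint string }

// resolver caches discovery per authority. fetch stands in for the network
// call and aliases for instance-discovery metadata (nil when disabled).
type resolver struct {
	mu      sync.Mutex
	cache   map[string]tenantDiscovery
	fetch   func(authority string) (tenantDiscovery, error)
	aliases []string
	fetches int // number of discovery calls made, for the demo
}

func newResolver(fetch func(string) (tenantDiscovery, error), aliases []string) *resolver {
	return &resolver{cache: map[string]tenantDiscovery{}, fetch: fetch, aliases: aliases}
}

// Resolve validates before caching. Caching first, the ordering the comment
// above describes, fails the first call and serves every later one unvalidated.
func (r *resolver) Resolve(authority string) (tenantDiscovery, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if td, ok := r.cache[authority]; ok {
		return td, nil
	}
	r.fetches++
	td, err := r.fetch(authority)
	if err == nil {
		err = validateIssuer(td.Issuer, authority, r.aliases)
	}
	if err != nil {
		return tenantDiscovery{}, fmt.Errorf("ResolveEndpoints(): %w", err)
	}
	r.cache[authority] = td
	return td, nil
}

// discoveryFor builds a constructed discovery document for the authority's
// tenant on issuerHost: "login.partner.microsoftonline.cn" reproduces the China
// response from the report; an unrelated host models a spoofed response.
func discoveryFor(authority, issuerHost string) (tenantDiscovery, error) {
	_, t, err := parseAuthorityURL(authority)
	if err != nil {
		return tenantDiscovery{}, err
	}
	base := "https://" + issuerHost + "/" + t
	return tenantDiscovery{base + "/v2.0", base + "/oauth2/v2.0/token"}, nil
}
```

With instance discovery disabled (nil aliases), the authority login.chinacloudapi.cn with the login.partner.microsoftonline.cn issuer from the report passes through the trusted-host branch and is cached after one fetch; a discovery response naming sts.attacker.example for a login.microsoftonline.com authority fails validateIssuer and, because nothing was cached, fails again on the next call instead of succeeding intermittently.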
Fixed in release 1.6.0