msgraph-sdk-powershell
msgraph-sdk-powershell copied to clipboard
microsoftgraph
Commands fail with `Unexpected exception occurred while authenticating the request.`
I can't run any commands without getting the following error:
Get-MgUser_List1: Code: generalException Message: Unexpected exception occurred while authenticating the request.
The problem seems to only occur if using -UseDeviceAuthentication as authentication method and if the command is running in a container.
While inspecting the traffic, it seems the cmdlets don't try to use a refresh token, but instead try to do the full device auth flow again and then fail silently.
Reproduce
docker pull mcr.microsoft.com/powershell
docker run --rm -it mcr.microsoft.com/powershell
Install-Module Microsoft.Graph -RequiredVersion 1.9.2 -Force
Connect-MgGraph -UseDeviceAuthentication
Get-MgUser
Debug output
PS /> Get-MgUser -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgUser begin processing with parameterSet 'List1'.
DEBUG: [Authentication]: - AuthType: 'Delegated', AuthProviderType: 'DeviceCodeProvider', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph PowerShell'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, AuditLog.Read.All, Directory.ReadWrite.All, email, Group.Read.All, openid, Policy.Read.All, profile, User.Read, User.Read.All, User.ReadWrite.All].
DEBUG: [CmdletException]: Received exception with message 'AuthenticationException - Code: generalException
Message: Unexpected exception occurred while authenticating the request.
: at Microsoft.Graph.Auth.DeviceCodeProvider.GetNewAccessTokenAsync(CancellationToken cancellationToken, AuthenticationProviderOption msalAuthProviderOption)
at Microsoft.Graph.Auth.DeviceCodeProvider.AuthenticateRequestAsync(HttpRequestMessage httpRequestMessage)
at Microsoft.Graph.AuthenticationHandler.SendAsync(HttpRequestMessage httpRequestMessage, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Microsoft.Graph.PowerShell.Users.UsersUserListUser1_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.PowerShell.Users.UsersUserListUser1_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.PowerShell.Users.UsersUserListUser1(String consistencyLevel, Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List1.ProcessRecordAsync()'
Get-MgUser_List1: Code: generalException
Message: Unexpected exception occurred while authenticating the request.
Versions
Name Value
---- -----
PSVersion 7.2.1
PSEdition Core
GitCommitId 7.2.1
OS Linux 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Name Version
---- -------
Microsoft.Graph.Authentication 1.9.2
Microsoft.Graph.Users 1.9.2
I'm facing the same issue in Azure Cloud Shell. It seems there is something wrong with LinuxTokenCache when running in a Linux container. As a workaround, using -ContextScope Process works for me. This way you can use an in-memory cache instead of LinuxTokenCache.
https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/dev/src/Authentication/Authentication.Core/TokenCache/TokenCacheStorage.cs
Same issue here when using PowerShell 7.2.3 in a nUbuntu-based dev-container. The workaround of setting ContextScope to Process worked fine here as well.
I am getting the same issue using Powershell Console in VS Code in macOS. Powershell version is 7.2.6 and Graph SDK Version 1.11.1
This can be fixed by adding seccomp profile to Docker engine that allows "add_key", "keyctl" and "request_key" calls to section with "SCMP_ACT_ALLOW" action, as mentioned here. I used this default seccomp profile.
I'm getting this on Powershell 7.3.1 in a Ubuntu 22 based container. Goes away if I add -ContextScope Process to Connect-MgGraph. For me, though, the first few commands to Mg cmdlets would succeed and then would start to fail maybe 7 or 8 in.
My seccomp profile has the syscalls identified int he previous comment allowed
@sam-mfb, is the issue still reproducible when using v2.x preview module? We are using Azure's token credentials to handle token acquisition and caching in v2.
See the changelog at https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/features/2.0/docs/upgrade-to-v2.md for more details on what's new.
I will try to test this out this week. I'll need to make a few tweaks to our scripts to use the new format of calling beta apis but shouldn't take long.
@peombwa, i can't reproduce the issue with the preview module, however the preview module does not appear to be caching credentials for me either. In other words, even without -ContextScope Process set, I'm being prompted to do device authentication every time I run Connect-MgGraph. If this is not expected I can try to troubleshoot further.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
Seeing this on Windows. PowerShell 7.3.3, Windows 10 21H1 19043.2364. Occurs with versions 1.22.0 and 1.23.0 at least.
I see it happen when I authenticate using -UseDeviceAuthentication.
Debugging shows that CustomAsyncCommandRuntime._completed is null within the same class's WaitOurTurn method, which strongly suggests the CustomAsyncCommandRuntime object is being used after Dispose.
@sam-mfb I got the same issue and tried the beta as well, but it still requires authentication every time which is unacceptable. Did you find a way to address it?
V2 has since been made generally available (GA) with a significant change to how tokens are acquired and cached - https://github.com/microsoftgraph/msgraph-sdk-powershell/releases/tag/2.0.0. Could try upgrading to v2 and let us know if the issue is still present in the new version?
Install-Module Microsoft.Graph -AllowClobber -Force
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
I have updated to V2 and I have not seen the issue any more so far. But of course this does not confirm the issue is fixed. This should be given some more time for others to observe and not closed within 10 days of V2 being released.
The bot should not have closed this issue after a response from a non-author. It is common for non-authors to also be able to reproduce the issue and provide feedback.
@alexbuzzbee, the bot closed the issue to the policy at https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1065#issuecomment-1636535891. Besides that, the issue is no longer reproducible in v2.x. Please open a new issue with detailed repro steps if you run into the issue in v2.x.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.