6

Azure ChainedTokenCredential fails for local development after password change.

I've been using ChainedTokenCredential for several weeks to authenticate using ManagedIdentityCredential in Azure and DefaultAzureCredential for local testing of my Function App. Everything was working as expected. Here is a code example that was working and still works in Azure but not locally.

import os

from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient


def get_client():
    # In Azure the Function App's managed identity is tried first; on a dev box there is
    # no managed identity endpoint, so the chain falls through to DefaultAzureCredential.
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)

    storageurl = os.environ["STORAGE_ACCOUNT"]

    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client

Last week I had to change my password and since then I get the following error.

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

Things I've tried to resolve the issue:

  1. Signing in and out of VSCode Azure Extension
  2. Signing in and out of az cli
  3. az account clear
  4. Clearing browser cache.
  5. Restarting PC and VSCode.
  6. Clearing VSCode Cache
    • C:\Users\<user>\AppData\Roaming\Code\Cache
    • C:\Users\<user>\AppData\Roaming\Code\CacheData

I am using the Azure Extension 'Attach to Python Functions' to run the debugger. I am uncertain of how DefaultAzureCredential is obtaining my credentials. I believe it is stored locally, because I get the same error when running the debugger while not signed into the Azure extension. I thought DefaultAzureCredential would use my Azure Extension sign-in to authenticate as me, but I am uncertain.

Any help would be appreciated!

warnerm06
    It appears you have a cached refresh token issued before the password change which `SharedTokenCacheCredential` is attempting to use. It should remove the token when it gets an error like the one you're seeing. Which version of azure-identity do you have installed? As a workaround, you can delete the cache the credential uses: `%LOCALAPPDATA%\.IdentityService\msal.cache` (doing so will log you out of Visual Studio). – Charles Lowell Apr 20 '21 at 16:51
  • Another workaround is to disable `SharedTokenCacheCredential`: `DefaultAzureCredential(exclude_shared_token_cache_credential=True)`. Also, `DefaultAzureCredential` is [a chain of credentials which includes managed identity](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/identity/azure-identity#defaultazurecredential). Unless you need `ManagedIdentityCredential` before `EnvironmentCredential`, you could simply use `DefaultAzureCredential`. – Charles Lowell Apr 20 '21 at 17:05

2 Answers

7

The issue was resolved by using @Charles Lowell's solution. I was having trouble finding the file because I was using fzf.exe (a fuzzy-finding tool), which does not look in hidden folders by default. Removing C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

An alternative I found was using VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the VS Code extension to authenticate. I prefer this method, but not all developers use VS Code. I'm glad to get DefaultAzureCredential working.

import os
from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, VisualStudioCodeCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()  # authenticates as the VS Code Azure extension user
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)
    return BlobServiceClient(os.environ["STORAGE_ACCOUNT"], credential=credential_chain)

More information on DefaultAzureCredential() can be found here.

Thanks to all!

warnerm06
    Just wanna say that deleting the C:\Users\<user>\AppData\Local\.IdentityService\msal.cache file also worked to fix it for me. – Daniel Scott Apr 30 '22 at 23:24
2

After `az account clear`, you need to `az login` using your latest password, the one you can use to log in to the Azure portal.

DefaultAzureCredential is based on the Azure Identity client library. You could skip the shared cache with

from azure.identity import DefaultAzureCredential
default_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

and try to authenticate via the Azure CLI.

unknown
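Reading the log in the question together with the two answers: the "Attempted credentials" list stops at SharedTokenCacheCredential, and the message says it "raised unexpected error". That is the chain contract in azure-identity: a credential that raises CredentialUnavailableError is skipped, but a credential that actually attempts authentication and is rejected (here, a cached refresh token issued before the user's TokensValidFrom date) ends the chain, so the VisualStudioCodeCredential and AzureCliCredential that come later in DefaultAzureCredential were never consulted, which is why signing in and out of the CLI did nothing. The following is an added, offline illustration of that behaviour; it is not azure-identity code and was not posted by anyone in this thread. The class names mirror the library's, but the implementations are stand-ins, the token strings and scope are made up, and only the two timestamps are taken from the question's log. It replays the AADSTS50173 failure, parses the grant-issued and TokensValidFrom dates out of the error text to confirm the cached grant predates the password reset, and shows that leaving the shared-cache credential out of the chain (what `exclude_shared_token_cache_credential=True` does) lets the chain reach a working CLI credential.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

class CredentialUnavailableError(Exception):
    """The credential could not even try (no env vars, no managed identity endpoint)."""

class ClientAuthenticationError(Exception):
    """Authentication was attempted and Azure AD rejected it (e.g. AADSTS50173 invalid_grant)."""

@dataclass
class AccessToken:
    token: str
    source: str  # which credential produced it

def _fmt(ts: datetime) -> str:
    # AAD prints seven fractional digits, e.g. 2021-02-08T20:05:01.4240000Z
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "0Z"

def _parse(ts: str) -> datetime:
    # datetime takes at most six fractional digits, so trim the seventh before parsing
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", ts)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")), tzinfo=timezone.utc)

class StubCredential:
    """Stand-in (not the library class) for a credential that is either unavailable on this machine
    (EnvironmentCredential, ManagedIdentityCredential on a dev box) or works (AzureCliCredential
    after a fresh `az login`)."""
    def __init__(self, name: str, unavailable: str = ""):
        self.name, self.unavailable = name, unavailable
    def get_token(self, *scopes: str) -> AccessToken:
        if self.unavailable:
            raise CredentialUnavailableError(f"{self.name} authentication unavailable, {self.unavailable}")
        return AccessToken("fresh-access-token", self.name)  # made-up token value

class StaleSharedCacheCredential:
    """Stand-in for SharedTokenCacheCredential holding a refresh token from before a password reset."""
    name = "SharedTokenCacheCredential"
    def __init__(self, grant_issued: datetime, tokens_valid_from: datetime):
        self.grant_issued, self.tokens_valid_from = grant_issued, tokens_valid_from
    def get_token(self, *scopes: str) -> AccessToken:
        # AAD rejects any refresh token issued before the user's TokensValidFrom date
        if self.grant_issued < self.tokens_valid_from:
            raise ClientAuthenticationError(
                "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has "
                "expired due to it being revoked, a fresh auth token is needed. The grant was issued "
                f"on '{_fmt(self.grant_issued)}' and the TokensValidFrom date (before which tokens "
                f"are not valid) for this user is '{_fmt(self.tokens_valid_from)}'.")
        return AccessToken("cached-access-token", self.name)

class ChainedTokenCredential:
    """Models the library contract: skip past CredentialUnavailableError, stop at any other error."""
    def __init__(self, *credentials):
        self.credentials, self.attempted = credentials, []
    def get_token(self, *scopes: str) -> AccessToken:
        self.attempted = []
        for cred in self.credentials:
            try:
                return cred.get_token(*scopes)
            except CredentialUnavailableError:
                self.attempted.append(cred.name)  # not usable here, try the next one
            except Exception as ex:
                self.attempted.append(cred.name)  # a real auth failure ends the chain here
                raise ClientAuthenticationError(f"{cred.name} raised unexpected error: {ex}") from ex
        raise ClientAuthenticationError("failed to retrieve a token from the included credentials")

_AADSTS50173 = re.compile(r"issued on '([^']+)' and the TokensValidFrom date[^']*'([^']+)'")

def diagnose(message: str):
    """Pull the two timestamps out of an AADSTS50173 message; None for any other error."""
    m = _AADSTS50173.search(message)
    if "AADSTS50173" not in message or not m:
        return None
    issued, valid_from = _parse(m.group(1)), _parse(m.group(2))
    return {"grant_issued": issued, "tokens_valid_from": valid_from, "revoked": issued < valid_from}

def demo() -> dict:
    issued = _parse("2021-02-08T20:05:01.4240000Z")      # both values taken from the log above
    valid_from = _parse("2021-04-15T15:49:33.0000000Z")
    env = StubCredential("EnvironmentCredential", "environment variables are not fully configured")
    msi = StubCredential("ManagedIdentityCredential", "no managed identity endpoint found")
    cache = StaleSharedCacheCredential(issued, valid_from)
    cli = StubCredential("AzureCliCredential")
    scope, out = "https://storage.azure.com/.default", {}

    # 1. Default order: the stale cache entry comes before the CLI credential, its auth
    #    failure stops the chain, and a fresh `az login` is never consulted.
    chain = ChainedTokenCredential(env, msi, cache, cli)
    try:
        chain.get_token(scope)
        out["stale_chain"] = "token"
    except ClientAuthenticationError as ex:
        out["stale_chain"] = "error"
        out["stale_chain_attempted"] = list(chain.attempted)
        out["diagnosis"] = diagnose(str(ex))

    # 2. exclude_shared_token_cache_credential=True amounts to leaving it out of the chain.
    out["excluded_chain"] = ChainedTokenCredential(env, msi, cli).get_token(scope).source
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reproduces the log: the first chain records exactly the three credentials the question's output lists and raises, `diagnose` reports the grant as issued before TokensValidFrom, and the chain without the shared-cache credential returns a token from AzureCliCredential. The practical consequence for a local credential chain is that cached secret material placed early in the chain can block every credential behind it, so either keep the cache out of the chain on developer machines or clear the cache file the first answer names after any password reset. The VisualStudioCodeCredential route in the accepted answer depends on the VS Code Azure Account extension; azure-identity later documented that credential as not working with newer versions of that extension, so check the README for the library version you install before relying on it.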