
Storage clients should use tenant ID from authentication challenge #23678

Open
williamw-m opened this issue Oct 31, 2024 · 6 comments
Assignees
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team Storage Storage Service (Queues, Blobs, Files)

Comments


williamw-m commented Oct 31, 2024

Bug Report

We used the Python SDK for multi-tenant authentication. Our tenant is A and we want to access the blob storage in tenant B. We have set up cross-tenant authentication. In our Python SDK, our code is as follows. We can successfully access the blob storage.

# Imports added for completeness; the snippet as posted omitted them
from azure.identity import ClientSecretCredential
from azure.storage.blob import BlobServiceClient

credential = ClientSecretCredential(tenant_id=A_tenant_id,
                                    client_id=A_client_id,
                                    client_secret=A_client_secret,
                                    additionally_allowed_tenants=["*"])

blob_service_client = BlobServiceClient(account_url=blob_service_url,
                                        credential=credential)
container_client = blob_service_client.get_container_client(
    container=container_name)
blob_list = container_client.list_blobs()

But when we use the Go SDK we had an authentication issue.

// Imports assumed: sdk/azidentity and sdk/storage/azblob; the err checks were elided in the posted snippet
cred, err := azidentity.NewClientSecretCredential(A_tenantID, A_clientID, A_clientSecret,
    &azidentity.ClientSecretCredentialOptions{AdditionallyAllowedTenants: additionalTenants})
serviceClient, err := azblob.NewClient(serviceURL, cred, nil)
pager := serviceClient.NewListBlobsFlatPager(containerName, nil)

We got this authentication error.

<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>

But if we change the tenant ID in NewClientSecretCredential, then we can access the blob storage in B.

cred, err := azidentity.NewClientSecretCredential(B_tenantID, A_clientID, A_clientSecret,
    &azidentity.ClientSecretCredentialOptions{AdditionallyAllowedTenants: additionalTenants})

I think there is some bug in the Go SDK. Could you check and fix the issue?

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Oct 31, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@github-actions github-actions bot added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Oct 31, 2024
@chlowell chlowell added Storage Storage Service (Queues, Blobs, Files) feature-request This issue requires a new behavior in the product in order be resolved. and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Azure.Identity labels Oct 31, 2024
@chlowell
Member

This happens because the client doesn't specify the tenant when authenticating after receiving a challenge:

// TODO: Set tenantID when policy.TokenRequestOptions supports it. https://github.com/Azure/azure-sdk-for-go/issues/19841
return authNZ(policy.TokenRequestOptions{Scopes: s.scopes})

We'll have to ship a new version to make azblob behave like the Python SDK in this scenario. As you've discovered, you can work around this in the meantime by passing the correct tenant to the credential constructor.

@chlowell chlowell assigned tanyasethi-msft and unassigned chlowell Oct 31, 2024
@chlowell chlowell changed the title Go SDK Multi Tenant Authentication issue Storage clients should use tenant ID from authentication challenge Oct 31, 2024
@MKrkkl

MKrkkl commented Nov 8, 2024

I can confirm that passing an additional tenant ID helps with accessing Key Vault as well.

Another option seems to be downgrading this package

replace github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal => github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.1

but just using

azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{
    AdditionallyAllowedTenants: []string{"tenant-id1", "tenant-id2", "or-go-with-*"},
})

is enough in my case.

@chlowell
Member

chlowell commented Nov 8, 2024

Just to clarify, the latest Key Vault modules use tenant IDs from authentication challenges. They do this automatically; however, you usually need to set corresponding AdditionallyAllowedTenants on the credential options as well.

This issue tracks adding the same behavior to Storage modules.
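The challenge-driven tenant selection described in the two comments above (the Storage client not forwarding the tenant from the challenge, and the Key Vault modules doing so subject to AdditionallyAllowedTenants), as an added stdlib-only Go example that is not code from the Azure SDK or from anyone in this thread. It parses a constructed WWW-Authenticate Bearer challenge of the kind returned alongside InvalidAuthenticationInfo, extracts the tenant from authorization_uri, and applies the allowed-tenants rule before that tenant would be used for a token request; the sample header, the pinned authority host and all function names are my assumptions.

```go
package main

import (
	"errors"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of the WWW-Authenticate header behind the issue's InvalidAuthenticationInfo error.
const sampleChallenge = `Bearer authorization_uri="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize", resource_id="https://storage.azure.com"`
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// tenantFromChallenge returns the tenant in authorization_uri (https://<authorityHost>/<tenant>/oauth2/authorize).
// The challenge is server-controlled, so the authority host is pinned (my assumption; azidentity has its own check).
func tenantFromChallenge(header, authorityHost string) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(header[len("Bearer "):], -1) {
		params[m[1]] = m[2]
	}
	u, err := url.Parse(params["authorization_uri"])
	if err != nil || u.Scheme != "https" || !strings.EqualFold(u.Host, authorityHost) {
		return "", errors.New("authorization_uri missing or not on the expected authority")
	}
	tenant := strings.Split(strings.Trim(u.Path, "/"), "/")[0]
	if tenant == "" {
		return "", errors.New("authorization_uri carries no tenant")
	}
	return tenant, nil
}

// tenantAllowed applies the AdditionallyAllowedTenants rule: home tenant, an explicit entry, or "*".
func tenantAllowed(homeTenant string, allowed []string, tenant string) bool {
	if strings.EqualFold(tenant, homeTenant) {
		return true
	}
	for _, t := range allowed {
		if t == "*" || strings.EqualFold(t, tenant) {
			return true
		}
	}
	return false
}

func main() {
	tenant, err := tenantFromChallenge(sampleChallenge, "login.microsoftonline.com")
	println(tenant, err == nil, tenantAllowed("home-tenant", []string{"*"}, tenant))
}
```

With an empty allowed list the challenge tenant is rejected unless it is the credential's own tenant, which is exactly the failure mode the reporter hit before passing additionalTenants.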

@MKrkkl

MKrkkl commented Nov 8, 2024 via email

@tanyasethi-msft
Member

Hi @MKrkkl, thanks for reporting this. We are reviewing this issue and will have a fix in our next GA release, scheduled for January 2025.
