[BUG] [Azure.Identity] SharedTokenCacheCredential throws error "Multiple accounts matching the specified..." #18276

Closed
erich-wang opened this issue Jan 29, 2021 · 0 comments · Fixed by #18315
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage.

Comments

@erich-wang
Member

Describe the bug
Please provide the description of issue you're seeing.

This is based on the issue Azure/azure-powershell#14023 reported by an Azure PowerShell user.

If there are multiple tenants for one account, then when calling SharedTokenCacheCredential.GetToken with tenantId and with _skipTenantValidation set to true, we get the error "Multiple accounts matching the specified ...". It looks like a bug at
https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/SharedTokenCacheCredential.cs#L148-L159.
We probably need to change the logic to:

            // filter the accounts to those matching the specified user and tenant
            List<IAccount> filteredAccounts = accounts.Where(a =>
                // if _username is specified it must match the account
                ((string.IsNullOrEmpty(_username) || string.Compare(a.Username, _username, StringComparison.OrdinalIgnoreCase) == 0))
                &&
                // if _tenantId is specified it must match the account
                (string.IsNullOrEmpty(_tenantId) || string.Compare(a.HomeAccountId?.TenantId, _tenantId, StringComparison.OrdinalIgnoreCase) == 0)
            ).ToList();

            if (filteredAccounts.Count == 0 && _skipTenantValidation)
            {
                filteredAccounts = accounts.Where(a =>
                    // if _username is specified it must match the account
                    (string.IsNullOrEmpty(_username) || string.Compare(a.Username, _username, StringComparison.OrdinalIgnoreCase) == 0)
                ).ToList();
            }

            if (filteredAccounts.Count != 1)
            {
                throw new CredentialUnavailableException(GetCredentialUnavailableMessage(accounts, filteredAccounts));
            }

Expected behavior
What is the expected behavior?

Actual behavior (include Exception or Stack Trace)
What is the actual behavior?

Get the following error:

DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ]
ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [
https://management.core.windows.net//.default ] ParentRequestId: Exception:
Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable.
Multiple accounts matching the specified username: ***@ntdconsulting.com tenantId: xxx-03bf-480b-b436-5df551f9f911
were found in the cache.

To Reproduce
Steps to reproduce the behavior (include a code snippet, screenshot, or any additional information that might help us reproduce the issue)

NA

Environment:

  • Name and version of the Library package used: [Azure.Identity 1.4.0-beta.1]
  • Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects): [e.g. Azure AppService or Windows 10 .NET Framework 4.8]
  • IDE and version : [e.g. Visual Studio 16.3]
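
The filtering proposed in the issue above, as a stand-alone added example (not part of the original issue and not Azure.Identity source): `CachedAccount` is a hypothetical stand-in for MSAL's `IAccount`, and the user and tenant values are constructed. It goes beyond the reported case to show that the username-only fallback still leaves the selection ambiguous when the same username is cached under two home tenants.

```csharp
// Added illustration, not Azure.Identity source. Needs .NET 5 or later (records).
// CachedAccount is a hypothetical stand-in for MSAL's IAccount
// (Username and HomeAccountId.TenantId); all account values are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

record CachedAccount(string Username, string HomeTenantId);

static class AccountFilterDemo
{
    static bool Same(string a, string b) =>
        string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    // Filtering as proposed in the issue: exact username + home-tenant match first,
    // then a username-only fallback when tenant validation is skipped.
    static List<CachedAccount> Select(IEnumerable<CachedAccount> accounts,
        string username, string tenantId, bool skipTenantValidation)
    {
        var filtered = accounts.Where(a =>
            (string.IsNullOrEmpty(username) || Same(a.Username, username)) &&
            (string.IsNullOrEmpty(tenantId) || Same(a.HomeTenantId, tenantId))).ToList();

        if (filtered.Count == 0 && skipTenantValidation)
        {
            filtered = accounts.Where(a =>
                string.IsNullOrEmpty(username) || Same(a.Username, username)).ToList();
        }
        return filtered;
    }

    // The credential only proceeds when exactly one account is left.
    static void Report(string label, List<CachedAccount> hits) =>
        Console.WriteLine($"{label}: {hits.Count} match(es), " +
            (hits.Count == 1 ? "token request proceeds" : "CredentialUnavailableException"));

    static void Main()
    {
        const string user = "user@contoso.example";
        var oneHome = new[] { new CachedAccount(user, "tenant-home") };
        var twoHomes = new[] { new CachedAccount(user, "tenant-a"),
                               new CachedAccount(user, "tenant-b") };

        Report("guest tenant, skip on, one cached account", Select(oneHome, user, "tenant-guest", true));
        Report("guest tenant, skip off, one cached account", Select(oneHome, user, "tenant-guest", false));
        Report("home tenant a, two cached accounts", Select(twoHomes, user, "tenant-a", true));
        Report("guest tenant, skip on, two cached accounts", Select(twoHomes, user, "tenant-guest", true));
    }
}
```
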
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 29, 2021
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage. labels Jan 29, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 29, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Mar 28, 2023