Azure ChainedTokenCredential Fails after Password Change


Problem description

Azure ChainedTokenCredential fails for local development after password change. I've been using ChainedTokenCredential for several weeks to authenticate using ManagedIdentityCredential in Azure and DefaultAzureCredential for local testing of my Function App. Everything was working as expected. Here is a code example that was working and still works in Azure but not locally.

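import os
from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    # Managed identity is tried first (in Azure); DefaultAzureCredential is the local fallback
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)

    # Storage account URL comes from the environment
    storageurl = os.environ["STORAGE_ACCOUNT"]

    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client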

Last week I had to change my password and since then I get the following error.

[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID: 
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
        EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
        SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'

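What I have tried to resolve the problem:

  1. Signing in and out of the VSCode Azure extension
  2. Signing in and out of az cli
  3. az account clear
  4. Clearing the browser cache.
  5. Restarting the PC and VSCode.
  6. Clearing the VSCode cache
    • C:\Users\\AppData\Roaming\Code\Cache
    • C:\Users\\AppData\Roaming\Code\CacheData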

I am using the Azure Extension 'Attach to Python Functions' to run the debugger. I am uncertain of how DefaultAzureCredential is obtaining my credentials. I believe it is stored locally because I get the same error when running the debugger while not signed into the Azure extension. I thought DefaultAzureCredential would use my Azure Extension sign in as me to authenticate but I am uncertain.

Any help would be greatly appreciated!

Recommended answer

The issue was resolved by using @Charles Lowell's solution. I was having trouble finding the file due to using fzf.exe (fuzzy finding tool) and it does not look in hidden folders by default. Removing C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

An alternative I found was using VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the vscode extension to authenticate. I prefer this method but not all developers use VSCode. I'm glad to get DefaultAzureCredential working.

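import os
from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, VisualStudioCodeCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()  # uses the VS Code Azure extension sign-in
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)
    # Remaining lines as in the question's get_client()
    return BlobServiceClient(os.environ["STORAGE_ACCOUNT"], credential=credential_chain)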

More information on DefaultAzureCredential() can be found here.

Thanks everyone!
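Added example (not part of the original question or answer): a small triage script for a log like the one in the question. It finds which credential in the chain actually reported AADSTS50173 and checks whether the rejected grant was issued before the TokensValidFrom cutoff. The function names and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, condensed from the log in the question (same message shape).
SAMPLE_LOG = (
    "Attempted credentials:\n"
    "\tEnvironmentCredential: EnvironmentCredential authentication unavailable. "
    "Environment variables are not fully configured.\n"
    "\tManagedIdentityCredential: ManagedIdentityCredential authentication "
    "unavailable, no managed identity endpoint found.\n"
    "\tSharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) "
    "AADSTS50173: The provided grant has expired due to it being revoked, a fresh "
    "auth token is needed. The grant was issued on '2021-02-08T20:05:01.4240000Z' "
    "and the TokensValidFrom date (before which tokens are not valid) for this "
    "user is '2021-04-15T15:49:33.0000000Z'.\n"
)

# Matches only the credential that reported the AAD error itself, not its wrappers.
AAD_ERROR = re.compile(
    r"(?P<cred>\w+Credential)(?:\.get_token failed)?: Azure Active Directory error "
    r"'\((?P<oauth>\w+)\) (?P<code>AADSTS\d+):.*?"
    r"issued on '(?P<issued>[^']+)'.*?user is '(?P<valid_from>[^']+)'"
)

def parse_aad_time(value):
    """Parse the log's UTC timestamps, which carry 7 fractional digits."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    micros = (m.group(2) or "0")[:6].ljust(6, "0")  # strptime takes at most 6
    parsed = datetime.strptime(f"{m.group(1)}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)

def find_revoked_grants(log_text):
    """Map each failing credential to what its AAD error says about the grant."""
    findings = {}
    for m in AAD_ERROR.finditer(log_text):
        issued = parse_aad_time(m["issued"])
        valid_from = parse_aad_time(m["valid_from"])
        findings.setdefault(m["cred"], {
            "code": m["code"],
            "oauth_error": m["oauth"],
            # A grant issued before TokensValidFrom is rejected by Azure AD.
            "grant_predates_cutoff": issued < valid_from,
            "days_before_cutoff": (valid_from - issued).days,
        })
    return findings

if __name__ == "__main__":
    for cred, info in find_revoked_grants(SAMPLE_LOG).items():
        print(cred, info)
```

When the reporting credential is SharedTokenCacheCredential and the grant predates the cutoff, the rejected grant came from the local token cache, which is consistent with the fix in the answer (removing msal.cache).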
