[BUG] LogsQueryClientBuilder.queryWorkspace fails to acquire token: scope null/.default openid profile offline_access is not valid #33062

Closed
3 tasks done
Bestyan opened this issue Jan 18, 2023 · 3 comments · Fixed by #33200
Assignees
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Bestyan commented Jan 18, 2023

Describe the bug
Using the LogsQueryClientBuilder to build a LogsQueryClient with any TokenCredential throws a MsalServiceException when querying the workspace via queryWorkspace(...).

Exception or Stack Trace

[Correlation ID: 1cb53550-f27d-437f-baf1-5d03ed9ad57e] Execution of class com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier failed.

com.microsoft.aad.msal4j.MsalServiceException: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope null/.default openid profile offline_access is not valid.
Trace ID: 7c828f9f-b5fd-411d-87f9-5f6051674200
Correlation ID: 1cb53550-f27d-437f-baf1-5d03ed9ad57e
Timestamp: 2023-01-18 07:17:23Z
	at com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:45)
	at com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:103)
	at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:34)
	at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:128)
	at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63)
	at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.acquireTokenByClientCredential(AcquireTokenByClientCredentialSupplier.java:86)
	at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.execute(AcquireTokenByClientCredentialSupplier.java:49)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run$$$capture(CompletableFuture.java:1768)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1760)
	at java.base/java.util.concurrent.ForkJoinTask.doExec$$$capture(ForkJoinTask.java:373)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)

To Reproduce
Create a LogsQueryClient object using the LogsQueryClientBuilder and try to query the workspace. Authentication will fail.

Code Snippet

LogsQueryClient client = new LogsQueryClientBuilder()
        .credential(new DefaultAzureCredentialBuilder().build())
        .buildClient();
client.queryWorkspace(
        "my-workspace-id",
        "my-query",
        new QueryTimeInterval(Duration.ofDays(1)));

Expected behavior
LogsQueryClientBuilder builds the client in such a way that it is able to acquire a BearerToken.

Setup (please complete the following information):

  • OS: Windows 10
  • IDE: IntelliJ IDEA
  • Library/Libraries: com.azure:azure-monitor-query:1.1.0
  • Java version: 17
  • App Server/Environment: Tomcat
  • Frameworks: Spring Boot 2.7.7

Additional context
I've had a look into AzureLogAnalyticsImplBuilder and the issue is the host attribute being set after the call to createHttpPipeline(). In version com.azure:azure-monitor-query:1.0.12 the host attribute is set before, avoiding the null scope issue.

Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 18, 2023
@joshfree joshfree assigned g2vinay and srnagar and unassigned srnagar Jan 19, 2023
@joshfree joshfree added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Jan 19, 2023
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jan 19, 2023
@joshfree
Member

@g2vinay could you please assist @Bestyan with this GitHub issue?

@Fabio1988
Contributor

Fabio1988 commented Jan 23, 2023

This is related to a recent change in the SDK. It was working before updating to 1.1.0.

It's the same issue for the MetricsQueryClientBuilder.

Found the issue, it's related to the fallback of host not set.

On this line it's defaulting to https://management.azure.com... But for the policy it uses the null value of host, not the default:

policies.add(new BearerTokenAuthenticationPolicy(tokenCredential, String.format("%s/.default", host)));

My previous implementation:

new MetricsQueryClientBuilder()
    .credential(getTokenCredential())
    .buildClient();

changed to:

new MetricsQueryClientBuilder()
    .endpoint("https://management.azure.com")
    .credential(getTokenCredential())
    .buildClient();
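
The failure mode discussed in this thread, as an added example that is not part of the original issue and is not Azure SDK code: formatting the token scope from a host that is still null, next to a variant that applies the default first and rejects a malformed audience before any token request is made. The class ScopeDemo and its method names are hypothetical; the default host value is the one quoted in the comment above.

```java
import java.net.URI;

/** Added illustration; ScopeDemo and its members are hypothetical, not Azure SDK code. */
public class ScopeDemo {
    // Default host named in the thread.
    static final String DEFAULT_HOST = "https://management.azure.com";

    /** Pattern from the thread: the scope is formatted from a host that may still be null. */
    static String scopeBeforeDefault(String host) {
        // %s renders a null argument as the literal text "null".
        return String.format("%s/.default", host);
    }

    /** Apply the default first, then validate the audience before it reaches the token request. */
    static String scopeAfterDefault(String host) {
        String resolved = (host == null || host.isBlank()) ? DEFAULT_HOST : host;
        URI uri = URI.create(resolved);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException(
                "Scope audience must be an absolute https URI: " + resolved);
        }
        return resolved + "/.default";
    }

    public static void main(String[] args) {
        // Unset host, scope built too early: the malformed scope from the stack trace.
        System.out.println("before default: " + scopeBeforeDefault(null));
        // Unset host, default applied first: a well-formed scope.
        System.out.println("after default:  " + scopeAfterDefault(null));
        // A stringified null that slipped through elsewhere is rejected locally
        // instead of surfacing later as a token endpoint error.
        try {
            scopeAfterDefault("null");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:       " + e.getMessage());
        }
    }
}
```

Failing at scope construction keeps the error next to the misconfigured builder rather than inside the credential's token acquisition.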

@srnagar
Member

srnagar commented Jan 27, 2023

@Bestyan and @Fabio1988 thank you for reporting this issue. I have a PR to fix this and it should be released early Feb.

@github-actions github-actions bot locked and limited conversation to collaborators Apr 30, 2023