
[QUERY] - Get AAD Auth token from Azure Commercial to Azure Gov Cloud - is it possible? #16622

Closed
tapasudenia opened this issue Jul 28, 2021 · 2 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@tapasudenia

Query/Question
I am working on one project which is the integration of an app hosted in Azure commercial cloud with an app hosted in Azure Gov Cloud (.us). I need to get an AAD auth token for an app registration present in the commercial cloud with the scope of an app registration created in Azure Gov Cloud.

Scenario

app registration id: app-reg-a-id
Tenant: some-commercial-tenant-a

app registration id: app-reg-b-id
Tenant: some-usgov-tenant-a

Referring to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

  1. This is my Postman request
    POST - https://login.microsoftonline.com/common/oauth2/v2.0/token
    grant_type - client_credentials
    client_id - app-reg-a-id
    client_secret - app-reg-a-secret-value
    scope- app-reg-b-id/.default

Error:
AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials

I tried setting tenant value too, get the same error.

  2. Also I tried using the Azure Identity package - https://www.npmjs.com/package/@azure/identity
    Sample Code:

// ClientSecretCredential has to be imported for the snippet to run.
const { ClientSecretCredential } = require("@azure/identity");

const newToken = async () => {
  // appSecret is defined elsewhere in the calling code.
  process.env.AZURE_CLIENT_SECRET = appSecret;
  // Scope of the app registration in the US Gov tenant.
  const scope = "app-reg-b-id/.default";
  const credential = new ClientSecretCredential(
    "some-usgov-tenant-a",
    "app-reg-a-id",
    "app-reg-a-secret-value",
    {
      authorityHost: "https://login.microsoftonline.us",
    },
  );
  const { token: aadToken } = await credential.getToken(scope);
  return aadToken;
};

Error: AADSTS700016 - Application with identifier 'app-reg-a-id' was not found in the directory 'some-usgov-tenant-a'

Also tried changing the authorityHost to https://login.microsoftonline.com

Error: AADSTS900382: Confidential Client is not supported in Cross Cloud request.

Question:

  1. Is it possible to auth app registrations created in different clouds, commercial auth to US Gov?
  2. If it is not possible, can someone please share some examples or reference for this as a workaround?
  3. How to use the global - https://login.microsoftonline.com/common/oauth2/v2.0/token to get the token cross cloud? Please share examples if it is possible.
  4. Can someone point out if I am doing anything wrong?

Please share any other thoughts.

@jsquire jsquire transferred this issue from Azure/azure-sdk-for-net Jul 28, 2021
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 28, 2021
@ramya-rao-a ramya-rao-a added Azure.Identity Client This issue points to a problem in the data-plane of the library. labels Jul 29, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jul 29, 2021
@sadasant
Contributor

sadasant commented Aug 2, 2021

@tapasudenia Hello, Mr Udenia! I’m Daniel. I’ll be doing my best to help you!

First, I’ll answer your questions. Second, I’ll ask you some :)

Your questions:

Is it possible to auth app registrations created in different clouds, commercial auth to US Gov?

Yes, it is! We’re working on a sample for this scenario, but essentially, you can send the most appropriate authorityHost through the credentials’ constructor. We provide a set of common values through the AzureAuthorityHosts interface. So, for the US Government cloud, you could instantiate a credential this way:

const identity = require("@azure/identity");
// Tenant id, client id and client secret are the three required positional
// arguments of ClientSecretCredential; the options object carrying
// authorityHost is the fourth. The angle-bracket values are placeholders.
const credential = new identity.ClientSecretCredential(
    "<tenant-id>",
    "<client-id>",
    "<client-secret>",
    {
        authorityHost: identity.AzureAuthorityHosts.AzureGovernment
    }
);

How to use the global - https://login.microsoftonline.com/common/oauth2/v2.0/token to get the token cross cloud? Please share examples if it is possible.

I believe you’ll need to use https://login.microsoftonline.us/ to access the Government cloud! Other common endpoints are: https://login.chinacloudapi.cn/ for China, or https://login.microsoftonline.de/ for Germany.

My questions:

Are you expecting to use app-reg-b-id in the scope?

Generally, I see scopes that represent the permissions given to the app registration on the API permissions section of your application in the portal. For example, one scope that is generally available is https://graph.microsoft.com/.default, as Microsoft Graph is enabled by default on most app registrations.

Are you able to reproduce the same problem with a scope like https://graph.microsoft.com/.default (or, for example, https://vault.azure.net/.default in case you’re working with a Key Vault)?

What services are you expecting to reach with this credential? I can help you find an appropriate scope.
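A check that follows naturally from the authorityHost discussion above, added here as an example (not code from the issue or from @azure/identity): after a token is acquired, confirm that its issuer, tenant and audience match the authority host, tenant and scope the credential was configured with, so a token minted by the wrong cloud is caught before it is sent anywhere. It assumes the v2.0 issuer format `https://<authorityHost>/<tenantId>/v2.0` and that a `<app-id>/.default` scope yields an `aud` equal to the app id; the sample tokens are constructed and unsigned.

```javascript
// Authority hosts named in the thread, keyed like AzureAuthorityHosts.
const AUTHORITY_HOSTS = {
  AzurePublicCloud: "https://login.microsoftonline.com",
  AzureGovernment: "https://login.microsoftonline.us",
  AzureChina: "https://login.chinacloudapi.cn",
  AzureGermany: "https://login.microsoftonline.de",
};

// Decode the JWT payload only. This is a client-side sanity check on the
// token's origin, not signature validation, which the receiving API performs.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare iss/tid/aud with the authority host, tenant and scope used to
// request the token. Returns { ok, problems, claims }.
function checkTokenOrigin(jwt, { authorityHost, tenantId, scope }) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  // Assumed v2.0 issuer layout: <authorityHost>/<tenantId>/v2.0
  const expectedIssuer = `${authorityHost.replace(/\/$/, "")}/${tenantId}/v2.0`;
  if (claims.iss !== expectedIssuer) {
    problems.push(`issuer ${claims.iss} does not match ${expectedIssuer}`);
  }
  if (claims.tid !== tenantId) {
    problems.push(`tid ${claims.tid} does not match ${tenantId}`);
  }
  // "app-reg-b-id/.default" -> expected audience "app-reg-b-id" (assumption)
  const resource = scope.replace(/\/\.default$/, "");
  if (claims.aud !== resource) {
    problems.push(`aud ${claims.aud} does not match ${resource}`);
  }
  return { ok: problems.length === 0, problems, claims };
}

// Constructed, unsigned sample token for demonstration only (not a real AAD token).
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

module.exports = { AUTHORITY_HOSTS, decodeJwtPayload, checkTokenOrigin, makeSampleJwt };
```

Run `checkTokenOrigin` on a real token returned by `credential.getToken(scope)` with the same authorityHost, tenant and scope passed to the credential; any entry in `problems` means the token did not come from the cloud you configured.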

@sadasant sadasant added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Aug 4, 2021
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Aug 11, 2021
@ghost

ghost commented Aug 11, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Aug 27, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
This issue was closed.