[Bug] HttpClientTransport setting is not applied after MSAL upgraded to 4.71.1 #5286

Open
xula2018 opened this issue May 16, 2025 · 3 comments
Labels
bug P2 regression Behavior that worked in a previous release that no longer works in a newer release scenario:ManagedIdentity Similar-Issue

xula2018 commented May 16, 2025

Library version used

4.71.1

.NET version

.Net 472

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

The application, running on an Azure VM (tenant xxxx), directs calls to a separate Azure VM (tenant cccc), and it is from this VM that Azure API requests are sent. Access tokens were acquired from the VM (tenant cccc). After upgrading Microsoft.Identity.Client to 4.71.1, requests start failing with an error message like:

Azure.RequestFailedException: The access token is from the wrong issuer 'https://sts.windows.net/xxxx'. It must match one of the tenants 'https://sts.windows.net/cccc/,https://sts.windows.net/bbbb/' associated with this subscription. Please use any authority (URL) from 'https://sts.windows.net/ccc/,https://sts.windows.net/bbbb/ to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationTokenTenant

Relevant code snippets

// Route the credential's token requests through the custom HttpClient.
var tokenCredentialOptions = new TokenCredentialOptions()
{
    Transport = new HttpClientTransport(customHttpClient)
};

var credential = new ManagedIdentityCredential(null, tokenCredentialOptions);

// Route the ARM requests through the same custom HttpClient.
var options = new ArmClientOptions
{
    Environment = new ArmEnvironment(endpoint, authAudience),
    Transport = new HttpClientTransport(customHttpClient)
};
var client = new ArmClient(credential, subscriptionId, options);

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@xula2018 xula2018 added untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels May 16, 2025
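A diagnostic check for the symptom reported above, added here as an example and not code from the issue, MSAL or the Azure SDK: it requests a token from the credential and reads its `iss` and `tid` claims, so a token issued by the wrong tenant is caught before `ArmClient` sends it. `TokenIssuerCheck`, `EnsureTenant`, `scope` and `expectedTenantId` are hypothetical names, and the payload is decoded without signature validation, which suits a diagnostic but not an authorization decision.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using Azure.Core;

// Added diagnostic helper; the class, method and parameter names are hypothetical.
public static class TokenIssuerCheck
{
    // Decodes the payload segment of a compact JWT. The signature is NOT validated:
    // this only shows which tenant issued the token.
    public static JsonElement ReadPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWT (expected 3 segments).");

        // Convert base64url to base64 and restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));

        using (JsonDocument doc = JsonDocument.Parse(json))
            return doc.RootElement.Clone();
    }

    // Throws if the credential returns a token issued by a tenant other than
    // expectedTenantId (for the scenario above, the id of tenant "cccc").
    public static void EnsureTenant(TokenCredential credential, string scope, string expectedTenantId)
    {
        AccessToken token = credential.GetToken(
            new TokenRequestContext(new[] { scope }), CancellationToken.None);
        JsonElement payload = ReadPayload(token.Token);

        string iss = payload.TryGetProperty("iss", out JsonElement i) ? i.GetString() : null;
        string tid = payload.TryGetProperty("tid", out JsonElement t) ? t.GetString() : null;

        if (!string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Token issued by '{iss}' (tid '{tid}'), expected tenant '{expectedTenantId}'.");
    }
}
```

Calling `TokenIssuerCheck.EnsureTenant(credential, scope, expectedTenantId)` once at startup, with the same `credential` that is passed to `ArmClient`, turns the 401 `InvalidAuthenticationTokenTenant` into an early, local failure that names the issuing tenant.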

@bgavrilMS bgavrilMS added bug P2 and removed untriaged Do not delete. Needed for Automation needs attention Delete label after triage labels May 19, 2025
@bgavrilMS bgavrilMS changed the title [Bug]HttpClientTransport setting is not applied when ArmClient acquire authentication token after upgraded to 4.71.1 [Bug] HttpClientTransport setting is not applied when ArmClient acquire authentication token after upgraded to 4.71.1 May 19, 2025
@bgavrilMS
Member

@neha-bhargava - I believe this is a bug in MSAL. The new interface IMsalSFHttpClientFactory has a method GetHttpClient(callback) and this method now gets invoked every time we are in a Managed Identity scenario, even for IMDS (this bug), Arc etc.

But this should only affect ServiceFabric.

This is also affecting a bunch of tests in other libs, like UserFIC.

I propose as a solution that GetHttpClient(callback) be invoked only on ServiceFabric.

@bgavrilMS
Member

CC @chlowell and @christothes, as this bug mainly affects Azure SDK.

@xula2018 - You'll need to stay on MSAL 4.71.0 until this is fixed.

@bgavrilMS bgavrilMS changed the title [Bug] HttpClientTransport setting is not applied when ArmClient acquire authentication token after upgraded to 4.71.1 [Bug] HttpClientTransport setting is not applied afetr MSAL upgraded to 4.71.1 May 19, 2025
@bgavrilMS bgavrilMS added the regression Behavior that worked in a previous release that no longer works in a newer release label May 19, 2025
@bgavrilMS bgavrilMS changed the title [Bug] HttpClientTransport setting is not applied afetr MSAL upgraded to 4.71.1 [Bug] HttpClientTransport setting is not applied after MSAL upgraded to 4.71.1 May 19, 2025
2 participants