Description
Is your feature request related to a problem? Please describe.
We used the Python SDK for multi-tenant authentication. Our tenant is A and we want to access the blob storage in tenant B. We have set up cross-tenant authentication. In the Python SDK, our code is as follows. We can successfully access the blob storage.
```python
from azure.identity import ClientSecretCredential
from azure.storage.blob import BlobServiceClient
import os

TENANT_ID = "TENANT_ID_A"
CLIENT_ID = "CLIENT_ID_A"
CLIENT_SECRET = "CLIENT_SECRET_A"
STORAGE_ACCOUNT_URL = "https://tenent-b.blob.core.windows.net/"
CONTAINER_NAME = "CONTAINER_NAME_B"

credential = ClientSecretCredential(
    tenant_id=TENANT_ID,
    client_id=CLIENT_ID,
    client_secret=CLIENT_SECRET,
    additionally_allowed_tenants=["*"],
)
blob_service_client = BlobServiceClient(account_url=STORAGE_ACCOUNT_URL, credential=credential)
container_client = blob_service_client.get_container_client(CONTAINER_NAME)
...
```
But when we use the Java SDK, we have an authentication issue.
```kotlin
val credential = ClientSecretCredentialBuilder()
    .tenantId(tenantId)
    .clientId(clientId)
    .clientSecret(clientSecret)
    .additionallyAllowedTenants("*")
    .build()
val blobServiceClient = BlobServiceClientBuilder().endpoint(storageAccountURL)
    .credential(credential)
    .buildClient()
val blobContainerClient = blobServiceClient.getBlobContainerClient("CONTAINER_NAME_B")
blobContainerClient.exists()
```
2025-02-12 18:10:39 [main] ERROR c.a.storage.blob.BlobContainerClient - Status code 401, "<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.RequestId:a2c5b546-201e-005c-0271-7d3564000000Time:2025-02-12T17:10:39.4624141Z</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>"
Describe the solution you'd like
I'd like the Java SDK to behave the same way as the Python SDK. Based on my debugging, the Python SDK tries to access the storage and, if the HTTP status is 401, it extracts the destination tenant ID and uses it to fetch the access token again: _authentication.py:167
Describe alternatives you've considered
I can extract the tenant ID separately or ask our customers to provide it, but I've found the Python SDK solution convenient, and it hides the complexity from the end user.
Additional context
The issue was reported to the go-sdk as well: Azure/azure-sdk-for-go#23678
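
The retry-on-401 behaviour described in this issue, sketched as an added example (not code from the issue author or from either SDK): it parses the challenge header, takes the tenant ID from `authorization_uri`, and checks it against an allowlist before a token would be re-requested for that tenant. The header layout (`authorization_uri`, `resource_id`), the trusted host set and all function names are assumptions, and the sample header is constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a 401 WWW-Authenticate value; the tenant GUID is made up.
SAMPLE_CHALLENGE = (
    "Bearer authorization_uri=https://login.microsoftonline.com/"
    "11111111-2222-3333-4444-555555555555/oauth2/authorize "
    "resource_id=https://storage.azure.com"
)

# Assumption: only the public-cloud login authority is trusted.
TRUSTED_AUTHORITY_HOSTS = {"login.microsoftonline.com"}
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_challenge(header):
    """Split a 'Bearer k=v k=v' challenge into a dict of parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    for part in re.split(r"[,\s]+", rest.strip()):
        key, sep, value = part.partition("=")
        if sep:
            params[key.lower()] = value.strip('"')
    return params


def tenant_for_retry(header, home_tenant, allowed_tenants):
    """Return the tenant to request a new token from, or raise if policy forbids it."""
    params = parse_challenge(header)
    uri = urlparse(params.get("authorization_uri", ""))
    if uri.scheme != "https" or uri.hostname not in TRUSTED_AUTHORITY_HOSTS:
        raise PermissionError("challenge points at an untrusted authority")
    segments = [s for s in uri.path.split("/") if s]
    if not segments or not _GUID.match(segments[0]):
        raise ValueError("no tenant ID in authorization_uri")
    tenant = segments[0].lower()
    # The header is server-controlled: only follow it to tenants we opted into.
    allowed = {t.lower() for t in allowed_tenants}
    if tenant != home_tenant.lower() and "*" not in allowed and tenant not in allowed:
        raise PermissionError(f"tenant {tenant} is not in the allowed list")
    return tenant
```

With `["*"]` the client follows the challenge to whatever tenant the storage endpoint names; listing tenant B's ID explicitly keeps the convenience while bounding where tokens are requested.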