Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Storage clients should use tenant ID from authentication challenge #44167

Open
slashmili opened this issue Feb 12, 2025 · 2 comments
Open

Storage clients should use tenant ID from authentication challenge #44167

slashmili opened this issue Feb 12, 2025 · 2 comments
Assignees
@ibrahimrabab
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Storage Storage Service (Queues, Blobs, Files)

Comments

@slashmili
Copy link

slashmili commented Feb 12, 2025
edited
Loading

Is your feature request related to a problem? Please describe.

We used Python SDK for multi tenant authentication. Our tenant is A and we want to access the blob storage in tenant B. We have set up the cross tenant authentication. In our python SDK. Our code is as follows. We can successfully access the blob storage.

from azure.identity import ClientSecretCredential
from azure.storage.blob import BlobServiceClient
import os

TENANT_ID = "TENANT_ID_A"
CLIENT_ID = "CLIENT_ID_A"
CLIENT_SECRET = "CLIENT_SECRET_A"
STORAGE_ACCOUNT_URL = "https://tenent-b.blob.core.windows.net/"
CONTAINER_NAME = "CONTAINER_NAME_B"
credential = ClientSecretCredential(
    tenant_id=TENANT_ID, client_id=CLIENT_ID,
    client_secret=CLIENT_SECRET, 
    additionally_allowed_tenants=["*"])
blob_service_client = BlobServiceClient(account_url=STORAGE_ACCOUNT_URL, credential=credential)
container_client = blob_service_client.get_container_client(CONTAINER_NAME)
...

But when we use the Java SDK, we had the authentication issue.

    val credential = ClientSecretCredentialBuilder()
        .tenantId(tenantId)
        .clientId(clientId)
        .clientSecret(clientSecret)
        .additionallyAllowedTenants("*")
        .build()
    val blobServiceClient = BlobServiceClientBuilder().endpoint(storageAccountURL)
        .credential(credential)
        .buildClient()

    val blobContainerClient = blobServiceClient.getBlobContainerClient("CONTAINER_NAME_B")
    blobContainerClient.exists()
2025-02-12 18:10:39 [main] ERROR c.a.storage.blob.BlobContainerClient - Status code 401, "<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.RequestId:a2c5b546-201e-005c-0271-7d3564000000Time:2025-02-12T17:10:39.4624141Z</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>"

Describe the solution you'd like

I'd like that Java SDK behaves the same way as Python SDK. Based on my debugging, the Python SDK tries to access to storage and if the http status is 401, it extracts the destination tenant ID and use it to fetch the access token again: _authentication.py:167

Describe alternatives you've considered

I can extract the tenant id separately or ask our customers to provide it but I've found the python sdk solution a convenient and hide the complexity from the end user.

Additional context

The issue was reported to the go-sdk as well: Azure/azure-sdk-for-go#23678
@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Storage Storage Service (Queues, Blobs, Files) labels Feb 12, 2025
@github-actions GitHub Actions
Copy link

@ibrahimrabab @ibrandes @kyleknap @seanmcc-msft

@github-actions GitHub Actions
Copy link

Thank you for your feedback. Tagging and routing to the team member best able to assist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ibrahimrabab ibrahimrabab

Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Storage Storage Service (Queues, Blobs, Files)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@slashmili @ibrahimrabab