ImdsManagedIdentitySource (Managed Identity authentication) exception when parsing the identity endpoint response

[v-mkmiecik]

Describe the bug
Hello,

I'm hitting an issue with the Managed Identity authentication (ManagedIdentityCredential class). I'm getting the following exception when trying to obtain an access token:
GetToken(): [json.exception.type_error.302] type must be number, but is string

The exception comes from the TokenCredentialImpl::ParseToken method in token_credential_impl.cpp when trying to obtain the expiresInPropertyName value from parsed json. It looks like the code expects json to contain a number, but the identity endpoint to which the request is sent returns a string instead.

Exception or Stack Trace
OLEDB sandbox.exe!Azure::Identity::_detail::TokenCredentialImpl::GetToken'::1'::catch$20() Line 136 C++
[External Code]
OLEDB sandbox.exe!Azure::Identity::_detail::TokenCredentialImpl::GetToken(const Azure::Core::Context & context, const std::function<std::unique_ptr<Azure::Identity::_detail::TokenCredentialImpl::TokenRequest,std::default_deleteAzure::Identity::_detail::TokenCredentialImpl::TokenRequest> __cdecl(void)> & createRequest, const std::function<std::unique_ptr<Azure::Identity::_detail::TokenCredentialImpl::TokenRequest,std::default_deleteAzure::Identity::_detail::TokenCredentialImpl::TokenRequest> __cdecl(enum Azure::Core::Http::HttpStatusCode,Azure::Core::Http::RawResponse const &)> & shouldRetry) Line 125 C++
OLEDB sandbox.exe!Azure::Identity::_detail::ImdsManagedIdentitySource::GetToken::__l2::<lambda_1>::operator()() Line 360 C++
[External Code]
OLEDB sandbox.exe!Azure::Identity::_detail::TokenCache::GetToken(const std::string & scopeString, std::chrono::duration<__int64,std::ratio<1,10000000>> minimumExpiration, const std::function<Azure::Core::Credentials::AccessToken __cdecl(void)> & getNewToken) Line 116 C++
OLEDB sandbox.exe!Azure::Identity::_detail::ImdsManagedIdentitySource::GetToken(const Azure::Core::Credentials::TokenRequestContext & tokenRequestContext, const Azure::Core::Context & context) Line 359 C++
OLEDB sandbox.exe!Azure::Identity::ManagedIdentityCredential::GetToken(const Azure::Core::Credentials::TokenRequestContext & tokenRequestContext, const Azure::Core::Context & context) Line 60 C++
OLEDB sandbox.exe!main() Line 46 C++

To Reproduce
The client application is very simple:
Azure::Core::Context context; Azure::Core::Credentials::TokenRequestContext tokenRequestContext; Azure::Core::Credentials::AccessToken accessToken; tokenRequestContext.Scopes.push_back("https://database.windows.net"); Azure::Identity::ManagedIdentityCredential managedIdentityCredential; try { accessToken = managedIdentityCredential.GetToken(tokenRequestContext, context); } catch (const std::exception& e) { std::cout << "Exception caught: " << e.what() << std::endl; }
Please note that variables such as MSI_ENDPOINT, MSI_SECRET, IDENTITY_ENDPOINT, IDENTITY_HEADER are not defined in my environment, so the CreateManagedIdentitySource function (managed_identity_credential.cpp) uses the ImdsManagedIdentitySource implementation which targets the "http://169.254.169.254/metadata/identity/oauth2/token" endpoint.

Expected behavior
The library should be able to correctly parse the json response from the identity endpoint.

Setup (please complete the following information):

• OS: Windows
• IDE : Visual Studio
• 1.4.0

Additional context
The example response from the endpoint is as follows:
{ "access_token": "...", "client_id": "...", "expires_in": "84671", "expires_on": "1687364401", "ext_expires_in": "86399", "not_before": "1687277701", "resource": "https://database.windows.net", "token_type": "Bearer" }

Please note that the "expires_in" property has a string value.
Here's another response when using the ClientSecretCredential class (different endpoint):
{ "token_type": "Bearer", "expires_in": 86399, "ext_expires_in": 86399, "access_token": "..." }

In this case, the "expires_in" value is a number (which is what the TokenCredentialImpl::ParseToken method expects).

Information Checklist

• Bug Description Added
• Repro Steps Added
• Setup information Added

[antkmsft]

Thank you Mateusz! I think the json type that server returns has changed, and we need to fix it in the SDK, I'll look into this.

[antkmsft]

The fix is available in Identity 1.5.1, which was released and is now available on github and in vcpkg registries.

[v-mkmiecik]

Anton, I was able to use v1.5.1 to obtain an access token, thank you for the quick fix!

[antkmsft]

Thanks Mateusz, I'm very glad to hear that. And also thank you for all the details you put into this issue!

I also improved the logging around token parsing (#4744), so should something like this happen the next time, you could set AZURE_LOG_LEVEL=verbose (environment variable) and then in the stderr you'll see something like

[2023-07-01T08:28:30.5602314Z] DEBUG : Identity: TokenCredentialImpl::ParseToken(): Please report an 
issue with the following details:
Token JSON: Access token property ('access_token'): string.length=2062, relative expiration property 
('expires_in'): "84671", absolute expiration property (''): undefined, other properties: 'client_id': 
string.length=36, 'expires_on': "1687364401", 'ext_expires_in': "86399", 'not_before': "1687277701", 
'resource': string.length=28, 'token_type': string.length=6.

I.e. there hopefully would be no need to debug the SDK in order to get detailed enough information to report the bug.

Although I also hope that we have it now covered once and for all :)