Azure ChainedTokenCredential Fails after Password Change
Posted: 2021-07-13 20:00:23

[Question]:

After a password change, Azure ChainedTokenCredential fails for local development. I have been using ChainedTokenCredential to authenticate with ManagedIdentityCredential in Azure and with DefaultAzureCredential for local testing of my Function App. Everything was working as expected. Here is a code sample that works in Azure but not locally.
import os

from azure.identity import ChainedTokenCredential, DefaultAzureCredential, ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient

def get_client():
    # In Azure the managed identity wins; locally it is unavailable and the
    # chain falls through to DefaultAzureCredential.
    MSI_credential = ManagedIdentityCredential()
    default_credential = DefaultAzureCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, default_credential)
    storageurl = os.environ["STORAGE_ACCOUNT"]
    client = BlobServiceClient(storageurl, credential=credential_chain)
    return client
Last week I had to change my password, and since then I get the following error.
[2021-04-19T15:18:06.931Z] SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:06.963Z] Trace ID: xxx
[2021-04-19T15:18:06.972Z] Correlation ID: xxx
[2021-04-19T15:18:06.974Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:06.977Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.014Z] Trace ID: xxx
[2021-04-19T15:18:07.040Z] Correlation ID:
[2021-04-19T15:18:07.046Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.061Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.094Z] Trace ID: xxx
[2021-04-19T15:18:07.097Z] Correlation xxx
[2021-04-19T15:18:07.108Z] Timestamp: 2021-04-19 15:17:46Z'
[2021-04-19T15:18:07.111Z] ChainedTokenCredential.get_token failed: DefaultAzureCredential raised unexpected error "DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.147Z] Trace ID: xxx
[2021-04-19T15:18:07.181Z] Correlation ID: xxx
[2021-04-19T15:18:07.195Z] Timestamp: 2021-04-19 15:17:46Z'"
[2021-04-19T15:18:07.201Z] ChainedTokenCredential failed to retrieve a token from the included credentials.
Attempted credentials:
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
DefaultAzureCredential: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'.
[2021-04-19T15:18:07.241Z] Trace ID: xxx
[2021-04-19T15:18:07.264Z] Correlation ID: xxx
[2021-04-19T15:18:07.303Z] Timestamp: 2021-04-19 15:17:46Z'
What I have tried so far:

- Signing in and out of the VSCode Azure extension
- Signing in and out of az cli
- az account clear
- Clearing the browser cache
- Restarting the PC and VSCode
- Clearing the VSCode cache:
  C:\Users\<user>\AppData\Roaming\Code\Cache
  C:\Users\<user>\AppData\Roaming\Code\CacheData
I am using the Azure extension "Attach to Python Functions" to run the debugger. I am not sure how DefaultAzureCredential is obtaining my credentials. I believe they are stored locally, because I get the same error when running the debugger without being signed in to the Azure extension. I assumed DefaultAzureCredential would use my Azure extension login to authenticate as me, but I am not sure.

Any help would be greatly appreciated!
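The log above shows two things worth separating. First, the AADSTS50173 message carries the grant's issue time and the user's TokensValidFrom cutoff; a refresh token issued before the cutoff is dead no matter how often it is retried. Second, DefaultAzureCredential reports "SharedTokenCacheCredential raised unexpected error" and its list of attempted credentials ends there: a credential that is *unavailable* is skipped, but one that is available and fails authentication stops the chain, so any VS Code or Azure CLI login further down is never consulted. The following is an added example (not code from the question or from azure-identity) that models that iteration rule with toy exception classes and parses the error text quoted in the log; the token strings and the AzureCliCredential entry are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Toy stand-ins for the two azure.identity exception types. A chain treats them
# differently: CredentialUnavailableError means "not configured here, try the next
# credential"; anything else means authentication was attempted and failed.
class CredentialUnavailableError(Exception):
    pass

class ClientAuthenticationError(Exception):
    pass

class ChainModel:
    """Simplified model of how ChainedTokenCredential / DefaultAzureCredential iterate."""

    def __init__(self, credentials: Dict[str, Callable[[], str]]):
        self._credentials = credentials          # name -> fetch(), tried in insertion order
        self.attempted: List[str] = []

    def get_token(self) -> Tuple[str, str]:
        """Return (token, credential name) or raise the way the real chain does."""
        for name, fetch in self._credentials.items():
            self.attempted.append(name)
            try:
                return fetch(), name
            except CredentialUnavailableError:
                continue
            except ClientAuthenticationError as exc:
                # The "raised unexpected error" line in the posted log: the chain
                # stops here, so VS Code / Azure CLI logins are never consulted.
                raise ClientAuthenticationError(f"{name} raised unexpected error: {exc}") from exc
        raise ClientAuthenticationError("failed to retrieve a token from the included credentials")

# --- Reading the AADSTS50173 message ---------------------------------------
_GRANT_RE = re.compile(r"grant was issued on '([^']+)'")
_VALID_FROM_RE = re.compile(r"TokensValidFrom date .*? is '([^']+)'")

def _parse_aad_time(stamp: str) -> datetime:
    """AAD prints 7 fractional digits; datetime's %f accepts at most 6."""
    head, frac = stamp.rstrip("Z").split(".")
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=int(frac[:6].ljust(6, "0")), tzinfo=timezone.utc)

def diagnose_aadsts50173(message: str) -> Optional[dict]:
    """Return None for unrelated errors; otherwise explain why the grant is dead."""
    if "AADSTS50173" not in message:
        return None
    issued = _parse_aad_time(_GRANT_RE.search(message).group(1))
    valid_from = _parse_aad_time(_VALID_FROM_RE.search(message).group(1))
    return {
        "grant_issued": issued,
        "tokens_valid_from": valid_from,
        "revoked": issued < valid_from,
        "days_before_cutoff": (valid_from - issued).days,
        "remedy": "delete the shared MSAL cache or exclude SharedTokenCacheCredential, then sign in again",
    }

# The SharedTokenCacheCredential error text from the question's log.
AAD_ERROR = (
    "Azure Active Directory error '(invalid_grant) AADSTS50173: The provided grant has expired "
    "due to it being revoked, a fresh auth token is needed. The user might have changed or reset "
    "their password. The grant was issued on '2021-02-08T20:05:01.4240000Z' and the TokensValidFrom "
    "date (before which tokens are not valid) for this user is '2021-04-15T15:49:33.0000000Z'."
)

def raising(exc_type, message: str) -> Callable[[], str]:
    """Build a fetch() callable that fails the way a real credential would."""
    def fetch() -> str:
        raise exc_type(message)
    return fetch

def reproduce_local_failure() -> dict:
    """Mirror the posted log: a working CLI login sits behind the revoked cache entry."""
    chain = ChainModel({
        "EnvironmentCredential": raising(CredentialUnavailableError, "Environment variables are not fully configured."),
        "ManagedIdentityCredential": raising(CredentialUnavailableError, "no managed identity endpoint found."),
        "SharedTokenCacheCredential": raising(ClientAuthenticationError, AAD_ERROR),
        "AzureCliCredential": lambda: "constructed-cli-token",  # never reached
    })
    try:
        chain.get_token()
        outcome = "token"
    except ClientAuthenticationError as exc:
        outcome = str(exc)
    return {"attempted": chain.attempted, "outcome": outcome}

def reproduce_with_cache_excluded() -> dict:
    """Same chain without SharedTokenCacheCredential: the CLI login is now reached."""
    chain = ChainModel({
        "EnvironmentCredential": raising(CredentialUnavailableError, "Environment variables are not fully configured."),
        "ManagedIdentityCredential": raising(CredentialUnavailableError, "no managed identity endpoint found."),
        "AzureCliCredential": lambda: "constructed-cli-token",
    })
    _, source = chain.get_token()
    return {"attempted": chain.attempted, "source": source}
```

Running diagnose_aadsts50173 on the quoted message reports the grant as revoked, issued 65 days before the TokensValidFrom cutoff that the password change set; reproduce_local_failure stops after three credentials exactly as the log does, while reproduce_with_cache_excluded reaches the CLI login.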
[Comments]:
It looks like you have a refresh token cached from before the password change that SharedTokenCacheCredential is trying to use. It should delete the token when it hits an error like the one you are seeing. Which version of azure-identity do you have installed? As a workaround you can delete the cache the credential uses: %LOCALAPPDATA%\.IdentityService\msal.cache (doing so will sign you out of Visual Studio). Another workaround is to disable SharedTokenCacheCredential: DefaultAzureCredential(exclude_shared_token_cache_credential=True). Also, DefaultAzureCredential is a chain of credentials which includes managed identity. Unless you need ManagedIdentityCredential before EnvironmentCredential, you could simply use DefaultAzureCredential.
[Answer 1]:

After az account clear, you need to az login with your latest password, the one you can use to sign in to the Azure portal.

DefaultAzureCredential is based on the Azure Identity client library. You can skip the shared cache:

    default_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

and try authenticating through the Azure CLI.
[Discussion]:

If my reply helped, please accept it, thanks.

[Answer 2]:

Using @Charles Lowell's solution fixed this. I had trouble finding the file because I use fzf.exe (a fuzzy finder), which by default does not look in hidden folders. Deleting C:\Users\<user>\AppData\Local\.IdentityService\msal.cache worked.

Another approach I found is to use VisualStudioCodeCredential() instead of DefaultAzureCredential(). This uses the vscode extension to authenticate. I prefer this approach, but not all developers use VSCode. I am happy that DefaultAzureCredential works.
from azure.identity import ChainedTokenCredential, ManagedIdentityCredential, VisualStudioCodeCredential

def get_client():
    MSI_credential = ManagedIdentityCredential()
    vscode_credential = VisualStudioCodeCredential()
    credential_chain = ChainedTokenCredential(MSI_credential, vscode_credential)
    # pass credential_chain to BlobServiceClient as in the question
    return credential_chain
More information about DefaultAzureCredential() can be found here.

Thanks all!
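The two remedies in this thread amount to one rule: inside Azure the managed identity is all you need, and on a developer machine the shared MSAL cache should not be allowed to abort the chain. Below is an added example (not the poster's code, and not azure-identity's own) that encodes that rule so the environment detection and cache handling can be unit-tested without azure-identity installed. It assumes the managed identity endpoint variables IDENTITY_ENDPOINT (current) or MSI_ENDPOINT (older hosts) that Azure App Service and Functions set, and the Windows cache location %LOCALAPPDATA%\.IdentityService\msal.cache named in the comments; the azure.identity import is deferred into build_credential. One caveat for the VisualStudioCodeCredential route chosen above: later azure-identity releases document that credential as not working with newer versions of the VS Code Azure Account extension, so check the README of the version you pin.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# App Service / Functions expose the managed identity endpoint through these
# variables. Neither is set on a developer machine, which is the
# "no managed identity endpoint found" line in the question's log.
MSI_ENV_VARS = ("IDENTITY_ENDPOINT", "MSI_ENDPOINT")

def running_in_azure(env: Mapping[str, str]) -> bool:
    return any(env.get(var) for var in MSI_ENV_VARS)

def shared_cache_path(env: Mapping[str, str]) -> Optional[Path]:
    """%LOCALAPPDATA%\\.IdentityService\\msal.cache, the file named in the comments (Windows)."""
    base = env.get("LOCALAPPDATA")
    return Path(base) / ".IdentityService" / "msal.cache" if base else None

def choose_strategy(env: Mapping[str, str]) -> dict:
    """Pure decision logic, kept apart from azure.identity so it is unit-testable."""
    if running_in_azure(env):
        return {"credential": "ManagedIdentityCredential", "kwargs": {},
                "shared_cache": None, "shared_cache_present": False}
    cache = shared_cache_path(env)
    return {
        "credential": "DefaultAzureCredential",
        # Locally, leave the shared MSAL cache out of the chain: a refresh token
        # issued before a password change fails with AADSTS50173, and that failure
        # stops DefaultAzureCredential before it tries VS Code or the Azure CLI.
        "kwargs": {"exclude_shared_token_cache_credential": True},
        "shared_cache": str(cache) if cache else None,
        "shared_cache_present": bool(cache and cache.exists()),
    }

def build_credential(env: Mapping[str, str] = os.environ):
    """Instantiate the chosen credential. The import is local so the functions
    above run (and can be tested) on a machine without azure-identity."""
    from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

    plan = choose_strategy(env)
    if plan["credential"] == "ManagedIdentityCredential":
        return ManagedIdentityCredential()
    return DefaultAzureCredential(**plan["kwargs"])

def clear_shared_cache(env: Mapping[str, str], dry_run: bool = True) -> Optional[Path]:
    """Delete the shared cache (the fix the accepted comment describes). Returns the
    path acted on, or None when there is nothing to do. Deleting it also signs you
    out of Visual Studio, as the comment warns, so the default is a dry run."""
    cache = shared_cache_path(env)
    if cache is None or not cache.exists():
        return None
    if not dry_run:
        cache.unlink()
    return cache

if __name__ == "__main__":
    # Show what the current machine would get; pass build_credential() to
    # BlobServiceClient exactly as the question's get_client() does.
    print(choose_strategy(os.environ))
```

Keeping choose_strategy free of SDK imports means the "which credential, with which exclusions" decision can be asserted in a unit test, while build_credential is the only place that touches azure.identity; clear_shared_cache defaults to a dry run because removing the file is a visible change to the developer's sign-in state.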