Azure Identity => ERROR in getToken() call with microsoft-graph

huangapple go评论72阅读模式
英文:

Azure Identity => ERROR in getToken() call with microsoft-graph

问题

我们将一个小型的Java Spring Boot应用程序从本地迁移到云端,该应用程序用于从Office365获取电子邮件。在迁移的同时,进行了很多基础设施的更改。在此之前,该应用程序使用了代理,但在我们的新设置中,代理不再存在,我们只需要打开防火墙规则,以便让我们的应用程序访问正确的外部URL。

我可以在microsoft-graph jar包中看到主要的URL是https://graph.microsoft.com/v1.0,所以我请求打开了这个路由。但是当我部署到我们托管的Kubernetes上时,它无法检索电子邮件,我只是得到了以下错误:

Azure Identity => 在请求范围为 [https://graph.microsoft.com/.default] 的 getToken() 调用中发生错误:使用用户名和密码获取令牌失败。要解决此问题,请参考此处的故障排除指南:https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot

连接到容器后,对https://graph.microsoft.com/v1.0的curl请求是成功的,所以路由是打开的。

在我的本地机器上运行代码时,它总是正常工作的。因此,凭证是正确的。

我真的不知道该怎么办了...我不明白为什么在部署到我们的常规环境时它不起作用。

英文:

We migrated one small java Spring Boot application that fetches emails from Office365, from on-prem to the cloud - a lot of infrastructure was changed at the same time. Before, the application was using a proxy, but in our new setup, the proxy is not here anymore, and we "simply" need to open firewall rules to let our application access the right external URLs.

I can see in microsoft-graph jar that the main URL is https://graph.microsoft.com/v1.0 , so I requested the route opening. but when I deploy in our managed Kubernetes, it fails to retrieve the email, I simply get :

Azure Identity => ERROR in getToken() call for scopes [https://graph.microsoft.com/.default]: Failed to acquire token with username and password. To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot

When connecting to the container, a curl to https://graph.microsoft.com/v1.0 is successful, so the route is open.

When running the code on my machine, it has always worked. So the credentials are correct.

I am really not sure how to proceed here.. I don't understand why it doesn't work when deployed in our regular environment(s)

答案1

得分: 0

这是我采取的步骤:

  • 由于它在我的机器上运行,我仔细查看了调试日志
  • 我特别关注了所做的调用,并发现不仅有https://graph.microsoft.com/v1.0。通过reactor.netty.http.client.HttpClientConnect记录的有趣(经过编辑的)行是:
    15:19:09.978 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-1 - R:login.microsoftonline.com] 正在应用处理程序:{uri=https://login.microsoftonline.com/common/userrealm/firstname.lastname@my-domain.com?api-version=1.0,method=GET}
    15:19:10.780 [reactor-http-nio-2] DEBUG reactor.netty.http.client.HttpClientConnect - [id:4952bd80-1 - R:some.internal.domain.com] 正在应用处理程序:{uri=https://some.internal.domain.com/foo/services/trust/mex,method=GET} 
    15:19:10.989 [reactor-http-nio-2] DEBUG reactor.netty.http.client.HttpClientConnect - [id:4952bd80-2 - R:some.internal.domain.com] 正在应用处理程序:{uri=https://some.internal.domain.com/foo/services/trust/13/usernamemixed,method=POST}
    15:19:11.306 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-2 - R:login.microsoftonline.com] 正在应用处理程序:{uri=https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize,method=GET}
    15:19:11.448 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-3 - R:login.microsoftonline.com] 正在应用处理程序:{uri=https://login.microsoftonline.com/organizations/oauth2/v2.0/token,method=POST}

所以我们清楚地看到先是对 login.microsoftonline.com 的第一次调用,然后是对某个内部域的调用(我猜是某种额外身份验证的额外步骤..)- 我并不知道这个步骤,因为它是“自动魔法”发生的。

它在我的机器上工作,因为基于URL的调用路由自动发生。但是在部署时,由于不再有代理,它就不再发生了,并且在调用 https://some.internal.domain.com/foo/services/trust/mex 时,应用程序会超时。

所以我现在想有两个选择:

  • 在新环境中设置代理,与之前的情况类似
  • ProxyOptions中调整选项,根据URL模式手动进行路由,并将其用于我注入到GraphServiceClient中的httpClient中。
英文:

Here's how I proceeded :

  • since it is running on my machine, I had a closer look at the debug logs
  • I especially looked at the calls that were made, and I found that there were more than https://graph.microsoft.com/v1.0. the interesting (edited) lines are the ones logged by reactor.netty.http.client.HttpClientConnect :
    15:19:09.978 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-1 - R:login.microsoftonline.com] Handler is being applied: {uri=https://login.microsoftonline.com/common/userrealm/firstname.lastname@my-domain.com?api-version=1.0, method=GET}
    15:19:10.780 [reactor-http-nio-2] DEBUG reactor.netty.http.client.HttpClientConnect - [id:4952bd80-1 - R:some.internal.domain.com] Handler is being applied: {uri=https://some.internal.domain.com/foo/services/trust/mex, method=GET} 
    15:19:10.989 [reactor-http-nio-2] DEBUG reactor.netty.http.client.HttpClientConnect - [id:4952bd80-2 - R:some.internal.domain.com] Handler is being applied: {uri=https://some.internal.domain.com/foo/services/trust/13/usernamemixed, method=POST}
    15:19:11.306 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-2 - R:login.microsoftonline.com] Handler is being applied: {uri=https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize, method=GET}
    15:19:11.448 [reactor-http-nio-1] DEBUG reactor.netty.http.client.HttpClientConnect - [id:feb11a80-3 - R:login.microsoftonline.com] Handler is being applied: {uri=https://login.microsoftonline.com/organizations/oauth2/v2.0/token, method=POST}

So we clearly see that there's a first call to login.microsoftonline.com, and then to some internal domain (for some extra authentication of some kind I guess..) - I was not aware of that step, since it happens "auto-magically"..

It works on my machine because the routing of the calls based on the URL happens automatically. But when deployed, now that there's no proxy anymore, it doesn't happen and the application gets a timeout when calling https://some.internal.domain.com/foo/services/trust/mex .

So I guess I now have 2 options :

  • set up a proxy in the new environment, more or less like it was before

  • play with the options in ProxyOptions , to do the routing myself based on the URL pattern, and use it in an httpClient that I inject in the GraphServiceClient.

huangapple
  • 本文由 发表于 2023年3月31日 21:48:28
  • 转载请务必保留本文链接:https://go.coder-hub.com/75899293.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定