`az login` fails: ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e....

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az login

Errors:

The command failed with an unexpected error. Here is the traceback:
Unable to get authority configuration for https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant_name
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 83, in __init__
    openid_config = tenant_discovery(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 151, in tenant_discovery
    raise ValueError("OIDC Discovery endpoint rejects our request")
ValueError: OIDC Discovery endpoint rejects our request

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 657, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 691, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/command_modules/profile/custom.py", line 145, in login
    subscriptions = profile.login(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/_profile.py", line 160, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/auth/identity.py", line 146, in login_with_service_principal
    cred = ServicePrincipalCredential(sp_auth, **self._msal_app_kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/azure/cli/core/auth/msal_authentication.py", line 120, in __init__
    super().__init__(service_principal_auth.client_id, client_credential=client_credential, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/application.py", line 381, in __init__
    self.authority = Authority(
  File "/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py", line 87, in __init__
    raise ValueError(
ValueError: Unable to get authority configuration for https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant_name

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Put any pre-requisite steps here…
az login --service-principal -u {} -p {} --tenant {}

Expected Behavior

Environment Summary

macOS-12.0.1-x86_64-i386-64bit, Darwin 21.1.0
Python 3.10.0
Installer: HOMEBREW

azure-cli 2.30.0

Additional Context

Issue Analytics

State:
Created 2 years ago
Comments:8 (4 by maintainers)

Top GitHub Comments

1reaction

rayluocommented, Dec 1, 2021

I have merged in the error message improvement in upstream. It will be shipped with next release of MSAL.

This issue here can be closed due to inactivity.

1reaction

rayluocommented, Nov 26, 2021

File “/usr/local/Cellar/azure-cli/2.30.0_1/libexec/lib/python3.10/site-packages/msal/authority.py”, line 151, in tenant_discovery raise ValueError(“OIDC Discovery endpoint rejects our request”) ValueError: OIDC Discovery endpoint rejects our request

This error is raised from here:

    if 400 <= resp.status_code < 500:
        # Nonexist tenant would hit this path
        # e.g. https://login.microsoftonline.com/nonexist_tenant/v2.0/.well-known/openid-configuration
        raise ValueError("OIDC Discovery endpoint rejects our request")

Indeed, the url derived from the reporter’s tenant GUID is https://login.microsoftonline.com/9a2e6147-7e4b-4c5a-b997-dfedfb47a1a3/v2.0/.well-known/openid-configuration, visit it in browser will give us an error.

Looks like @AnilPeriyedath pasted an incorrect GUID. Can you check that, Anil?

P.S.: MSAL Python ~would need to~ WILL improve the error message in this case, to help self-troubleshooting. 😕