
Refreshing OnBehalfOf token does not work #21981

@HaraldVanWoerkom

Description

  • Package Name: azure.identity.aio
  • Package Version: 1.7.1
  • Operating System: Windows
  • Python Version: 3.8.10

Describe the bug
If the OnBehalfOfCredential from azure.identity.aio is used, the token is not refreshed properly, while OnBehalfOfCredential from azure.identity does refresh the token.

The root cause:
azure.identity.OnBehalfOfCredential uses msal to handle the token, while azure.identity.aio.OnBehalfOfCredential uses an internal AadClient. This AadClient does two things differently from msal:

  • Msal automatically adds the openid, profile, and offline_access scopes
  • Msal includes the client_secret in the refresh request

Without the client_secret, the authority server returns:
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
I cannot find a reference to this error and the documentation also suggests that it should not be needed for refresh tokens, but the error itself is self-explanatory.
Note that OnBehalfOfCredential swallows this error and continues using the old token. When this token finally expires we get an error that the assertion token has expired (which is correct, but this hides the underlying problem).

To Reproduce
Steps to reproduce the behavior:

  1. Create an OnBehalfOfCredential object with client_secret
  2. Create an object that uses this async credential, in our case adlfs.AzureBlobFileSystem
  3. Every minute, do an operation on the object that requires a token (e.g. exists())
  4. After 60-90 minutes, an exception is raised that explains that the assertion token is out-of-date

Expected behavior
The operation should continue to succeed for a long time (refresh tokens are long-running tokens)

Screenshots

Additional context
Note that if the synchronous variant of OnBehalfOfCredential is used and an object that uses it (e.g. BlobServiceClient), the token is refreshed properly.

By adding the client_secret and extending the scopes of the token (I do not know if the latter is actually needed), the library can be made to work (I tried this with some hack code, but I'm not familiar enough with the code to suggest a proper solution).
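The failure mode described above (a refresh error swallowed, the stale token replayed until it finally expires) is easy to miss in production. The wrapper below is an added example, not code from the issue or from the azure-identity project: it wraps any async credential exposing get_token(), and counts how often a token is handed back whose expires_on has not advanced even though it is close to expiry. AccessToken and StuckCredential are constructed stand-ins so the example runs without the azure packages; the scope string and the 300 s warning window are assumptions.

```python
import asyncio
import logging
import time
from dataclasses import dataclass

log = logging.getLogger("obo-refresh-watchdog")


@dataclass
class AccessToken:
    # Constructed stand-in mirroring the (token, expires_on) pair azure.core returns.
    token: str
    expires_on: int


class RefreshWatchdogCredential:
    """Wrap an async credential and flag silent refresh failures.

    A healthy credential returns a token whose expires_on moves forward once the
    old one nears expiry. If expires_on never advances while the token is within
    warn_window seconds of expiring, the inner credential is most likely
    swallowing a refresh error and replaying the stale token.
    """

    def __init__(self, inner, warn_window=300, clock=time.time):
        self._inner = inner
        self._warn_window = warn_window
        self._clock = clock          # injectable for deterministic tests
        self._last_expiry = None
        self.stale_count = 0         # times a stale, near-expiry token was returned

    async def get_token(self, *scopes, **kwargs):
        tok = await self._inner.get_token(*scopes, **kwargs)
        remaining = tok.expires_on - self._clock()
        if (self._last_expiry is not None and tok.expires_on <= self._last_expiry
                and remaining < self._warn_window):
            self.stale_count += 1
            log.warning("token not refreshed: %ds left, expiry unchanged", remaining)
        self._last_expiry = tok.expires_on
        return tok


class StuckCredential:
    """Constructed model of the reported bug: every call returns the same token."""

    def __init__(self, expires_on):
        self._tok = AccessToken("constructed.jwt.placeholder", expires_on)

    async def get_token(self, *scopes, **kwargs):
        return self._tok


def run_simulation(minutes=90, lifetime=3600):
    """Poll once a minute for `minutes` against a token valid for `lifetime` s."""
    now = [0]
    cred = RefreshWatchdogCredential(StuckCredential(lifetime), clock=lambda: now[0])

    async def loop():
        for _ in range(minutes):
            await cred.get_token("https://storage.azure.com/.default")  # assumed scope
            now[0] += 60

    asyncio.run(loop())
    return cred.stale_count
```

With a one-hour token polled every minute for 90 minutes, the watchdog fires on every call made in the last five minutes of validity and after expiry, which is exactly the window in which the original report saw the "assertion token expired" error surface.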

Labels

  • Azure.Identity
  • Client: This issue points to a problem in the data-plane of the library.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • issue-addressed: Workflow: The Azure SDK team believes it to be addressed and ready to close.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that.