Which version of MSAL Go are you using?
v1.5.0
Where is the issue?
- Public client
- Confidential client
- Token cache serialization
- Other (please describe)
Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.
What version of Go are you using (go version)?
1.25
What operating system and processor architecture are you using (go env)?
Linux/amd64 (go env not available from user report)
Repro
Try to establish authorization to Azure Key Vault via azidentity and WorkloadIdentityCredential using the default environment variables injected by China AKS (mainly AZURE_AUTHORIZED_HOST).
Expected behavior
Workload Identity authentication and retrieving an access token for an Azure resource (like Key Vault) should work without issue.
Actual behavior
The SDK failed when trying to retrieve an access token for Key Vault based on Workload Identity:

```text
WorkloadIdentityCredential: unable to resolve an endpoint: ResolveEndpoints(): TenantDiscoveryResponse: issuer from OIDC discovery 'https://login.partner.microsoftonline.cn/<my-tenant-guid>/v2.0' does not match authority 'https://login.chinacloudapi.cn/<my-tenant-guid>/' or a known pattern
```
It came from the ValidateIssuerMatchesAuthority function (microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go, line 134 in e59524a):

```go
return fmt.Errorf("TenantDiscoveryResponse: issuer from OIDC discovery '%s' does not match authority '%s' or a known pattern",
```
Possible solution
It looks like the issuer validation method incorrectly treats the legacy authority host in China (login.chinacloudapi.cn), which is still used as the default by AKS and the Workload Identity addon.

AZURE_AUTHORIZED_HOST is set by AKS to login.chinacloudapi.cn, which is on the trusted host list here (apps/internal/oauth/ops/authority/authority.go, line 53 in e59524a):

```go
"login.chinacloudapi.cn": true, // Microsoft Azure China (legacy, backward compatibility)
```

but the issuer validation doesn't check it; it only looks at the aliases from the instance discovery metadata (apps/internal/oauth/ops/authority/authority.go, line 118 in e59524a):

```go
if aliases != nil && aliases[issuerURL.Host] {
```

This could be fine, but the aliases aren't loaded because of this condition (based on trusted hosts) in apps/internal/oauth/resolvers.go, line 139 in e59524a:

```go
} else if authorityInfo.ValidateAuthority && !authority.TrustedHost(authorityInfo.Host) {
```

It looks like the ValidateIssuerMatchesAuthority function should not only check the issuer URL against the aliases list but also whether it is a trusted host.
Additional context / logs / screenshots
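The following is an added illustration of the check proposed in the report above; it is not code from the original issue or from MSAL Go. It models the three paths the report describes (issuer host equals the authority host, issuer host is a discovered alias, or, as the proposed fix, both hosts are on a trusted list) and shows that the alias-only check rejects the legacy China pairing while the trusted-host fallback accepts it without accepting an arbitrary issuer host. The trusted-host table, the tenant GUID, the function name and the "known pattern" rule (issuer path is `/<tenant>` or `/<tenant>/v2.0`) are assumptions constructed for this example, not the library's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical trusted-host table for this example (entries are constructed here;
// the real MSAL list lives in authority.go and may differ).
var trustedHosts = map[string]bool{
	"login.microsoftonline.com":        true,
	"login.partner.microsoftonline.cn": true,
	"login.chinacloudapi.cn":           true, // legacy China host still injected by AKS
}

// Constructed inputs matching the shape of the error in the report.
const (
	tenant         = "00000000-0000-0000-0000-000000000000"
	chinaAuthority = "https://login.chinacloudapi.cn/" + tenant + "/"
	chinaIssuer    = "https://login.partner.microsoftonline.cn/" + tenant + "/v2.0"
)

// pathSegments splits "/a/b/" into ["a", "b"]; an empty path gives nil.
func pathSegments(p string) []string {
	p = strings.Trim(p, "/")
	if p == "" {
		return nil
	}
	return strings.Split(p, "/")
}

// validateIssuer checks the OIDC discovery issuer against the configured authority.
// The issuer host passes when it equals the authority host, appears in the
// instance-discovery aliases, or (only when allowTrusted is set, i.e. the proposed
// fix) when both the issuer host and the authority host are on the trusted list.
// Independently of the host rule, the scheme must be https, the tenant segment must
// match, and the issuer path must be "/<tenant>" or "/<tenant>/v2.0" (assumed pattern).
func validateIssuer(issuer, authority string, aliases map[string]bool, allowTrusted bool) error {
	iss, err := url.Parse(issuer)
	if err != nil {
		return fmt.Errorf("bad issuer: %w", err)
	}
	auth, err := url.Parse(authority)
	if err != nil {
		return fmt.Errorf("bad authority: %w", err)
	}
	if iss.Scheme != "https" {
		return fmt.Errorf("issuer %q must use https", issuer)
	}
	authSeg := pathSegments(auth.Path)
	issSeg := pathSegments(iss.Path)
	if len(authSeg) < 1 || len(issSeg) < 1 || !strings.EqualFold(authSeg[0], issSeg[0]) {
		return fmt.Errorf("issuer %q tenant does not match authority %q", issuer, authority)
	}
	if len(issSeg) > 2 || (len(issSeg) == 2 && issSeg[1] != "v2.0") {
		return fmt.Errorf("issuer %q does not match a known pattern", issuer)
	}
	issHost := strings.ToLower(iss.Host)
	authHost := strings.ToLower(auth.Host)
	switch {
	case issHost == authHost:
		return nil
	case aliases != nil && aliases[issHost]:
		return nil
	case allowTrusted && trustedHosts[issHost] && trustedHosts[authHost]:
		return nil
	}
	return fmt.Errorf("issuer %q host does not match authority %q, its aliases, or a trusted host", issuer, authority)
}

func main() {
	// Current behaviour: aliases are nil because the authority host is trusted and
	// instance discovery was skipped, so the China issuer is rejected.
	fmt.Println("alias-only:", validateIssuer(chinaIssuer, chinaAuthority, nil, false))
	// Proposed behaviour: the trusted-host fallback accepts the legacy pairing.
	fmt.Println("with trusted fallback:", validateIssuer(chinaIssuer, chinaAuthority, nil, true))
	// The fallback must not accept an arbitrary issuer host for the same tenant.
	fmt.Println("rogue issuer:", validateIssuer("https://evil.example/"+tenant+"/v2.0", chinaAuthority, nil, true))
}
```

The fallback requires both hosts to be trusted, not just the issuer host: the authority host is the value the deployment configured, and if it is not trusted, instance discovery runs and the alias list is the right source of truth. Keeping the fallback that narrow means a token from an unexpected issuer still fails even when the tenant path matches.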