[BUG] SecretClient.GetSecret using an InteractiveBrowserCredential hangs indefinitely #18418

Closed
HenningNT opened this issue Feb 4, 2021 · 14 comments · Fixed by #19864

HenningNT commented Feb 4, 2021

Describe the bug
Calling SecretClient.GetSecret using an InteractiveBrowserCredential hangs indefinitely. The problem is also present in the latest main branch. It appears to hang in class AbstractAcquireTokenParameterBuilderExtensions when calling builder.ExecuteAsync(cancellationToken).GetAwaiter().GetResult();

Expected behavior
I would have expected the call to return Response with a secret.

Actual behavior
Calling SecretClient.GetSecret using an InteractiveBrowserCredential hangs indefinitely.

To Reproduce

var InteractiveCred = new InteractiveBrowserCredential();
_client = new SecretClient(keyVaultUri, InteractiveCred);
var response = _client.GetSecret("secretName");

Environment:
Azure.Identity v1.2.1
Azure.Identity.KeyVault.Secrets v4.0.3

Windows 10 .NET Framework 4.6.1
Visual Studio 16.8.4
Windows 10 .NET Framework 4.8

jsquire (Member) commented Feb 4, 2021

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@heaths heaths assigned schaabs and unassigned heaths Feb 4, 2021
heaths (Member) commented Feb 4, 2021

Key Vault can't return a response until you authenticate. Are you seeing a browser window pop up? Are you doing this in an environment without a window manager (e.g. WSL on Windows does not yet support a window manager, or perhaps on Linux with no X server running)?

If this happens after authenticating via the browser, please be sure to log additional calls so we can see why the connection is not authenticating (or whatever else is going on).

HenningNT (Author) commented

I'm running a Windows application in Windows, or more specifically, I'm creating a DLL for a 3D CAD program that uses my DLL to transfer data to a database. I'm using Key Vault to store connection strings and such.

When I use GetSecretAsync the browser login screen appears, and I can retrieve the secret successfully.
When I use the sync version, I see two unauthorized exceptions (HTTP code 401), and then it appears to hang.

Here's the log:

Request [c4da2a00-ddea-438f-867a-d368bb0d82b1] GET https://vault.vault.azure.net/secrets/secret/?api-version=7.0
Accept:application/json
x-ms-client-request-id:c4da2a00-ddea-438f-867a-d368bb0d82b1
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Secrets/4.0.3,(.NET Framework 4.8.4250.0; Microsoft Windows 10.0.17763 )
Content-Type:application/json
client assembly: Azure.Security.KeyVault.Secrets
Request [c4da2a00-ddea-438f-867a-d368bb0d82b1] GET https://vault.vault.azure.net/secrets/secret/?api-version=7.0
Accept:application/json
x-ms-client-request-id:c4da2a00-ddea-438f-867a-d368bb0d82b1
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Secrets/4.0.3,(.NET Framework 4.8.4250.0; Microsoft Windows 10.0.17763 )
Content-Type:application/json
client assembly: Azure.Security.KeyVault.Secrets
Error response [c4da2a00-ddea-438f-867a-d368bb0d82b1] 401 Unauthorized (00.7s)
Pragma:no-cache
x-ms-keyvault-region:norwayeast
x-ms-request-id:REDACTED
x-ms-keyvault-service-version:1.2.139.0
x-ms-keyvault-network-info:conn_type=Ipv4;addr=213.52.102.79;act_addr_fam=InterNetwork;
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Proxy-Support:REDACTED
Cache-Control:no-cache
Date:Fri, 05 Feb 2021 09:01:23 GMT
WWW-Authenticate:REDACTED
X-Powered-By:REDACTED
Content-Length:87
Content-Type:application/json; charset=utf-8
Expires:-1

Error response [c4da2a00-ddea-438f-867a-d368bb0d82b1] 401 Unauthorized (00.7s)
Pragma:no-cache
x-ms-keyvault-region:norwayeast
x-ms-request-id:REDACTED
x-ms-keyvault-service-version:1.2.139.0
x-ms-keyvault-network-info:conn_type=Ipv4;addr=213.52.102.79;act_addr_fam=InterNetwork;
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Proxy-Support:REDACTED
Cache-Control:no-cache
Date:Fri, 05 Feb 2021 09:01:23 GMT
WWW-Authenticate:REDACTED
X-Powered-By:REDACTED
Content-Length:87
Content-Type:application/json; charset=utf-8
Expires:-1

Error response [c4da2a00-ddea-438f-867a-d368bb0d82b1] content: {"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}
Error response [c4da2a00-ddea-438f-867a-d368bb0d82b1] content: {"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}
InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: c4da2a00-ddea-438f-867a-d368bb0d82b1
InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: c4da2a00-ddea-438f-867a-d368bb0d82b1


Request [c300fc07-9467-4828-87eb-0537bee938fc] GET https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:c300fc07-9467-4828-87eb-0537bee938fc
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.2.1,(.NET Framework 4.8.4250.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
Request [c300fc07-9467-4828-87eb-0537bee938fc] GET https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:c300fc07-9467-4828-87eb-0537bee938fc
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.2.1,(.NET Framework 4.8.4250.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
Response [c300fc07-9467-4828-87eb-0537bee938fc] 200 OK (00.7s)
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
Cache-Control:max-age=86400, private
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 05 Feb 2021 09:01:24 GMT
Content-Length:957
Content-Type:application/json; charset=utf-8

Response [c300fc07-9467-4828-87eb-0537bee938fc] 200 OK (00.7s)
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
Cache-Control:max-age=86400, private
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 05 Feb 2021 09:01:24 GMT
Content-Length:957
Content-Type:application/json; charset=utf-8


christothes (Member) commented

@HenningNT Can you still reproduce this with the latest GA version of Azure.Identity?

https://www.nuget.org/packages/Azure.Identity/1.3.0

ghost commented Mar 3, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

bherrsk commented Mar 12, 2021

I've experienced this same problem in 1.3.0 Azure.Identity. I can also call the async version just fine and it will pop up a login box. The sync version does not display a login box and the application hangs indefinitely.

Oddly enough (and this might be me being a very novice programmer), the identical lines in a console app work fine and have the desired outcome (async and sync) but a Windows app sync call just hangs.

Was hoping when I found this thread it wouldn't be abandoned hoping for a fix....

christothes (Member) commented

Thanks @bherrsk - Could you reproduce with logging enabled and send the output?

You should be able to enable such logging by adding an event source listener somewhere in your process startup.

using System;
using System.Diagnostics.Tracing;
using Azure.Core.Diagnostics;
using AzureEventSourceListener listener = new AzureEventSourceListener(
    (e, message) => Console.WriteLine("[{0:HH:mm:ss:fff}][{1}] {2}", DateTimeOffset.Now, e.Level, message),
    level: EventLevel.Verbose);

More information around logging and diagnostics can be found in the Azure.Identity readme, as well as the Azure.Core diagnostics documentation.

bherrsk commented Mar 25, 2021

Flipped code back. There is no login window that pops up at all. The application hangs indefinitely. Removed some information I figured... would not be useful. I can always turn on more but got tied up recently and had to come back to this.

[Informational] Azure-Core: Request [1uu005ce-f411-4362-b23e-f5c867274de6] GET https://redacted-keyvault.vault.azure.net/secrets/webhook-redacted/?api-version=7.1
Content-Type:application/json
Accept:application/json
x-ms-client-request-id:1aa111ce-f480-4363-b23e-f5c867274de6
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Secrets/4.1.0 (.NET Framework 4.8.4341.0; Microsoft Windows 10.0.19042 )
client assembly: Azure.Security.KeyVault.Secrets
[Warning] Azure-Core: Error response [1aa005qq-f480-4363-b23e-f5c867274de6] 401 Unauthorized (01.3s)
Pragma:no-cache
x-ms-keyvault-region:canadacentral
x-ms-client-request-id:1aa005ce-f426-4363-b23e-f5c867274de6
x-ms-request-id:REDACTED
x-ms-keyvault-service-version:1.2.205.0
x-ms-keyvault-network-info:conn_type=Ipv4;addr=REDACTED;act_addr_fam=InterNetwork;
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:87
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Thu, 25 Mar 2021 03:37:20 GMT
Expires:-1
WWW-Authenticate:REDACTED
X-Powered-By:REDACTED

[Informational] Azure-Identity: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 1aa005ce-f480-4363-b23e-f5c81234de6

[Informational] Azure-Core: Request [87eec88a-3bbc-44f7-be28-6b713ae8a640] GET https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:87ec886a-3bbc-44f7-be28-6b721aa8a640
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.3.0 (.NET Framework 4.8.4341.0; Microsoft Windows 10.0.19042 )
client assembly: Azure.Identity

[Informational] Azure-Core: Response [87ec886a-3qqf-44f7-be28-6b713ae8a640] 200 OK (00.2s)
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
Cache-Control:max-age=86400, private
Content-Type:application/json; charset=utf-8
P3P:REDACTED
Set-Cookie:REDACTED
Date:Thu, 25 Mar 2021 03:37:20 GMT
Content-Length:957

heaths (Member) commented Mar 25, 2021

Are you able to start the same browser (default browser) standalone? Does it create a new process group (parent process plus child processes like renderers, per-frame processes, etc.), or parent to the same process group? While rare, I've seen both parent processes for Chrome and Edge (both Chromium) hang and prevent other windows from opening until killed.

If that's the case, @christothes, one idea might be to make sure we start a new process group.

bherrsk commented Mar 26, 2021

I've watched during execution using Process Explorer and there are no additional processes being spawned. I've flipped the default browser around from Chrome to Edge (well, both Chromium) and Firefox. No change in behavior. All browsers operate as expected. Tried execution with pre-existing browsers open / closed, no change.

I've monitored during execution using Process Monitor and I don't see anything out of the ordinary or the browser throwing some sort of indicators it's even trying to launch (or something to indicate problems).

The application and system logs are clean.

schaabs (Member) commented Mar 26, 2021

@bherrsk Thanks for providing all the information here; it was very helpful in the investigation. I've been able to reproduce the issue, and was able to root cause it. The Azure.Identity library is using Microsoft.Identity.Client (MSAL) to do the actual authentication, and MSAL is actually launching the browser. When running in a UI application such as WPF or WinForms on full framework, or in UWP, MSAL launches an embedded browser rather than launching the system browser as a separate process. This poses a problem with how we were waiting on the token response, as it was blocking MSAL from launching the embedded browser.

With some experimentation I found that executing the MSAL call with Task.Run resolves this deadlock. Though I'm not 100% sure this is the best fix, it does work. I've created the PR linked above, and hope to get a fix merged before our next release.
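
The blocking pattern described in the comment above and the Task.Run workaround, reduced to a stand-alone simulation. This is an added example, not code from the thread, Azure.Identity or MSAL; `UiContext`, `AcquireTokenAsync` and the timings are hypothetical stand-ins, and no Azure call is made.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for a WinForms/WPF UI context: posted callbacks only run when the owning
// thread pumps the queue (hypothetical class, constructed for this example).
sealed class UiContext : SynchronizationContext
{
    private readonly BlockingCollection<Action> _queue = new BlockingCollection<Action>();
    public override void Post(SendOrPostCallback d, object state) => _queue.Add(() => d(state));

    // Pump queued callbacks on the calling thread until the task completes.
    public void PumpUntil(Task task)
    {
        task.ContinueWith(_ => _queue.Add(() => { }), TaskScheduler.Default); // wake the pump
        while (!task.IsCompleted) _queue.Take()();
    }
}

static class Program
{
    // Stand-in for the token request: the code after the await resumes on the
    // captured SynchronizationContext, like work that has to run on the UI thread.
    static async Task<string> AcquireTokenAsync()
    {
        await Task.Delay(100);
        return "token";
    }

    static void Main()
    {
        var ui = new UiContext();
        SynchronizationContext.SetSynchronizationContext(ui);
        var timeout = TimeSpan.FromSeconds(2);

        // 1. Block the "UI thread" on the task: the continuation is queued to a
        //    thread that is busy waiting for it, so the wait cannot complete.
        bool blocked = AcquireTokenAsync().Wait(timeout);
        Console.WriteLine("sync-over-async on UI context completed: " + blocked);

        // 2. Task.Run workaround: the call starts on a pool thread with no
        //    captured context, so blocking the caller no longer starves it.
        bool offloaded = Task.Run(() => AcquireTokenAsync()).Wait(timeout);
        Console.WriteLine("wrapped in Task.Run completed: " + offloaded);

        // 3. Async path: the thread keeps pumping while the task is pending.
        Task<string> pending = AcquireTokenAsync();
        ui.PumpUntil(pending);
        Console.WriteLine("awaited with a running pump: " + pending.Result);
    }
}
```

The bounded `Wait(timeout)` is only there so the simulation terminates; the unbounded `GetAwaiter().GetResult()` from the original report would block forever in case 1.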

bherrsk commented Mar 26, 2021

Sounds good.

As well (not sure if I said this before), flipping to GetSecretAsync and using await displays the browser window properly as expected. My use case is extremely simple and exploratory at this point and I suspect the snippet below is not completely ideal. I'm also not a Developer by trade..... so there is that :)

var clientad = new SecretClient(new Uri(kvUri), new InteractiveBrowserCredential());
var secret = await clientad.GetSecretAsync(secretName);

openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-net that referenced this issue Apr 6, 2022
update example files (Azure#18418) (Azure#18510)

* update example files

* format update

* update profile examples to include frontdoorId and originResponseTimeout

* update profile and endpoint location to global

* address comment

* fix sp example

* address comments and fix the provisioningState for create examples

* fix casing