Comments (31)
I don't have a lot of context here, but Microsoft recently started blocking MSI as Audience in a token. Tenants that were using this flow before/around April, should be on an allow list.
from botbuilder-dotnet.
Hi @ceciliaavila @tracyboehrer would it be possible to triage this item? This is very high priority for our customers
from botbuilder-dotnet.
@jamesemann Ya. I wouldn't expect any changes between those two versions. Was trying to isolate if a major jump in SDK version had been made. Like from 4.18 to 4.22 or something larger. We will get setup to repro. Worth noting, we haven't made any explicit changes to this. But dependency changes can be wicked on occasion.
from botbuilder-dotnet.
@jamesemann Still conferring with some about this.
from botbuilder-dotnet.
@jamesemann I created new ones, which is what the ARM templates do. I have confirmed that our support folks can't get the Skill to work. It remains a mystery why mine do. I have confirmed both Root and Skill are MSI.
from botbuilder-dotnet.
@jamesemann Thanks. I wouldn't expect there to be a difference in the SDK versions, rather checking out the MSAL dependencies in use.
from botbuilder-dotnet.
@jamesemann Was this previously working in production with MSI?
from botbuilder-dotnet.
@jamesemann Was this previously working in production with MSI?
Yes it was @tracyboehrer
from botbuilder-dotnet.
@jamesemann When did it stop? Any updates to the SDK version?
from botbuilder-dotnet.
@jamesemann When did it stop? Any updates to the SDK version?
@tracyboehrer i first spotted it yesterday as it is the first time I’ve provisioned a skill for a few weeks. No recent updates to the sdk version
from botbuilder-dotnet.
@tracyboehrer apologies I was away from the computer yesterday so couldn't confirm the exact version. I've checked and:
- our production code is using
4.21.1
(since 24th Nov 2023) - the repro using your EchoSkillBot is using
4.22.3
(I see the same behaviour in both)
from botbuilder-dotnet.
@jamesemann How did you deploy the bots? One of us encounters a failure that matches your screenshot when they used AZ commands. I used the ARM Templates (and associated doc) and this sample appears to work normally.
from botbuilder-dotnet.
@tracyboehrer thank you - interesting info. I created them through the Azure portal - in our product we use the Arm templates (through a template spec) though and the properties look the same.
Let me deploy a new set of resources for the sample using the Arm templates in the doc, and re-test. I'll report back as soon as possible
from botbuilder-dotnet.
@jamesemann We should be able to compare here too.
from botbuilder-dotnet.
@tracyboehrer unfortunately I'm getting the same error (HTTP 500 when requesting the managed identity token) after provisioning the resources using the templates in the bot builder repo.
It seems to be a global problem for me. One thing I haven't tried is deploying to a different Azure subscription, so I'll try that next. I'll report back with the result of that.
from botbuilder-dotnet.
Update - same result using the arm templates on new subscription
from botbuilder-dotnet.
@tracyboehrer I've found the underlying error when we see the HTTP 500. It is visible in the managed identity sign-in logs in Azure AD/Entra
AppId: '{appId}' can not use Managed Service Identity (MSI) as audience in token as it is unsupported. MSI should not be set as audience as it does not accept tokens.
(I can share the activity details privately, if necessary)
from botbuilder-dotnet.
@tracyboehrer any luck on this?
One question I did have was that the sample worked for you - did you use an existing managed identity or create a new one? One thing I have noticed is that this seems to be a problem only with recently created managed identities. We have a lot of existing managed identities for other customers and are not seeing the same behaviour.
from botbuilder-dotnet.
Hi @tracyboehrer , is there any additional context (or anything!) I can provide to help move this forward? It is unfortunately still impacting our tenant and our customers
from botbuilder-dotnet.
Status at the moment is that for some it works fine. For example, I don't have an issue, and multiple internal MS groups haven't had issues switching to MSI with Skills.
from botbuilder-dotnet.
Thank you @tracyboehrer, can you explain how that impacts the status of this ticket. For example, will it continue to be investigated?
We have several large existing customers this impacts and it will impact new customers too. This problem unfortunately doesn’t seem to be going away , so need a plan.
from botbuilder-dotnet.
@jamesemann It doesn't change the status at all. Still actively being worked on.
from botbuilder-dotnet.
@jamesemann These would be customers on their own tenant, correct? Microsoft in general is required to switch from secret based to UserAssignedMSI or certificate. Though some customers are moving to SingleTenant. Still secret based though.
from botbuilder-dotnet.
Yes that is correct. We have a few app reg backed bots, mostly on our saas platform but >95% of our marketplace customers (who host an instance of our platform on their own azure tenant) have exclusively user assigned managed identity bots.
from botbuilder-dotnet.
@shusson do you have a source for this? This is our suspicion too, although new MSIs on our tenant (created within the last few weeks) are failing. Existing MSIs seem ok.
from botbuilder-dotnet.
@jamesemann Can you confirm that the MSI client ID is being used as the MicrosoftAppId, and the version of the SDK?
from botbuilder-dotnet.
@tracyboehrer yes it is, and the version is 4.22.3.
It is also happening for version 4.21.1 which we have been using in production since 24th November.
from botbuilder-dotnet.
We have had an ongoing ticket with Azure support for this. We've received the following update which basically confirms our suspicion regarding MSI now being invalid as audience.
Product group was able confirm tenant "<tenant>.onmicrosoft.com" is not in the allowed list. You will need to use a different audience (service principal) for token, as MSI should not be used as audience in token.
Sharing in case of
- It's useful info
- Do you know how we can be added to the allow list to preserve the old behaviour?
from botbuilder-dotnet.
@jamesemann I rather doubt there is a way to get on that list, and I've had this suspicion its working for some now on borrowed time. The alternative would be certificate auth. This has been confirmed to work in JS. Fix merged in DotNet, expecting a patch release this week.
from botbuilder-dotnet.
Ok thanks @tracyboehrer . Will there also be a fix for managed identity? I am assuming (maybe incorrectly - please correct me if so) that certificate auth uses an Azure AD/Entra ID app - we have some restrictions around creating Azure AD apps in our customers tenants (we can't create them)
from botbuilder-dotnet.
@jamesemann There is no known "fix" for MSI at the moment. At least in code. All of this goes through the MS auth packages. There could be other ways to configure this though.
from botbuilder-dotnet.
Related Issues (20)
- Token Service Gives a 500 Service Error When Exchanging Token
- And the Useless Constructor Overload Award goes to... HOT 1
- Wrong results when using OAuthPrompt from group or channel
- Bot returns an error when using Regex validation in adaptive cards HOT 6
- Migrate to System.Text.Json - remove newtonsoft HOT 1
- CosmosDBKeyEscape.TruncateKeyIfNeeded return different value after compiled
- The Bot Framework SDK for C# does not return a value in the Activity.LocalTimezone property when using Copilot in Microsoft Teams HOT 2
- File Attachment gives error in private endpoint enabled bot
- Adaptive card sent by bot builder framework only shows "Sent a card" as the message, in iPhone
- Teams V2 messaging extension started from commandbox has no context (URL placeholder are not replaced with values) HOT 2
- Provide Logging around config issues with auth HOT 3
- Convert to new CodeQL suppression syntax
- Add SingleTenant/MSI Issuer to ValidTokenIssuers for Skill samples
- How to migrate from Bot SDK 4.3 to Azure Bot Service HOT 3
- Add M365 channel id's to Microsoft.Bot.Connector.Channels.
- AdaptiveExpressions: AOT and System.Text.Json
- Composer Bot with QnA Intent recognized triggers duplicate QnA queries
- CS0012 The type 'InvokeResponse' is defined in an assembly that is not referenced. HOT 1
- Updating Package Microsoft.Bot.Builder.Integration.Aspt.Core from 4.21.1 to 4.22.4 no longer finds ITeamsCommandHandler HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from botbuilder-dotnet.