[Bug] ManagedIdentity broken in 1.18.0 and up #915

Closed
lilgreenbird opened this issue Feb 27, 2025 · 6 comments
Labels: Bug (Something isn't working, needs an investigation and a fix); Requires more info (More information is needed, from either the person who opened the issue or another team)

Comments

@lilgreenbird

Library version used

1.18.0, 1.19.0

Java version

23

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

None

Issue description and reproduction steps

We (Microsoft JDBC Driver for SQL Server) are trying to update to the latest msal4j version, which fixed the vulnerability in earlier versions; however, Managed Identity is broken in this version.

The following repro works for 1.17.3 and older versions but throws the error "Managed Identity authentication is not available." for 1.18.0 and 1.19.0.

Relevant code snippets

package org.example;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.microsoft.aad.msal4j.*;

import java.util.Arrays;

public class Main {
    // Get a token through azure-identity (ManagedIdentityCredential).
    public static String getManagedIdentityToken1(String scope, String clientId) {
        ManagedIdentityCredential mic = new ManagedIdentityCredentialBuilder()
                .clientId(clientId) // only required for user-assigned identities
                .build();
        TokenRequestContext tokenRequestContext = new TokenRequestContext();
        tokenRequestContext.setScopes(Arrays.asList(scope + "/.default"));

        AccessToken accessToken = mic.getToken(tokenRequestContext).block();
        return accessToken.getToken();
    }

    // Get a token directly through msal4j (ManagedIdentityApplication).
    public static String getManagedIdentityToken2(String scope, String clientId) throws Exception {
        ManagedIdentityApplication miApp = ManagedIdentityApplication
                .builder(ManagedIdentityId.userAssignedClientId(clientId))
                .build();

        // msal4j takes the resource itself as the "scope" for managed identity.
        ManagedIdentityParameters parameters = ManagedIdentityParameters.builder(scope).build();

        IAuthenticationResult result = miApp.acquireTokenForManagedIdentity(parameters).get();
        return result.accessToken();
    }

    public static void main(String[] args) {
        try {
            System.out.println("Starting...");

            String scope = "https://database.windows.net";
            String clientId = "a0bc0c34-a024-4037-9368-9f904a008c36";
            System.out.println("Access Token1: " + getManagedIdentityToken1(scope, clientId));
            System.out.println("Access Token2: " + getManagedIdentityToken2(scope, clientId));

        } catch (Exception e) {
            System.out.println(e.toString());
        }
    }
}

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

1.17.3

Solution and workarounds

No response

lilgreenbird added the labels "needs attention" and "untriaged" (both applied automatically when an issue is created through an issue template) on Feb 27, 2025.
Avery-Dunn added the labels "Bug" and "Requires more info" and removed "needs attention" and "untriaged" on Feb 27, 2025.
@Avery-Dunn
Collaborator

Avery-Dunn commented Feb 27, 2025

Could you provide some more info about the exact error you're getting (logs and/or stack trace), and where you're getting it? Were any other dependencies updated or just msal4j, and what version of com.azure.identity are you using?

I haven't yet tested your code in an environment where the Managed Identity request should work, but as an example I can get that same "Managed Identity authentication is not available." error message by simply cancelling the request. That error message is coming from com.azure.identity, and seems to be a generic message when the request fails: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java#L511

There was one change for Azure Arc scenarios in v1.18.0 (#884), but that doesn't seem to be the problem here, and I'm not sure what other changes would've caused this. The only other thing I could think of is a change in com.azure.identity; since they also use msal4j, if you didn't update that, then maybe there's a versioning issue.

@lilgreenbird
Author

lilgreenbird commented Feb 27, 2025

The error message is misleading and not very helpful; I got the same error message when we made a typo in the scope and specified "http" instead of "https". The only dependencies used are azure-identity 1.15.3 and msal4j 1.19.0.
When this was done using the 1st method and azure-identity, we were able to get the token successfully. Then, adding msal4j and calling method 2 (getManagedIdentityToken2), it fails with the "Managed Identity authentication is not available" error. If we go back to 1.17.3, this works.

Here's the stack trace:

com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.
com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.
	at com.azure.identity.implementation.IdentityClient.lambda$getTokenFromMsalMIClient$28(IdentityClient.java:535)
	at reactor.core.publisher.Mono.lambda$onErrorMap$31(Mono.java:3811)
	at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94)
	at reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:192)
	at reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:259)
	at reactor.core.publisher.MonoCompletionStage.lambda$subscribe$0(MonoCompletionStage.java:94)
	at java.base/java.util.concurrent.CompletableFuture.uniHandle(CompletableFuture.java:978)
	at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(CompletableFuture.java:955)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:554)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1817)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.VirtualThread.run(VirtualThread.java:329)
	Suppressed: java.lang.Exception: #block terminated with an error
		at reactor.core.publisher.BlockingSingleSubscriber.blockingGet(BlockingSingleSubscriber.java:100)
		at reactor.core.publisher.Mono.block(Mono.java:1742)
		at org.example.Main.getManagedIdentityToken1(Main.java:22)
		at org.example.Main.main(Main.java:61)
Caused by: java.lang.NoSuchMethodError: 'void com.fasterxml.jackson.core.base.ParserMinimalBase.<init>(com.fasterxml.jackson.core.StreamReadConstraints)'
	at com.fasterxml.jackson.databind.util.TokenBuffer$Parser.<init>(TokenBuffer.java:1562)
	at com.fasterxml.jackson.databind.util.TokenBuffer.asParser(TokenBuffer.java:283)
	at com.fasterxml.jackson.databind.util.TokenBuffer.asParser(TokenBuffer.java:249)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1766)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:469)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1497)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4917)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3860)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3828)
	at com.microsoft.aad.msal4j.JsonHelper.convertJsonToObject(JsonHelper.java:33)
	at com.microsoft.aad.msal4j.AbstractManagedIdentitySource.getSuccessfulResponse(AbstractManagedIdentitySource.java:73)
	at com.microsoft.aad.msal4j.AbstractManagedIdentitySource.handleResponse(AbstractManagedIdentitySource.java:54)
	at com.microsoft.aad.msal4j.IMDSManagedIdentitySource.handleResponse(IMDSManagedIdentitySource.java:117)
	at com.microsoft.aad.msal4j.AbstractManagedIdentitySource.getManagedIdentityResponse(AbstractManagedIdentitySource.java:46)
	at com.microsoft.aad.msal4j.ManagedIdentityClient.getManagedIdentityResponse(ManagedIdentityClient.java:48)
	at com.microsoft.aad.msal4j.AcquireTokenByManagedIdentitySupplier.fetchNewAccessTokenAndSaveToCache(AcquireTokenByManagedIdentitySupplier.java:90)
	at com.microsoft.aad.msal4j.AcquireTokenByManagedIdentitySupplier.execute(AcquireTokenByManagedIdentitySupplier.java:70)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69)
	at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1812)
	... 6 more

Process finished with exit code 0

@lilgreenbird
Author

lilgreenbird commented Feb 27, 2025

Oh, it's a version mismatch in the Jackson dependencies.

Looks like you guys bumped the jackson-databind version explicitly in 1.18.0 in #887, but azure-identity uses azure-core, which is still on 2.17.2. If I explicitly add a dependency on jackson-databind version 2.17.2, which effectively disables the msal-specified version, then this works, but we do not want to add a hard dependency on this in the JDBC driver.

This is a bit of a pain, and may cause issues in the future as well. Why isn't msal also using azure-core? I thought that was a shared library for Java?
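A startup self-check for the failure diagnosed above, added here as an example (it is not code from this thread, from msal4j or from the JDBC driver). It reads the jackson-core and jackson-databind versions actually loaded, then forces one creator-based deserialization with an unknown property, which is the TokenBuffer.asParser() path in the stack trace, so a NoSuchMethodError is reported with the versions attached instead of being wrapped in a generic "not available" message. It assumes jackson-core and jackson-databind on the classpath and Java 16+ for records; the sample JSON is constructed.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class JacksonAlignmentCheck {

    // Constructed sample: a creator-based type plus one unknown property, which drives
    // databind through BeanDeserializerBase.handleUnknownProperties -> TokenBuffer.asParser().
    public record Probe(String token_type, int expires_in) {}
    private static final String SAMPLE_JSON =
            "{\"token_type\":\"Bearer\",\"expires_in\":3599,\"unknown_field\":true}";

    /** Versions actually loaded, from each module's generated PackageVersion class. */
    public static String loadedVersions() {
        Version core = com.fasterxml.jackson.core.json.PackageVersion.VERSION;
        Version databind = com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION;
        return "jackson-core " + core + ", jackson-databind " + databind;
    }

    /** True when core and databind share major.minor; databind relies on core APIs of its own minor line. */
    public static boolean minorVersionsAligned() {
        Version core = com.fasterxml.jackson.core.json.PackageVersion.VERSION;
        Version databind = com.fasterxml.jackson.databind.cfg.PackageVersion.VERSION;
        return core.getMajorVersion() == databind.getMajorVersion()
                && core.getMinorVersion() == databind.getMinorVersion();
    }

    /** Runs one deserialization up front so a LinkageError surfaces here, with context, not inside a token call. */
    public static String probe() {
        ObjectMapper mapper = new ObjectMapper()
                .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        try {
            Probe p = mapper.readValue(SAMPLE_JSON, Probe.class);
            return "OK: parsed " + p + " with " + loadedVersions();
        } catch (LinkageError e) { // NoSuchMethodError, NoClassDefFoundError
            return "Jackson core/databind mismatch (" + loadedVersions() + "): " + e;
        } catch (Exception e) {
            return "Unexpected failure (" + loadedVersions() + "): " + e;
        }
    }

    public static void main(String[] args) {
        if (!minorVersionsAligned()) {
            System.err.println("WARNING: " + loadedVersions() + " are on different minor lines");
        }
        System.out.println(probe());
    }
}
```

Run it once at application startup (or in a CI smoke test) after any dependency bump; a mismatch shows up as a clear message rather than as a failed managed-identity token request.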

@Avery-Dunn
Collaborator

the error message is misleading and not very helpful

I agree, "not available" is very misleading wording for that sort of error case. That error message is coming from Azure SDK, so their repo would be a better place to point out this problem: https://github.com/Azure/azure-sdk-for-java/issues

Why isn't msal also using azure-core?

I'm not sure why it wasn't used historically, however we're currently working on cleaning up our dependencies because of the exact problems you're running into: #909

One of the first dependencies we've started working on is jackson-databind, and we are aligning with the dependencies used in azure-identity, so the next release will use either azure-core or azure-json like they do.

@lilgreenbird
Author

lilgreenbird commented Feb 28, 2025

OK, we got around this problem by removing msal as an explicit dependency! Since azure-identity depends on msal, it's now just a transitive dependency for the driver as well, so it will just use jackson-databind 2.17.2 and avoids our problem :)

Thanks for your help; you can close this issue as the problem is resolved at our end.

@Avery-Dunn
Collaborator

Glad to hear it! If you ever run into other issues with MSAL feel free to reach out again.
