az login with EC cert fails #30254

@Jamesits

Describe the bug

az login with an EC certificate fails.

Related command

az login

Errors

The command failed with an unexpected error. Here is the traceback:
ECPrivateKey.sign() takes 2 positional arguments but 3 were given
Traceback (most recent call last):
  File "/opt/azure-cli/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 165, in login
    subscriptions = profile.login(
                    ^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 181, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/auth/identity.py", line 197, in login_with_service_principal
    result = cca.acquire_token_for_client(scopes)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 2339, in acquire_token_for_client
    return _clean_up(self._acquire_token_silent_with_error(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 1439, in _acquire_token_silent_with_error
    result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 1580, in _acquire_token_silent_from_cache_and_possibly_refresh_it
    result = self._acquire_token_for_client(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 2358, in _acquire_token_for_client
    response = client.obtain_token_for_client(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 757, in obtain_token_for_client
    return self._obtain_token("client_credentials", data=data, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oidc.py", line 170, in _obtain_token
    ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 776, in _obtain_token
    resp = super(Client, self)._obtain_token(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 202, in _obtain_token
    self.client_assertion()  # Do lazy on-the-fly computation
    ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 63, in __call__
    self._buf = {VALUE: self._factory(), EXPIRES_AT: now + self._expires_in}
                        ^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 42, in <lambda>
    self.create_normal_assertion(a, i, s, expires_in=e, **kwargs),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 122, in create_normal_assertion
    str_or_bytes = jwt.encode(  # PyJWT 1 returns bytes, PyJWT 2 returns str
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/api_jwt.py", line 64, in encode
    return api_jws.encode(json_payload, key, algorithm, headers, json_encoder)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/api_jws.py", line 134, in encode
    signature = alg_obj.sign(signing_input, key)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/algorithms.py", line 373, in sign
    return key.sign(msg, padding.PKCS1v15(), self.hash_alg())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: ECPrivateKey.sign() takes 2 positional arguments but 3 were given
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues                                                                     

Issue script & Debug output

N/A

Expected behavior

The command should succeed

Environment Summary

azure-cli 2.65.0

core 2.65.0
telemetry 1.1.0

Extensions:
aks-preview 9.0.0b8

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/azure-cli/bin/python'
Extensions directory '/home/james/.azure/cliextensions'

Python (Linux) 3.12.7 (main, Oct 1 2024, 11:15:50) [GCC 14.2.1 20240910]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Reproduction:

Create the cert:

openssl ecparam -out test.key -name prime256v1 -genkey
openssl req -new -key test.key -x509 -nodes -days 720 -out test.crt
cat test.crt test.key > test-full.crt

Create the AAD application:

resource "azuread_application" "test" {
  display_name = "test"
}

resource "azuread_service_principal" "test" {
  client_id = azuread_application.test.client_id
  tags = [
    "AppServiceIntegratedApp",
    "WindowsAzureActiveDirectoryIntegratedApp",
    "HideApp",
  ]
  app_role_assignment_required = true
}

resource "azuread_application_certificate" "test" {
  application_id = azuread_application.test.id
  type           = "AsymmetricX509Cert"
  value          = file("test.crt")
}

Trigger the bug:

az login --service-principal --tenant <tenant id> --username <client id> --password test-full.crt
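
A pre-flight check for the mismatch visible in the traceback above, where PyJWT's `padding.PKCS1v15()` (RSA) signing path is handed an EC private key. This is an added example, not code from azure-cli, MSAL or the issue author; the function names, the `RS256` default and the sample PEM stubs are assumptions constructed for illustration.

```python
import base64
import re
# DER bodies of the AlgorithmIdentifier OIDs used in PKCS#8 "PRIVATE KEY" blocks
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
ALG_FAMILY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}  # JWS prefix -> key type (RFC 7518)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pkcs8_key_type(der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier { OID, ... }, ... }"""
    _, body, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, _, after_version = _tlv(der, body)      # version INTEGER
    _, alg_body, _ = _tlv(der, after_version)  # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, alg_body)      # algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return {OID_RSA: "RSA", OID_EC: "EC"}.get(der[start:end], "unknown")

def private_key_type(pem_text):
    """Return 'RSA', 'EC' or 'unknown' for the first unencrypted private key block."""
    for label, body in PEM_RE.findall(pem_text):
        if label == "EC PRIVATE KEY":    # SEC1 format
            return "EC"
        if label == "RSA PRIVATE KEY":   # PKCS#1 format
            return "RSA"
        if label == "PRIVATE KEY":       # PKCS#8: key type is in the DER header
            return pkcs8_key_type(base64.b64decode(body))
    raise ValueError("no unencrypted private key block found")

def check_assertion_key(pem_text, alg="RS256"):
    """Return (key_type, ok); alg is the JWS algorithm the client is assumed to use."""
    key_type = private_key_type(pem_text)
    return key_type, ALG_FAMILY.get(alg[:2]) == key_type

# Constructed samples: stubs, not real keys (only the label or DER header is meaningful).
SAMPLE_SEC1 = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
               "-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n")
_STUB = base64.b64encode(bytes.fromhex("301a020100301306072a8648ce3d020106082a8648ce3d0301070400")).decode()
SAMPLE_PKCS8_EC = f"-----BEGIN PRIVATE KEY-----\n{_STUB}\n-----END PRIVATE KEY-----\n"
```

Running `check_assertion_key` on the contents of a certificate-plus-key bundle before login reports the key type and whether it matches the assumed signing algorithm, without loading the key into any crypto library.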

Metadata

Labels

AAD
Account: az login/account
Auto-Assign: Auto assign by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
OKR Candidate: This label is used to track how many GitHub issues we have resolved for OKR purpose.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention: This issue needs attention from Azure service team or SDK team
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
