I am using Managed Identity to connect to Azure Service Bus and it used to work fine.

This morning, I realized that this approach wasn't working anymore locally (using Visual Studio) and also on the deployed application (using managed identity).

I have a custom token provider class:

using System;
using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus.Primitives;        // TokenProvider, SecurityToken, JsonSecurityToken
using Microsoft.Azure.Services.AppAuthentication;    // AzureServiceTokenProvider

public class AzureServicebusManagedIdentityTokenProvider : TokenProvider
{
    // Resource (audience) that AAD must issue the token for so Service Bus accepts it.
    private const string Resource = "https://servicebus.azure.net/";

    protected readonly string TenantId;

    public AzureServicebusManagedIdentityTokenProvider(string tenantId = null)
    {
        TenantId = string.IsNullOrWhiteSpace(tenantId) ? null : tenantId;
    }

    public override async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
    {
        string accessToken = await GetAccessToken(Resource);
        // The raw AAD JWT is handed to Service Bus as-is; the service validates issuer/audience.
        return new JsonSecurityToken(accessToken, appliesTo);
    }

    private async Task<string> GetAccessToken(string resource)
    {
        // Locally this uses the Visual Studio / az CLI account; on Azure it uses the managed identity.
        var authProvider = new AzureServiceTokenProvider();
        return await authProvider.GetAccessTokenAsync(resource, TenantId);
    }
}

Then for example to send a message:

// The connection string only carries the endpoint; authentication comes from TokenProvider.
var sbMessageSender = new MessageSender(new ServiceBusConnection("<my connectionstring>")
{
    TransportType = TransportType.Amqp,
    TokenProvider = new AzureServicebusManagedIdentityTokenProvider("<my tenant id>")
}, "my queue name", RetryPolicy.Default);
var json = JsonConvert.SerializeObject(<message to send>);
var message = new Message(Encoding.UTF8.GetBytes(json));
await sbMessageSender.SendAsync(message);   // fails with the 401 below

This error is thrown:

Put token failed. status-code: 401, status-description: InvalidIssuer: Token issuer is invalid. TrackingId:5c6c17c7-7a9e-49f3-adf7-5dbfb35b3daf, SystemTracker:NoSystemTracker, Timestamp:2019-10-29T08:56:17.

I've checked that I have the 'Azure Service Bus Data Owner' role and that the 'Azure App authentication' tool in Visual Studio is set to the appropriate account.

I am using these nuget packages:

  • Microsoft.Azure.Services.AppAuthentication v1.3.1
  • Microsoft.Azure.ServiceBus v3.4.0

Not sure if I am doing something stupid (as it used to work), but any help would be appreciated.

It's not working both locally and on Azure? Are you specifying the TenantID on Azure, too, or is that just for using your account locally? Have you tried catching the token and pasting it in a tool like jwt.io to see who the issuer is (since that's the error message)? - rickvdbosch
Is the managed identity of the application in the same tenant as where the token is from? - rickvdbosch
Hmm... That's strange. If you're absolutely sure the configuration is correct (which you probably are, since it used to work) I would expect the best thing to do is to contact support. As far as I can see your code is exactly the same as the example I have on GitHub. And I know that used to work :) - rickvdbosch
Just tried with QueueClient and still the same. I will contact support. Anyway, thanks a lot for your help. At least we double-checked that I haven't missed obvious stuff. - Thomas
I am currently dealing with the exact same problem, which started yesterday evening. I've got a ticket open but no response yet. I'll post any useful answers I get when I get them. - AresonDeladious
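To act on the "inspect the issuer" suggestion without pasting a live token into a website, here is an added diagnostic wrapper (not code from the question or from any Microsoft sample). It decorates any TokenProvider, decodes the JWT payload locally without validating the signature, and logs only the iss/aud/exp claims, never the token itself. It assumes the AAD v1 issuer form https://sts.windows.net/<tenant id>/ and Newtonsoft.Json, which the question already uses; the class and parameter names are my own.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.ServiceBus.Primitives;   // TokenProvider, SecurityToken
using Newtonsoft.Json.Linq;

// Decorator that reports the issuer/audience/expiry of every token handed to Service Bus.
// Usage: TokenProvider = new IssuerLoggingTokenProvider(
//            new AzureServicebusManagedIdentityTokenProvider("<my tenant id>"), "<my tenant id>")
public class IssuerLoggingTokenProvider : TokenProvider
{
    private readonly TokenProvider _inner;
    private readonly string _expectedTenantId;   // assumption: tenant the issuer claim should name

    public IssuerLoggingTokenProvider(TokenProvider inner, string expectedTenantId)
    {
        _inner = inner;
        _expectedTenantId = expectedTenantId;
    }

    public override async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
    {
        SecurityToken token = await _inner.GetTokenAsync(appliesTo, timeout);
        var claims = ReadClaims(token.TokenValue);
        // Log claims only; the raw token is a bearer credential and must not reach the logs.
        Console.WriteLine($"iss={claims.Issuer} aud={claims.Audience} exp={claims.ExpiresAt:u}");
        if (claims.Issuer == null ||
            claims.Issuer.IndexOf(_expectedTenantId, StringComparison.OrdinalIgnoreCase) < 0)
            Console.WriteLine($"WARNING: issuer does not reference tenant {_expectedTenantId}");
        if (!string.Equals(claims.Audience, "https://servicebus.azure.net/", StringComparison.Ordinal))
            Console.WriteLine("WARNING: audience is not the Service Bus resource");
        return token;
    }

    // Decodes the JWT payload (second dot-separated, base64url segment) without signature checks.
    public static (string Issuer, string Audience, DateTimeOffset ExpiresAt) ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact-serialized JWT");
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        JObject claims = JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return (claims["iss"]?.ToString(),
                claims["aud"]?.ToString(),                    // ToString also handles an array aud
                DateTimeOffset.FromUnixTimeSeconds((long)claims["exp"]));
    }
}
```

If the logged issuer and audience look right and the 401 persists, the problem is on the service side (as the accepted answer below confirms), not in the token the client obtained.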

1 Answer

This appears to be due to an issue within Azure. Per the response on my support ticket:

...this issue was caused by the latest service update where there was a syncing issue on the backend subscription ID info for the namespace. This only happens when a namespace is updated. Since RBAC authentication relies on constructing ARM resourceID using the stored subscription ID you saw authentication issues. The issue is now resolved and it should not re-occur.