shwetha

Reputation: 376

Azure Active Directory Error. The access token is from the wrong issuer

I am trying to call an Azure ARM REST API to create a resource group. I am passing tenant_id, client_id and client_secret to get the access token, which will later be used as the authorization header. My code is like below. The application ID is the client ID of the application and the application secret is the key which is generated after selecting the time duration.

import adal
import requests

# Authority URL: the tenant-specific Azure AD endpoint the token is requested from.
token_response = adal.acquire_token_with_client_credentials(
    'https://login.microsoftonline.com/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
access_token = token_response.get('accessToken')

endpoint = 'https://management.azure.com/subscriptions/xxxx/resourcegroups/resourcename?api-version=2015-01-01'

# The token is sent as a bearer token in the Authorization header.
headers = {"Authorization": 'Bearer ' + access_token}
json_output = requests.put(endpoint, headers=headers).json()
print(json_output)

But this is throwing me an error as below

{u'error': {u'message': u"The access token is from the wrong issuer 'https://sts.windows.net/xxx/'. It must match the tenant 'https://sts.windows.net/xxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.",
u'code': u'InvalidAuthenticationTokenTenant'}}

What does this error mean, and am I passing the right credentials? If I use the credentials mentioned in the error, I get another error which says the application with the mentioned client_id was not found.

Upvotes: 1

Views: 10595
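The error body reports two tenants: the one that issued the token (the `iss` claim) and the one that owns the subscription. A quick way to confirm which side is wrong is to decode the token's payload locally and compare its issuer with the tenant named in the ARM error. The script below is an added example, not code from the question or from the ADAL library; the tenant GUIDs, the placeholder `appid`, the unsigned sample token and the error body are all constructed here for illustration. Decoding the payload without checking the signature is fine for this kind of diagnostic, but it must never stand in for real token validation.

```python
import base64
import json
import re

# Constructed sample values (not from the original post): the tenant that
# issued the token and a different tenant that owns the subscription.
TOKEN_TENANT = "11111111-1111-1111-1111-111111111111"
SUBSCRIPTION_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(tenant_id: str) -> str:
    """Build an unsigned, JWT-shaped token for illustration only.
    Real Azure AD tokens are RS256-signed; this one carries a dummy signature."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/%s/" % tenant_id,
        "tid": tenant_id,
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "dummy-signature"])


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Diagnostic only: it tells you who issued the token, not whether it is valid."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(access_token: str) -> str:
    """Tenant GUID embedded in the token's 'iss' claim."""
    iss = token_claims(access_token)["iss"]
    match = re.fullmatch(r"https://sts\.windows\.net/([0-9a-fA-F-]+)/", iss)
    if not match:
        raise ValueError("unexpected issuer: %r" % iss)
    return match.group(1)


_EXPECTED_RE = re.compile(r"must match the tenant 'https://sts\.windows\.net/([0-9a-fA-F-]+)/'")
_AUTHORITY_RE = re.compile(r"use the authority \(URL\) '([^']+)'")


def parse_arm_error(body: dict) -> dict:
    """Extract the tenant ARM expects and the authority it recommends from an
    InvalidAuthenticationTokenTenant error body."""
    err = body.get("error", {})
    msg = err.get("message", "")
    expected = _EXPECTED_RE.search(msg)
    authority = _AUTHORITY_RE.search(msg)
    return {
        "code": err.get("code"),
        "expected_tenant": expected.group(1) if expected else None,
        "authority": authority.group(1) if authority else None,
    }


def diagnose(access_token: str, error_body: dict) -> dict:
    """Compare the token's issuing tenant with the tenant ARM says owns the subscription."""
    info = parse_arm_error(error_body)
    info["token_tenant"] = issuer_tenant(access_token)
    info["tenant_mismatch"] = (info["expected_tenant"] is not None
                               and info["token_tenant"] != info["expected_tenant"])
    return info


# Constructed ARM error body, shaped like the one quoted in the question.
SAMPLE_ERROR = {
    "error": {
        "code": "InvalidAuthenticationTokenTenant",
        "message": (
            "The access token is from the wrong issuer 'https://sts.windows.net/%s/'. "
            "It must match the tenant 'https://sts.windows.net/%s/' associated with this "
            "subscription. Please use the authority (URL) 'https://login.windows.net/%s' "
            "to get the token." % (TOKEN_TENANT, SUBSCRIPTION_TENANT, SUBSCRIPTION_TENANT)
        ),
    }
}

if __name__ == "__main__":
    for key, value in sorted(diagnose(make_sample_token(TOKEN_TENANT), SAMPLE_ERROR).items()):
        print("%-16s %s" % (key, value))
```

If `tenant_mismatch` comes back true, the credentials are valid but were issued by a tenant that does not own the subscription; the `authority` field is the tenant-specific URL the error asks you to request the token from instead.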

Answers (4)

Bhushan Gholave

Reputation: 161

In client credentials use

"https://management.core.windows.net/"

instead of https://login.microsoftonline.com/ in your code.

token_response = adal.acquire_token_with_client_credentials(
    'https://management.core.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)

I fixed the same problem with this.

Thanks, Bhushan

Upvotes: 0

Derek

Reputation: 837

It's the difference between common tenant and separate tenant which causes this issue.

Would you please see my answer in another thread, Azure Active Directory Authorization "The access token is from the wrong issuer"?

Hope this helps.

Upvotes: -1

Gary Liu

Reputation: 13918

It seems that there is some problem with your AD application. To authenticate to Azure ARM you need an AD application with a service principal. You can refer to Create Active Directory application and service principal using portal or Authenticating a service principal with Azure Resource Manager to create a new AD application. Use this info in your code and try again.

Upvotes: 0

BenV

Reputation: 12452

As the message says you need to go against login.windows.net instead of login.microsoftonline.com:

token_response = adal.acquire_token_with_client_credentials(
    'https://login.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)

Upvotes: 0
