deathcat05

Reputation: 469

MSI Authorization error when trying to send request via Azure Function

Weird Solution: the next day, I tried running my application again without any changes (just with a curious hope), and I no longer received an error. My suspicion is that the MSFT API I was communicating with was running into issues.

——

I have inherited a rather large application that has many moving components. I was, unfortunately, given no overview as to how it works either. So, if anyone can provide insight into what my issue might be I would greatly appreciate it.

All of a sudden, I started receiving this error

One or more errors occurred. (token_type property not found in the response {"ExceptionMessage":"System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()","ErrorCode":"invalid_client","ServiceErrorCodes":["700027"],"InnerException":null,"StatusCode":401,"Message":null,"CorrelationId":"0b7f2697-0425-4b08-9622-d4e81f619968"}) token_type property not found in the response {"ExceptionMessage":"System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)\r\n   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()","ErrorCode":"invalid_client","ServiceErrorCodes":["700027"],"InnerException":null,"StatusCode":401,"Message":null,"CorrelationId":"0b7f2697-0425-4b08-9622-d4e81f619968"} 

from this endpoint

http://127.0.0.1:41911/MSI/token/?resource=https://management.core.windows.net/&api-version=2017-09-01

I have a key vault too, that has several secrets that are retrieved throughout this application's flow.

Seems like there is some Managed Service Identity that's running into an authentication issue somewhere? I have tried to locate where this 127.0.0.1 is running from, but I have not been able to locate it. If I have app services and functions, is this local IP for one of those?

I know my question is vague, as I don't even know where to look. I'm looking for either some guidance or a possible solution.

I ran the "Diagnostics" feature for the Azure function that seems to be causing an issue, and I noticed this:


But, I don't know how to fix this, if this is actually the issue.

Thanks.

Upvotes: 0

Views: 577

Answers (1)

Stanley Gong

Reputation: 12153

Based on your description, it seems there is something wrong while you are getting tokens for Azure management APIs. If you are developing your function on the Azure Portal, just try the code below:

#r "Newtonsoft.Json"

using System.Net;
using System.Net.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");

    // The platform sets these two variables when a managed identity is enabled on the app.
    var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
    var identity_header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");

    // Request a token for the Azure management API from the local identity endpoint.
    var resource = "https://management.core.windows.net";
    var requestURL = endpoint + "?resource=" + resource + "&api-version=2019-08-01";

    HttpClient httpClient = new HttpClient();
    // The header value proves the call comes from inside this function app.
    httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identity_header);
    HttpResponseMessage response = await httpClient.GetAsync(requestURL);
    response.EnsureSuccessStatusCode();
    string responseBody = await response.Content.ReadAsStringAsync();

    // Diagnostic only: the response body contains the bearer token itself.
    return new OkObjectResult(responseBody);
}

Result:


Let me know if you have any further questions.

Upvotes: 1
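
A variant of the function in the answer above that confirms the managed identity can obtain a token without returning the bearer token to the HTTP caller: it decodes the token payload and returns only a few claims, and keeps the error payload in the function log. This is an added example, not part of the original answer; the helper `DecodeJwtPayload` and the choice of claims returned (`aud`, `iss`, `tid`, `oid`, `appid`, `exp`) are assumptions of this example.

```csharp
#r "Newtonsoft.Json"

using System.Net.Http;
using System.Text;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json.Linq;

// Added example, not from the original answer.
public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
    var identityHeader = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
    if (string.IsNullOrEmpty(endpoint) || string.IsNullOrEmpty(identityHeader))
        return new ObjectResult("IDENTITY_ENDPOINT / IDENTITY_HEADER are not set") { StatusCode = 500 };

    var resource = "https://management.core.windows.net";
    var requestURL = endpoint + "?resource=" + Uri.EscapeDataString(resource) + "&api-version=2019-08-01";

    using (var httpClient = new HttpClient())
    {
        httpClient.DefaultRequestHeaders.Add("X-IDENTITY-HEADER", identityHeader);
        HttpResponseMessage response = await httpClient.GetAsync(requestURL);
        string body = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode)
        {
            // Keep the error payload (error code, correlation id) in the function log only.
            log.LogError("Token request failed with {status}: {body}", (int)response.StatusCode, body);
            return new ObjectResult("Token request failed; see the function log") { StatusCode = 502 };
        }

        // Inspect the token locally; only non-secret claims leave the function.
        JObject claims = DecodeJwtPayload((string)JObject.Parse(body)["access_token"]);
        return new OkObjectResult(new
        {
            aud = (string)claims["aud"], iss = (string)claims["iss"], tid = (string)claims["tid"],
            oid = (string)claims["oid"], appid = (string)claims["appid"],
            expiresUtc = DateTimeOffset.FromUnixTimeSeconds((long)claims["exp"]).UtcDateTime
        });
    }
}

// Hypothetical helper: decodes the payload (middle) segment of a compact JWT.
// The signature is not checked; the token came straight from the identity endpoint and is only read.
public static JObject DecodeJwtPayload(string jwt)
{
    string[] parts = (jwt ?? "").Split('.');
    if (parts.Length != 3) throw new FormatException("access_token is not a compact JWT");
    string b64 = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
}
```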
