
Azure Active Directory Error. The access token is from the wrong issuer

I am trying to call an Azure ARM REST API to create a resource group. I am passing tenant_id, client_id and client_secret to get the access token, which will later be used as the authorization header. My code is like below. The application ID is the client ID of the application and the application secret is the key which is generated after selecting the time duration.

import adal
import requests

# Request a token for the service principal (module-level API of the old adal package).
token_response = adal.acquire_token_with_client_credentials(
    'https://login.microsoftonline.com/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
access_token = token_response.get('accessToken')

endpoint = 'https://management.azure.com/subscriptions/xxxx/resourcegroups/resourcename?api-version=2015-01-01'

# The access token is sent to ARM as a bearer token in the Authorization header.
headers = {"Authorization": 'Bearer ' + access_token}
json_output = requests.put(endpoint, headers=headers).json()
print(json_output)

But this is throwing me an error as below:

{u'error': {u'message': u"The access token is from the wrong issuer 'https://sts.windows.net/xxx/'. It must match the tenant 'https://sts.windows.net/xxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.", u'code': u'InvalidAuthenticationTokenTenant'}}

What does this error mean, and am I passing the right credentials? If I use the credentials mentioned in the error, I get another error which says the application with the mentioned client_id was not found.
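ARM rejects the call because the tenant named in the token's issuer (the `iss` and `tid` claims, `https://sts.windows.net/<tenant>/` for Azure AD v1 tokens) differs from the tenant that owns the subscription. The following added example (not from the question or any of the answers) decodes a token's claims locally so the mismatch can be spotted before the request is sent. The tenant ids and the unsigned sample token are constructed; no signature is verified, so this is a diagnostic, not a trust decision.

```python
import base64
import json

# Constructed sample tenant ids; real Azure AD tenant ids are GUIDs.
SUBSCRIPTION_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(tenant_id):
    """Build an UNSIGNED, constructed token with the claim layout of an
    Azure AD v1 access token (iss = https://sts.windows.net/<tenant>/,
    tid = <tenant>). It only exercises the checks below; ARM would reject it."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/%s/" % tenant_id,
        "tid": tenant_id,
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    }
    parts = [_b64url_encode(json.dumps(h).encode()) for h in (header, payload)]
    return ".".join(parts) + "."  # empty signature segment


def token_claims(access_token):
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Verification is the resource server's job; this is only a
    client-side diagnostic."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_matches(access_token, expected_tenant):
    """ARM compares the token issuer with the tenant owning the subscription.
    Return True only when both iss and tid name expected_tenant."""
    claims = token_claims(access_token)
    expected_iss = "https://sts.windows.net/%s/" % expected_tenant
    return claims.get("iss") == expected_iss and claims.get("tid") == expected_tenant


def explain_mismatch(access_token, expected_tenant):
    """Give the same kind of hint the ARM error gives, before calling ARM."""
    claims = token_claims(access_token)
    if tenant_matches(access_token, expected_tenant):
        return "token issuer matches subscription tenant"
    return ("token issued by %s but subscription belongs to tenant %s; "
            "request the token from the tenant-specific authority "
            "https://login.microsoftonline.com/%s"
            % (claims.get("iss"), expected_tenant, expected_tenant))


if __name__ == "__main__":
    good = build_sample_token(SUBSCRIPTION_TENANT)
    bad = build_sample_token(OTHER_TENANT)
    print(explain_mismatch(good, SUBSCRIPTION_TENANT))
    print(explain_mismatch(bad, SUBSCRIPTION_TENANT))
```

Run the same `token_claims` on the real `access_token` returned by adal and compare `tid` with the tenant shown in the ARM error message: if they differ, the token was requested from a tenant (or from the common endpoint) that does not own the subscription, which is exactly the InvalidAuthenticationTokenTenant case.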

As the message says, you need to go against login.windows.net instead of login.microsoftonline.com:

token_response = adal.acquire_token_with_client_credentials(
    'https://login.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)

It seems that there is some problem with your AD application. To authenticate to Azure ARM you need an AD application with a service principal. You can refer to Create Active Directory application and service principal using portal or Authenticating a service principal with Azure Resource Manager to create a new AD application. Use this info in your code and try again.

It's the difference between common tenant and separate tenant which causes this issue.

Would you please see my answer in another thread, Azure Active Directory Authorization "The access token is from the wrong issuer"?

Hope this helps.

In client credentials use

"https://management.core.windows.net/"

instead of https://login.microsoftonline.com/ in your code:

token_response = adal.acquire_token_with_client_credentials(
    'https://management.core.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)

I fixed the same problem with this.

Thanks, Bhushan

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
