AZIdentity/ADAL: Increased Token Request Failures Due to HTTP2 Enablement on Microsoft Entra ID Token Endpoints #22412

Closed
bcho opened this issue Feb 20, 2024 · 1 comment
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library.

Comments

@bcho
Member

bcho commented Feb 20, 2024

Bug Report

Following the enablement of HTTP2 on Microsoft Entra ID token endpoints (e.g., login.microsoftonline.com) in January 2024, we have observed an uptick in token request failures. This issue parallels the problem described in #21346, attributed to a known issue with the Go HTTP2 client (see Go Issue #59690). Despite updates to the azidentity transport that introduced HTTP 2 ping frame health checks to mitigate connection staleness, the detection window still permits the initiation of new requests over potentially faulty connections. Consequently, clients issuing token requests at frequent intervals may experience increased failures, primarily timeouts, as connections enter a stale or "zombie" state.

The AKS team has verified with the Microsoft Entra ID gateway team that HTTP2 was enabled starting January 2024, though support for HTTP/1.1 remains available.

Potential Workarounds and Mitigations:

  1. Adjusting Ping Frame Health Check Intervals:

AzIdentity has a proper value set; if you are using the legacy ADAL SDK, you should either migrate or set a proper value. But as mentioned before, this interval cannot fully stop the error due to the Go HTTP2 client implementation.

  2. Disabling HTTP2 in Client Transport:

To avoid these issues, clients can opt to disable HTTP2 entirely by following the guide provided in Go Issue #39302.

Note: These workarounds are suggested as interim solutions and should be implemented with caution.


  • import path of package in question, e.g. .../services/compute/mgmt/2018-06-01/compute

azidentity and ADAL

  • SDK version e.g. master, latest, 18.1.0

All versions, since this applies to HTTP2-enabled clients.

  • Specify the exact commit if possible; one way to get this is the REVISION
    column output by go list -m <module>, for example go list -m github.com/Azure/azure-sdk-for-go/sdk/azcore.
  • output of go version

Every Go version, if it's using a newer version of x/net/http2.
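
The second workaround above, sketched with the standard library only (an added example, not code from the issue or the Azure SDK). `newHTTP1OnlyTransport` and `probe` are hypothetical names, and a local `httptest` server is a constructed stand-in for an HTTP/2-enabled token endpoint; the off switch used is the one documented in `net/http`, a non-nil empty `Transport.TLSNextProto` map, with ALPN restricted to `http/1.1`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newHTTP1OnlyTransport (hypothetical helper) builds a transport that cannot
// negotiate HTTP/2: TLSNextProto is a non-nil, empty map and ALPN offers only
// http/1.1. A nil roots pool means the system trust store is used.
func newHTTP1OnlyTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{RootCAs: roots, NextProtos: []string{"http/1.1"}},
		TLSNextProto:    map[string]func(string, *tls.Conn) http.RoundTripper{},
	}
}

// probe starts a constructed local TLS server with HTTP/2 enabled and returns
// the protocol negotiated by an HTTP/2-capable transport and by the HTTP/1.1-only one.
func probe() (string, string, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.EnableHTTP2 = true
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's certificate
	h2 := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}, ForceAttemptHTTP2: true}
	protos := make([]string, 0, 2)
	for _, tr := range []*http.Transport{h2, newHTTP1OnlyTransport(roots)} {
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
		if err != nil {
			return "", "", err
		}
		resp.Body.Close()
		protos = append(protos, resp.Proto) // protocol actually used on the wire
		tr.CloseIdleConnections()
	}
	return protos[0], protos[1], nil
}

func main() {
	withH2, withoutH2, err := probe()
	fmt.Println(withH2, withoutH2, err)
}
```

An `*http.Client` built on this transport can be supplied through the `Transport` field of `azcore.ClientOptions`, which the azidentity credential options embed.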

@github-actions github-actions bot added Azure.Core Client This issue points to a problem in the data-plane of the library. needs-team-triage Workflow: This issue needs the team to triage. labels Feb 20, 2024
@bcho
Member Author

bcho commented Feb 20, 2024

NOTE to maintainers: feel free to close this issue as it's advisory only. The internal ticket id for this issue is 470672737.

@RickWinter RickWinter removed the needs-team-triage Workflow: This issue needs the team to triage. label Mar 4, 2024
@github-project-automation github-project-automation bot moved this from Untriaged to Done in Azure Identity SDK Improvements Mar 4, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jun 2, 2024