Refresh token expires daily on WSL Ubuntu installation #28040

Open
austintolani opened this issue Dec 15, 2023 · 9 comments
Labels: Account (az login/account), Auto-Assign, Auto-Resolve, Azure CLI Team, feature-request
Milestone: Backlog

austintolani (Contributor) commented Dec 15, 2023

Describe the bug

I use Az CLI inside of Ubuntu 22.04.3 inside of a Windows machine running WSL. After ~12 hours or so, my refresh token will expire and I will have to run az login and authenticate again.

On the same machine, I have Az CLI installed in Windows. With the same Azure account, I am only prompted to re-authenticate every couple of months.

My understanding is that refresh token expiry time is set by organizational policy. What explains the difference in behavior between the installation of Azure CLI on Windows and within Ubuntu in WSL? Is there any configuration change I can make to fix the behavior within the Ubuntu installation?

Related command

az login

Errors

n/a

Issue script & Debug output

n/a

Expected behavior

I expect that the frequency at which I am prompted to login is consistent across installations.

Environment Summary

azure-cli                         2.53.1 *

core                              2.53.1 *
telemetry                          1.1.0

Dependencies:
msal                            1.24.0b2
azure-mgmt-resource             23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/home/austintolani/.azure/cliextensions'

Python (Linux) 3.10.10 (main, Oct 24 2023, 06:10:14) [GCC 11.4.0]

Additional context

No response

austintolani added the bug label Dec 15, 2023

azure-client-tools-bot-prd (bot) commented Dec 15, 2023

Hi @austintolani,

2.53.1 is not the latest Azure CLI (2.55.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

azure-client-tools-bot-prd added the Auto-Resolve label Dec 15, 2023
microsoft-github-policy-service added the Auto-Assign and Account labels Dec 15, 2023
microsoft-github-policy-service added the Azure CLI Team and question labels Dec 15, 2023

yonzhan (Collaborator) commented Dec 15, 2023

Thank you for opening this issue, we will look into it.

yonzhan added this to the Backlog milestone Dec 16, 2023
yonzhan added the question label and removed the bug label Dec 16, 2023

jiasli (Member) commented Dec 18, 2023

@austintolani, could you share the error message you get? Also, are you using device code flow in WSL? We have had cases reported before where the refresh token retrieved using device code only works for ~12h in the Microsoft tenant.

austintolani (Contributor, Author) commented Dec 18, 2023

Hi @jiasli, this is the error message I get:

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2023-12-15T18:47:01.3682670Z and the maximum allowed lifetime for this request is 43200. Trace ID: aa7c2530-83e4-4387-8080-67fc52e30800 Correlation ID: 3d344d49-6798-41da-b560-2b6a34b26b3c Timestamp: 2023-12-18 16:00:23Z
Interactive authentication is needed. Please run:
az login --scope https://management.core.windows.net//.default

I was using device code flow in WSL as I was having issues using the browser but was able to fix it using this solution. I will let you know tomorrow if using the browser flow fixes this issue.
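The AADSTS70043 text quoted above carries everything needed to work out when the refresh token stopped being accepted: the issue time, the conditional-access lifetime, and the server timestamp. The following parser is an added example, not code from the issue, the Azure CLI or MSAL. It assumes the lifetime value is expressed in seconds (43200 s is the 12 hours reported in this thread), and the sample message it runs on is the one quoted in the comment, embedded as a constructed constant.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the AADSTS70043 message quoted in the comment above.
SAMPLE_ERROR = (
    "AADSTS70043: The refresh token has expired or is invalid due to sign-in "
    "frequency checks by conditional access. The token was issued on "
    "2023-12-15T18:47:01.3682670Z and the maximum allowed lifetime for this "
    "request is 43200. Trace ID: aa7c2530-83e4-4387-8080-67fc52e30800 "
    "Correlation ID: 3d344d49-6798-41da-b560-2b6a34b26b3c "
    "Timestamp: 2023-12-18 16:00:23Z"
)

# Fields of interest in the error text. The lifetime value is assumed to be in
# seconds (43200 s = 12 h, matching the ~12-hour expiry reported in the issue).
_PATTERN = re.compile(
    r"AADSTS(?P<code>\d+):.*?issued on (?P<issued>\S+) and the maximum "
    r"allowed lifetime for this request is (?P<lifetime>\d+)\..*?"
    r"Timestamp: (?P<observed>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z",
    re.DOTALL,
)

# 'YYYY-MM-DDTHH:MM:SS.fffffffZ' (issue time) or 'YYYY-MM-DD HH:MM:SSZ' (timestamp).
_TS = re.compile(r"(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_utc(ts: str) -> datetime:
    """Parse an Entra ID UTC timestamp into an aware datetime.

    The issue time is printed with seven fractional digits; strptime accepts
    at most six, so the fraction is truncated to microseconds.
    """
    m = _TS.fullmatch(ts)
    if not m:
        raise ValueError(f"unrecognised UTC timestamp: {ts!r}")
    date, clock, frac = m.groups()
    micro = int((frac or "")[:6].ljust(6, "0"))
    base = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def parse_signin_frequency_error(message: str) -> dict:
    """Extract issue time, policy lifetime and computed expiry from AADSTS70043."""
    m = _PATTERN.search(message)
    if not m or m["code"] != "70043":
        raise ValueError("not an AADSTS70043 sign-in frequency error")
    issued = parse_utc(m["issued"])
    lifetime = timedelta(seconds=int(m["lifetime"]))  # assumption: seconds
    observed = parse_utc(m["observed"] + "Z")
    expires = issued + lifetime
    return {
        "issued": issued,
        "max_lifetime": lifetime,
        "expires": expires,
        "observed_at": observed,
        "expired": observed >= expires,
        "overdue_by": observed - expires,
    }


def describe(message: str) -> str:
    """One-line summary suitable for a log entry or a support ticket."""
    r = parse_signin_frequency_error(message)
    hours = r["max_lifetime"].total_seconds() / 3600
    state = "expired" if r["expired"] else "still valid"
    return (f"token issued {r['issued'].isoformat()} with a {hours:g} h "
            f"sign-in frequency limit; {state} at {r['observed_at'].isoformat()} "
            f"(expiry {r['expires'].isoformat()})")


if __name__ == "__main__":
    print(describe(SAMPLE_ERROR))
```

For the message in this thread the computed expiry is 2023-12-16T06:47:01Z, twelve hours after issue, which is why a token obtained once a day is rejected by the next morning: the limit comes from the tenant's sign-in frequency policy, not from the CLI's own cache.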

austintolani (Contributor, Author) commented Dec 19, 2023

Using the browser authentication flow fixed this issue for me. Ideally, the refresh token should behave the same regardless of authentication flow but I will leave it up to you if that is worth keeping this issue open for. Thanks for your help!

yonzhan added the feature-request label and removed the question label Dec 20, 2023

jiasli (Member) commented Dec 20, 2023

> I was having issues using the browser

@austintolani, could you share more details about the issue you are facing? Currently, there is indeed an open issue for opening a web browser in WSL 2:

> Using the browser authentication flow fixed this issue for me.

Yes, auth code flow / browser authentication flow is the recommended login method.

austintolani (Contributor, Author) commented

Sure. When I run az login, I get the following output:

az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
/usr/bin/xdg-open: 882: x-www-browser: not found
/usr/bin/xdg-open: 882: firefox: not found
/usr/bin/xdg-open: 882: iceweasel: not found
/usr/bin/xdg-open: 882: seamonkey: not found
/usr/bin/xdg-open: 882: mozilla: not found
/usr/bin/xdg-open: 882: epiphany: not found
/usr/bin/xdg-open: 882: konqueror: not found
/usr/bin/xdg-open: 882: chromium: not found
/usr/bin/xdg-open: 882: chromium-browser: not found
/usr/bin/xdg-open: 882: google-chrome: not found

And then the w3m browser is opened which I am not familiar with how to use. In previous versions, running az login would automatically open my default browser on Windows.

ragatgen commented Apr 8, 2024

randal [ ~ ]$ az aro create --resource-group $RESOURCEGROUP --name $CLUSTER --vnet aro-vnet --master-subnet master-subnet --worker-subnet worker-subnet
No --pull-secret provided: cluster will not include samples or operators from Red Hat or from certified partners.
Resource aro-vnet is missing role assignment 4d97b98b-1d4f-4787-a291-c67834d212e7 for service principal 50c17c64-bc11-4fdd-a339-0ecd396bf911 (These roles will
be automatically added during cluster creation)

The command failed with an unexpected error. Here is the traceback:
Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/util.py", line 1007, in send_raw_request
raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Bad Request({"error":{"code":"CredentialInvalidLifetimeAsPerAppPolicy","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","details":[{"code":"InvalidKeyEndDate","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","target":"EndDate"}],"innerError":{"date":"2024-04-08T15:27:17","request-id":"a253c8fe-9525-4c9f-ae74-0ebe4d77b06d","client-request-id":"a253c8fe-9525-4c9f-ae74-0ebe4d77b06d"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/aro/custom.py", line 107, in aro_create
client_id, client_secret = aad.create_application(cluster_resource_group or 'aro-' + random_id)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/aro/_aad.py", line 27, in create_application
password = self.add_password(obj_id)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/aro/_aad.py", line 56, in add_password
cred = self.client.application_add_password(obj_id, {})
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 131, in application_add_password
result = self._send("POST", "/applications/{id}/addPassword".format(id=id), body=body)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

ragatgen commented Apr 8, 2024

I am using the latest cli version
