
Missing semantic errors for resources that don't exist instead of just long expiries. #28779

@ThomasShih

Description


Describe the bug

I made the mistake of trying to use a resource id within the resource param:

az account get-access-token --resource <resource id of my postgres flexible server> --scope .default

and it still provided a token back. However the token is invalid. The only thing raising a red flag was the fact that the expiry was for 24 hrs.

Documentation specifies that for all tokens "The token will be valid for at least 5 minutes with the maximum at 60 minutes." Clearly something is going wrong; perhaps this could mean there is an opportunity to provide a more semantic response?

Related command

az account get-access-token

Errors

No explicit errors

Issue script & Debug output

cli.knack.cli: Command arguments: ['account', 'get-access-token', '--resource', '<incorrectly used resource id>', '--scope', '.default', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x1018dc0e0>, <function OutputProducer.on_global_arguments at 0x10195b240>, <function CLIQuery.on_global_arguments at 0x1019a8d60>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'account': ['azure.cli.command_modules.profile', 'azure.cli.command_modules.resource']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.001         2         8
cli.azure.cli.core: resource                  0.038        51       228
cli.azure.cli.core: Total (2)                 0.039        53       236
cli.azure.cli.core: Loaded 52 groups, 236 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : account get-access-token
cli.azure.cli.core: Command table: account get-access-token
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x1026d0220>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '<log location>'.
az_command_data_logger: command args: account get-access-token --resource {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x10270da80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x102724ea0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x102724fe0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x10195b2e0>, <function CLIQuery.handle_query_parameter at 0x1019a8e00>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x102724f40>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/<user>/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/tshih/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<uuid, not sure if sensitive>/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('.default',), claims=None, kwargs={}
msal.application: Found 2 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********.<uuid, not sure if sensitive>', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: <uuid, not sure if sensitive>
msal.application: Cache attempts an RT
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /<uuid, not sure if sensitive>/oauth2/v2.0/token HTTP/1.1" 200 5308
msal.token_cache: event={
    "client_id": "<uuid, not sure if sensitive>",
    "data": {
        "claims": "{\"access_token\": {\"xms_cc\": {\"values\": [\"CP1\"]}}}",
        "refresh_token": "********",
        "scope": [
            ".default",
            "openid",
            "offline_access",
            "profile"
        ]
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "refresh_token",
    "params": null,
    "response": {
        "access_token": "********",
        "client_info": "<client info>",
        "expires_in": 86399,
        "ext_expires_in": 86399,
        "foci": "1",
        "id_token": "********",
        "scope": "email openid profile 00000003-0000-0000-c000-000000000000/AuditLog.Read.All 00000003-0000-0000-c000-000000000000/Directory.AccessAsUser.All 00000003-0000-0000-c000-000000000000/Group.ReadWrite.All 00000003-0000-0000-c000-000000000000/User.ReadWrite.All 00000003-0000-0000-c000-000000000000/.default",
        "token_type": "Bearer"
    },
    "scope": [
        "email",
        "openid",
        "profile",
        "00000003-0000-0000-c000-000000000000/AuditLog.Read.All",
        "00000003-0000-0000-c000-000000000000/Directory.AccessAsUser.All",
        "00000003-0000-0000-c000-000000000000/Group.ReadWrite.All",
        "00000003-0000-0000-c000-000000000000/User.ReadWrite.All",
        "00000003-0000-0000-c000-000000000000/.default"
    ],
    "skip_account_creation": true,
    "token_endpoint": "https://login.microsoftonline.com/<uuid, not sure if sensitive>/oauth2/v2.0/token"
}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x10270de40>, <function _x509_from_base64_to_hex_transform at 0x10270dee0>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
  "accessToken": "<original token>",
  "expiresOn": "2024-04-19 07:29:21.000000",
  "expires_on": 1713533361,
  "subscription": "<subscription id>",
  "tenant": "<tenant id>",
  "tokenType": "Bearer"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x1026d04a0>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 0.671 seconds (init: 0.052, invoke: 0.619)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3473 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.55.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.55.0/libexec/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /Users/tshih/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Some error code telling me that something is wrong, like the expiry is clearly too far or something

Environment Summary

azure-cli 2.55.0 *

core 2.55.0 *
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Additional context

No response
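A defender-side check that would have surfaced the situation described in this report: before handing a freshly minted access token to a client, decode its payload claims and confirm that the audience matches the resource you actually intended and that the remaining lifetime sits inside the documented 5 to 60 minute window. The debug output above shows the token endpoint answering with Microsoft Graph scopes (app id 00000003-0000-0000-c000-000000000000) and expires_in of 86399 seconds, so both checks would have fired. This is an added example, not azure-cli's or MSAL's code; it assumes the access token is a JWT, that https://ossrdbms-aad.database.windows.net is the audience a PostgreSQL flexible server expects (an assumption, not taken from the page), and it builds unsigned sample tokens inline for demonstration. It only inspects claims; it does not verify the signature, which remains the resource server's job.

```python
import base64
import json
import time
from typing import List, Optional

# Lifetime window documented for az account get-access-token (quoted in the issue).
MIN_LIFETIME_S = 5 * 60
MAX_LIFETIME_S = 60 * 60

# Assumed audience for an Azure Database for PostgreSQL flexible server (assumption).
EXPECTED_AUDIENCE = "https://ossrdbms-aad.database.windows.net"

# Microsoft Graph application id, as seen in the debug output's scope list.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for demonstration only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_audience: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the token looks right.

    Checks: aud matches the intended resource, exp is present, the token is not
    already expired, and the remaining lifetime does not exceed the documented maximum.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []

    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"audience mismatch: got {aud!r}, expected {expected_audience!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    else:
        remaining = exp - now
        if remaining <= 0:
            problems.append("token already expired")
        elif remaining > MAX_LIFETIME_S:
            problems.append(
                f"remaining lifetime {int(remaining)}s exceeds documented maximum {MAX_LIFETIME_S}s"
            )
    return problems


if __name__ == "__main__":
    now = time.time()
    # Constructed token mirroring the report: Graph audience, ~24 h lifetime.
    suspicious = make_unsigned_token({"aud": GRAPH_APP_ID, "exp": int(now) + 86399})
    # Constructed token that matches the intended resource and documented window.
    plausible = make_unsigned_token({"aud": EXPECTED_AUDIENCE, "exp": int(now) + 3000})
    for label, tok in (("suspicious", suspicious), ("plausible", plausible)):
        print(label, check_token(tok, EXPECTED_AUDIENCE, now=now) or "ok")
```

Run against a real token from `az account get-access-token --query accessToken -o tsv`, the same two checks apply unchanged; a mismatch in `aud` is the earlier and more reliable signal, since a token with the right lifetime but the wrong audience is still rejected by the target service.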

Labels

ARM: az resource/group/lock/tag/deployment/policy/managementapp/account management-group
Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
act-identity-squad
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
