Description
Library name and version
Azure.Identity 1.12
Describe the bug
Hello,
I'm trying to upgrade my Azure.Identity reference from 1.12 to 1.14.2 but I'm seeing some issues when authenticating with AzureDevOps. Here is how I authenticate:
```csharp
using Azure.Core;      // TokenRequestContext, AccessToken
using Azure.Identity;  // WorkloadIdentityCredential

// Federated (AKS workload identity) credential for the app's own tenant.
var workloadIdentityCredential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
{
    ClientId = clientId,
    TenantId = tenantId,
    AuthorityHost = authorityHost,
    AdditionallyAllowedTenants = { tenantFromAccount }
});

// Azure DevOps resource, ".default" scope.
string[] scopes = new string[] { $"{Constants.AzureDevOpsResourceId}/.default" };
VssCredentials credentials;

// Request the token for the tenant the account belongs to.
var tokenRequestContext = new TokenRequestContext(scopes, tenantId: tenantFromAccount);
AccessToken token = await workloadIdentityCredential.GetTokenAsync(tokenRequestContext, cancellationToken);
```
tenantId and tenantFromAccount are both set to tenantIdA, but when I print the claims with version 1.12 and version 1.14.2, the iss property shows a different tenant, not the one that I passed, preventing us from authenticating in AzureDevOps.
TLDR:
- When using 1.12, iss shows: https://sts.windows.net/tenantIdA
- When using 1.14.2, iss shows: https://sts.windows.net/tenantIdB
Expected behavior
That using the snippet above with 1.14.2 generates the correct iss property in the claims (tenantIdA).
Actual behavior
When using version 1.14.2, it generates claims with a different tenantId, preventing the token from being valid.
Reproduction Steps
Use the code above with an application that runs in AKS where the application lives in a given tenant and is allowed to connect into AzureDevOps. Migrate to a recent Azure.Identity package and review claims.
Environment
AKS
.NET 8
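The report compares the `iss` claim of the tokens by hand. As an added example (not code from the issue, from Azure.Identity or from the Azure SDK), the following helper decodes the payload of a compact JWT with only the BCL, extracts the tenant from `iss`, and fails fast when the token was issued by a tenant other than the one requested, so a mismatch like the one above surfaces as a clear local error instead of a 401 from Azure DevOps. The token built in `Main` is a constructed, unsigned sample with the placeholder tenant names used in the report; `Base64UrlDecode`, `ReadClaims`, `TenantFromIssuer` and `EnsureIssuedByTenant` are names chosen here. No signature is verified: the check only inspects a token that the app itself just obtained from its credential.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class TokenClaimsCheck
{
    // JWT segments are base64url (-/_ alphabet) without '=' padding.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Payload claims of a compact JWS (header.payload.signature), unverified.
    public static Dictionary<string, JsonElement> ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected a compact JWS with three segments");

        string payloadJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
        using JsonDocument doc = JsonDocument.Parse(payloadJson);
        var claims = new Dictionary<string, JsonElement>(StringComparer.Ordinal);
        foreach (JsonProperty p in doc.RootElement.EnumerateObject())
            claims[p.Name] = p.Value.Clone(); // Clone: outlives the JsonDocument
        return claims;
    }

    // Tenant is the first path segment for both issuer formats:
    // https://sts.windows.net/<tenant>/  and  https://login.microsoftonline.com/<tenant>/v2.0
    public static string TenantFromIssuer(string issuer)
    {
        var uri = new Uri(issuer);
        return uri.AbsolutePath.Trim('/').Split('/')[0];
    }

    // Throws if the token's iss does not name the tenant we asked for.
    public static void EnsureIssuedByTenant(string jwt, string expectedTenantId)
    {
        Dictionary<string, JsonElement> claims = ReadClaims(jwt);
        if (!claims.TryGetValue("iss", out JsonElement iss))
            throw new InvalidOperationException("token has no iss claim");

        string issuer = iss.GetString() ?? string.Empty;
        string actual = TenantFromIssuer(issuer);
        if (!string.Equals(actual, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"token issued by tenant '{actual}', expected '{expectedTenantId}' (iss={issuer})");
    }

    // Builds a constructed, unsigned sample token (alg=none) for the demo below.
    public static string BuildUnsignedToken(string issuer, string tid)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}"));
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes(
            JsonSerializer.Serialize(new { iss = issuer, tid = tid })));
        return $"{header}.{payload}."; // empty signature segment
    }

    public static void Main()
    {
        // Constructed sample: a token issued by tenantIdA, as the reporter expects.
        string jwt = BuildUnsignedToken("https://sts.windows.net/tenantIdA/", "tenantIdA");
        Console.WriteLine("iss = " + ReadClaims(jwt)["iss"].GetString());

        EnsureIssuedByTenant(jwt, "tenantIdA"); // passes

        try
        {
            EnsureIssuedByTenant(jwt, "tenantIdB"); // the mismatch the report describes
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

In the reporter's snippet the check would go right after `GetTokenAsync`, as `TokenClaimsCheck.EnsureIssuedByTenant(token.Token, tenantFromAccount);`, so the request fails before any Azure DevOps call is made. Entra tokens also carry a `tid` claim; comparing it as well is cheap, but `iss` is what the report shows changing between the two library versions.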