Azure-cli: az login doesn't work under VPN

I am experiencing the same issue at the moment although running in MacOS 10.13.5

@yugangw-msft any thoughts?

Let me find a repro first.

@trallard @nikolajbrinch, I can't repro in my mac. I have submitted code change to report the real error. Since the upcoming release will take a few more weeks, at the same time if you have python background, could you run the following code and share with me the error?

from six.moves import BaseHTTPServer

class ClientRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(self):
        pass

web_server = BaseHTTPServer.HTTPServer(('localhost', 8401), ClientRedirectHandler)
print('no repro')

Don't want to pollute the default python env in your mac, you can create a python virtual env, say

python3 -m venv env
. env/bin/activate
pip install six
python test.py  <<--- this file has my code snippet

@yugangw-msft

I think my problem originated from installing Anaconda and making this Python my default one as I get now this error

Traceback (most recent call last):
  File "/anaconda3/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/anaconda3/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/tania.allard/opt/homebrew/Cellar/azure-cli/2.0.45/libexec/lib/python3.7/site-packages/azure/cli/core/_profile.py", line 1030, in _get_authorization_code_worker
    if reply_url is None:
UnboundLocalError: local variable 'reply_url' referenced before assignment

So I then used brew link --overwrite python to link to the cellar python version and got the same issue once again

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Users/tania.allard/opt/homebrew/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/Users/tania.allard/opt/homebrew/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 865, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/tania.allard/opt/homebrew/Cellar/azure-cli/2.0.45/libexec/lib/python3.7/site-packages/azure/cli/core/_profile.py", line 1030, in _get_authorization_code_worker
    if reply_url is None:
UnboundLocalError: local variable 'reply_url' referenced before assignment

Finally, when running the snippet it returns no repro so I am lost for what might be causing the issue

@trallard, when you ran the snippet, can you confirm the python comes from the same cellar python or some other places?
local variable 'reply_url' referenced before assignment is a bad error which I have fixed in the linked PR
We have tried in macOS (10.12.6 Sierra and 10.13 High-Sierra), CLI work fine with Python 3.7
I suggest try new CLI to be released on 9/23 which should help you report a better error; at the same time try az login --use-device-code to get yourself unblocked. Sorry for the inconvenience.

This is a matter of network setup at my client. I can do everything fine connecting to the client network from VPN. My direct connection (LAN/Wifi) goes through some security stuff that only allows specific MAC adresses, and some other nasty stuff has apparently been configured as well, so that I do not have access to do az login.
This ticket can be closed as this is my clients network setup, and not Azure CLI that is the problem.

This issue cannot unfortunately not be closed as off yet. I'm still not able to login with the same message as above. I've created a local Ubuntu 18.04 LTS in VMWare Fusion (NAT through my mac network adapter) and it works perfect.
Something strange is going on, on macOS with the Azure CLI az login. I doesn't work for me. I've tried reinstalling homebrew, python3 and azure-cli and it still doesn't work.

For me the az login --use-device-code worked so I am going to use that for now
funny enough the regular az login works perfectly on Windows

Yes the --use-device-code works, but regular az login used to work. I can't seem to be able to install old versions of Azure CLI to try if that actually works.

if you can install the edge builds by following the steps instead of waiting for the official release on 9/23, then you can share with me soon the root error.
az login has to work on mac. The authentication mechanism doesn't assume any platform specifics. Our team are all using mac, but we just can't reproduce.

OK, one update. I'm not at the client, tried az login, and it works from my home network on my Mac. Logged into the client network using VPN - bang az login is broken again.
I have debugged Azure CLI using IntelliJ. I tried changing the hardcoded 'localhost' in the _profile.py line 1024 to '0.0.0.0' and it now works. Changing it to '127.0.0.1' also works fine. 'localhost' though, doesn't work, and results in the above exception.

I have then checked my /etc/hosts file, and this is completely empty - which is of course the problem. It has been restored now, and everything works just right.

Why it works when not on VPN at home, I have no idea?

Thanks. Really helps. This SO thread has some explanation. Let me see whether or not I can let CLI detect this case and fallback to the ip-address

If you manage to do so, please state a warning in the log.
I can see that with /etc/hosts missing, localhost is still mapped to 127.0.0.1 (nslookup), while through VPN with no /etc/hosts nslookup gives a timeout. dig though maps it correctly to 127.0.0.1?

BTW: The error is a socket error of: socket.gaierror: [Errno 8] nodename nor servname provided, or not known
And not that the port is taken. This should at least be fixed.

add to S165.

So now there are 3 solutions:

1. Use az login --use-device-code
2. Add 127.0.0.1 localhost to /etc/hosts
3. In the source code, change localhost to 127.0.0.1 or 0.0.0.0 as server_address:
   https://github.com/Azure/azure-cli/blob/34549d2db993cfeab6dad21aa38ba1a4b7fc33e7/src/azure-cli-core/azure/cli/core/_profile.py#L1157

I will investigate if we should make solution 3 the default when I get back to office with Mac access. On Windows it looks good to me.

On My machine, i killed python process and then used az login and it started working.

i used following command to find out who is using 8400 port and found that its python.
Get-Process -Id (Get-NetTCPConnection -LocalPort portNumber).OwningProcess

@shyambhiogade, we have fixed this issue on Windows in https://github.com/Azure/azure-cli/pull/10955. Azure CLI will try the port starting from 8400 and fallback to the next available one. Please make sure the previous login is finished or terminated, then try again.