First: Being able to authenticate using AAD is a very nice feature, as we are not comfortable having fully authenticated kubeconfigs floating around on various computers.
Working for a client in an organization where passwords are rolled automatically on a daily basis, I quickly ran into a re-authentication issue, and it should be described in this How-To.
When a password is changed, kubectl will make a handful of token refresh retries and eventually end up giving an authentication error (as expected).
The only way I have found to be able to login again is to remove the tokens from kubeconfig. Then I can re-authenticate with the next kubectl command.
I don't know if there are any other ways to re-authenticate at the moment.
It would be nice:
Thanks for the feedback! We are currently investigating and will update you shortly.
@janlund67 Seems odd that a password change would cause issues.
@iainfoulds, @neilpeterson either of you have any thoughts on this?
In addition, if you are looking to suggest feature improvements to this I would suggest leaving that feedback directly on the AKS GitHub page or on UserVoice.
@MicahMcKittrick-MSFT
Here you see the response when the password has been changed:
E0706 10:11:29.116041 11192 azure.go:126] Failed to acquire a token: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-07-05T07:13:31.9243104Z' and the TokensValidFrom date for this user is '2018-07-05T19:14:48.0000000Z'\r\nTrace ID: d6ad7409-a863-4301-8b93-090dfa590500\r\nCorrelation ID: 56df9172-1358-4b43-b3d8-c829e8644399\r\nTimestamp: 2018-07-06 08:11:27Z","error_codes":[50173],"timestamp":"2018-07-06 08:11:27Z","trace_id":"d6ad7409-a863-4301-8b93-090dfa590500","correlation_id":"56df9172-1358-4b43-b3d8-c829e8644399"}
E0706 10:11:29.375052 11192 azure.go:126] Failed to acquire a token: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-07-05T07:13:31.9243104Z' and the TokensValidFrom date for this user is '2018-07-05T19:14:48.0000000Z'\r\nTrace ID: 607bfb30-027f-41f1-af90-6c1ecb860d00\r\nCorrelation ID: 524d661c-912b-499a-9c2b-e0de4492ea13\r\nTimestamp: 2018-07-06 08:11:27Z","error_codes":[50173],"timestamp":"2018-07-06 08:11:27Z","trace_id":"607bfb30-027f-41f1-af90-6c1ecb860d00","correlation_id":"524d661c-912b-499a-9c2b-e0de4492ea13"}
E0706 10:11:29.634040 11192 azure.go:126] Failed to acquire a token: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-07-05T07:13:31.9243104Z' and the TokensValidFrom date for this user is '2018-07-05T19:14:48.0000000Z'\r\nTrace ID: a8577a78-9531-4b58-a98a-ace81c770500\r\nCorrelation ID: 76d5ed6d-1cb5-4454-8055-a5a33c3c4970\r\nTimestamp: 2018-07-06 08:11:27Z","error_codes":[50173],"timestamp":"2018-07-06 08:11:27Z","trace_id":"a8577a78-9531-4b58-a98a-ace81c770500","correlation_id":"76d5ed6d-1cb5-4454-8055-a5a33c3c4970"}
E0706 10:11:29.883044 11192 azure.go:126] Failed to acquire a token: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-07-05T07:13:31.9243104Z' and the TokensValidFrom date for this user is '2018-07-05T19:14:48.0000000Z'\r\nTrace ID: 4a9110c9-a880-4b12-8bf5-3cc3d9ac0600\r\nCorrelation ID: 1f5cb0b9-2f9b-4f44-862b-91b0b53e1c67\r\nTimestamp: 2018-07-06 08:11:28Z","error_codes":[50173],"timestamp":"2018-07-06 08:11:28Z","trace_id":"4a9110c9-a880-4b12-8bf5-3cc3d9ac0600","correlation_id":"1f5cb0b9-2f9b-4f44-862b-91b0b53e1c67"}
Unable to connect to the server: acquiring a token for authorization header: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked. The user might have changed or reset their password. The grant was issued on '2018-07-05T07:13:31.9243104Z' and the TokensValidFrom date for this user is '2018-07-05T19:14:48.0000000Z'\r\nTrace ID: 4a9110c9-a880-4b12-8bf5-3cc3d9ac0600\r\nCorrelation ID: 1f5cb0b9-2f9b-4f44-862b-91b0b53e1c67\r\nTimestamp: 2018-07-06 08:11:28Z","error_codes":[50173],"timestamp":"2018-07-06 08:11:28Z","trace_id":"4a9110c9-a880-4b12-8bf5-3cc3d9ac0600","correlation_id":"1f5cb0b9-2f9b-4f44-862b-91b0b53e1c67"}
And this continues on subsequent kubectl commands. I am not offered a new login, so I have to delete the tokens from kubeconfig.
I will issue the feature requests on the UserVoice :-)
Hi, @janlund67. I've reached out to the engineering team on this, but I suspect it's more the behavior in how kubectl stores authentication tokens than specific to the AAD integration. Other authentication modes would likely experience the same behavior until the tokens expire. That said, we could still work to improve that overall experience.
Please do file a UserVoice suggestion to help prioritize and track feature requests. I'll also follow back up here if I hear any other workarounds from engineering.
@MicahMcKittrick-MSFT For now, #please-close
Still hitting this problem 2 years after originally filed :-(
@dbrennan , the easiest workaround is to pull a new set of credentials using az aks get-credentials --name --resource-group [--admin] [--context] [--overwrite-existing]
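The two workarounds in this thread (deleting the cached tokens from kubeconfig by hand, or re-pulling the user entry with az aks get-credentials --overwrite-existing) can be scripted. The following is an added example, not code from the issue or from the AKS tooling. It assumes the legacy "azure" auth-provider layout that az aks get-credentials wrote at the time of the thread (access-token, refresh-token, expires-in and expires-on under users[].user.auth-provider.config); the cluster, user and resource-group names and the sample kubeconfig are constructed. Dropping only the token fields leaves client-id, tenant-id, apiserver-id and environment in place, so the next kubectl call starts a fresh device-code login instead of retrying a refresh token that AAD has revoked with AADSTS50173.

```shell
#!/bin/sh
# Added example (not from the issue thread or the AKS tooling): clear the
# cached AAD tokens in a kubeconfig so kubectl re-authenticates instead of
# retrying a revoked refresh token (AADSTS50173 after a password change).
# Assumes the legacy "azure" auth-provider layout described in the thread.
set -eu

# strip_azure_tokens FILE: back the file up, then delete the per-session
# token fields in place. client-id, tenant-id, apiserver-id and environment
# are kept so the azure provider can log in again.
strip_azure_tokens() {
  f="$1"
  cp -p "$f" "$f.bak"
  chmod 600 "$f.bak"   # the backup still holds the (revoked) tokens
  sed -i.tmp -E \
    '/^[[:space:]]*(access-token|refresh-token|expires-in|expires-on):/d' "$f"
  rm -f "$f.tmp"
  chmod 600 "$f"       # kubeconfig carries bearer credentials; keep it private
}

# count_token_fields FILE: number of cached token fields still present.
count_token_fields() {
  grep -cE '^[[:space:]]*(access-token|refresh-token|expires-in|expires-on):' "$1" || true
}

# make_sample_kubeconfig FILE: constructed kubeconfig with a stale AAD
# session. Names, GUIDs and token strings are placeholders, not real values.
make_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
current-context: aks-example
contexts:
- context:
    cluster: aks-example
    user: clusterUser_rg-example_aks-example
  name: aks-example
users:
- name: clusterUser_rg-example_aks-example
  user:
    auth-provider:
      config:
        access-token: eyJ0eXAi.stale.example
        apiserver-id: 00000000-0000-0000-0000-000000000000
        client-id: 00000000-0000-0000-0000-000000000000
        environment: AzurePublicCloud
        expires-in: "3599"
        expires-on: "1530865410"
        refresh-token: stale-refresh-token.example
        tenant-id: 00000000-0000-0000-0000-000000000000
      name: azure
EOF
}

# Demo on a temporary copy (run with --demo). For a real cluster the
# alternative from the thread is to re-pull the user entry instead:
#   az aks get-credentials -n aks-example -g rg-example --overwrite-existing
if [ "${1-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_kubeconfig "$tmp"
  echo "token fields before: $(count_token_fields "$tmp")"
  strip_azure_tokens "$tmp"
  echo "token fields after:  $(count_token_fields "$tmp")"
  rm -f "$tmp" "$tmp.bak"
fi
```

Run it against the real file as `strip_azure_tokens "${KUBECONFIG:-$HOME/.kube/config}"` after sourcing the script; the next kubectl command then prompts for a new login. The --overwrite-existing route does the same thing from the server side, but note that with --admin it writes the cluster-admin certificate credential rather than an AAD user entry.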