Trying to access Key Vault Secrets through Python on Windows 10, but Token is expired

Jord 0 Reputation points
2023-02-09T13:47:45.48+00:00

Recently I've been testing using Azure Key Vault for sensitive information in Python code.

And for most of the team the following code works as intended:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

VAULT_URL = ""  # the vault's https URL
credential = DefaultAzureCredential(additionally_allowed_tenants=[''])
client = SecretClient(vault_url=VAULT_URL, credential=credential)
secret_db = client.get_secret("")  # name of the secret to read
secret_value = secret_db.value

Some members get the following error about expired refresh tokens:

azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
    SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on * and was inactive for 90.00:00:00.
Trace ID: *
Correlation ID: *
Timestamp: *
Content: {"error":"invalid_grant","error_description":"AADSTS700082: The refresh token has expired due to inactivity. The token was issued on * and was inactive for 90.00:00:00.\r\nTrace ID: *\r\nCorrelation ID: \r\nTimestamp: ","error_codes":[700082],"timestamp":"","trace_id":"","correlation_id":"**","error_uri":"https://login.microsoftonline.com/error?code=700082"}
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot.

I found more information on these tokens here: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens, but I still don't know where to see these tokens on each member's profile and how to update them. Any feedback would be appreciated.


1 answer

  1. JamesTran-MSFT 36,456 Reputation points Microsoft Employee
    2023-02-13T22:47:45.0233333+00:00

    @Jord

    Thank you for your post and I apologize for the delayed response!

    Error Message:
    AADSTS700082: The refresh token has expired due to inactivity. The token was issued on * and was inactive for 90.00:00:00.

    From your error message, it looks like you're running into a refresh token lifetime issue due to inactivity. This error usually occurs if the user hasn't signed in for 90 days, or if you're using a single page app (SPA) - after 24 hours.

    When it comes to viewing refresh tokens, if you're using the OAuth2 authorization code flow, you should be able to use the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint and the authorization_code, to view the refresh token and redeem the code for an access token. For more info.

    When it comes to resolving this issue, the user will need to sign in to Azure again to get a new refresh token. This can be done by running the az login command within the Azure CLI; this'll allow the user to sign into Azure and get a new refresh token.

    Additional Link - Refresh the access token


    I hope this helps! If you have any other questions, please let me know.
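As an added example (not code from the question or the answer), here is a small Python helper that parses the "Attempted credentials:" block of the DefaultAzureCredential error quoted above, finds which credential in the chain failed with the AADSTS700082 expired-refresh-token code, and reports the remediation the answer gives (re-run az login). The sample error text is constructed from the post, and the remediation wording and the REAUTH_CODES table are assumptions, not part of the Azure SDK.

```python
import re
from typing import Dict, Optional

# Constructed sample: the failure text quoted in the question, per-user values replaced by '*' as in the post.
SAMPLE_ERROR = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
    SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS700082: The refresh token has expired due to inactivity. The token was issued on * and was inactive for 90.00:00:00.
Trace ID: *
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/defaultazurecredential/troubleshoot."""

# Assumed table: AADSTS codes meaning the cached user session is dead and a fresh sign-in is needed (only 700082 is on the page).
REAUTH_CODES = {"AADSTS700082": "refresh token expired after 90 days of inactivity"}
CRED_LINE = re.compile(r"^\s+(\w+Credential):\s*(.*)$")  # indented '<Name>Credential: <reason>' entry
AADSTS = re.compile(r"\bAADSTS\d+\b")


def parse_attempted_credentials(message: str) -> Dict[str, str]:
    """Map each credential listed under 'Attempted credentials:' to its full failure text."""
    entries: Dict[str, str] = {}
    current: Optional[str] = None
    in_list = False
    for line in message.splitlines():
        if not in_list:
            in_list = line.strip() == "Attempted credentials:"
            continue
        if line.startswith("To mitigate"):  # trailing guidance, not a credential entry
            break
        m = CRED_LINE.match(line)
        if m:
            current = m.group(1)
            entries[current] = m.group(2).strip()
        elif current is not None:  # 'Visit ...' hint, 'Trace ID: *' etc. belong to the entry above
            entries[current] += "\n" + line.strip()
    return entries


def diagnose(message: str) -> Dict[str, object]:
    """Find the credential that hit an expired-session AADSTS code and say what the user should do."""
    for name, text in parse_attempted_credentials(message).items():
        m = AADSTS.search(text)
        if m and m.group(0) in REAUTH_CODES:
            return {"credential": name, "code": m.group(0), "needs_reauth": True,
                    "remediation": f"{REAUTH_CODES[m.group(0)]}: run `az login` to obtain a new "
                                   "refresh token (replacing the stale cached one), then retry."}
    return {"credential": None, "code": None, "needs_reauth": False,
            "remediation": "no expired-session code found; check which credential sources are configured."}
```

Wrapping the SecretClient call in a try/except for ClientAuthenticationError and passing str(exc) to diagnose() gives team members a direct "sign in again" hint instead of the raw credential chain dump.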