This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 69%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWS%3C/text%3E%3C/svg%3E)
I'm running into a weird problem where the Azure foundry endpoint returns an unauthorized response the first time per endpoint. The second time, the call works. See screenshot:
So the first time GET /contentunderstanding/analyzers is accessed, it returns 401. The message returns to the service bus to be retried a minute later. The second time it works. Then in the same session, the POST doesn't work and returns a 401. A minute later, the whole thing retries and it works. This happens every time.
Code to acquire the token is in a DelegatingHandler:
private readonly DefaultAzureCredential _credential = new DefaultAzureCredential();
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
AccessToken accessToken = await _credential.GetTokenAsync(new TokenRequestContext(_scopes), cancellationToken);
request.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken.Token);
return await base.SendAsync(request, cancellationToken);
}
_scopes is https://cognitiveservices.azure.com/.default, I also tried https://ai.azure.com/.default but it has the same problem.
This only happens when we run it on the app service. Locally it works like it should and there I'm connected through Azure AD. It's probably related to having the wrong token, but it's strange that the second attempt does work.
Do I have to give the app service more rights to the foundry resource? What am I missing?
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 15%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Thank you for sharing the observation.
It is re-issuing new token for each request and might be rejecting because of lazy initialization.
Locally:
DefaultAzureCredential usually resolves to:
On App Service:
But I think we can cache the token for reuse instead of re-issuing every time.
Also wanted to add that
Normally token is fetched from this URL - https://cognitiveservices.azure.com/.default
token = credential.get_token("https://cognitiveservices.azure.com/.default")
Recommending you test Managed Identity and Service principal authentication too which might provide better result.
Thank you.
Have update above comment with additional observation on token generating URL and alternate authentication.
Thank you.
I'm not using lazy loading to acquire the token. This is the handler I use:
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct) {
AccessToken accessToken = await _credential.GetTokenAsync(new TokenRequestContext(_scopes), ct);
request.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken.Token);
return await base.SendAsync(request, ct);
}
A new token is created every time.
I've checked the access of the web app on the foundry resource and it seems that there is none. This will probably the cause of the problem, but then it's strange that every second execution does work...
Either way, I think I need an Azure AI User role for this?
I don't have privileges currently to add this user, but I will have them on Monday. I will come back then with more information.
Please let us know the issue was resolved after using "Azure AI user" role and pin pointing token URL to - https://cognitiveservices.azure.com/.default
Thank you.
Problem is resolved after adding the "Azure AI user" role.
Thank you for confirming.
Please accept this answer, if you found my pointers helpful debugging and resolving the issue.
Thank you
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
I will review with product group team internally after a minimal replication. Thank you for the feedback.