microsoft/artifacts-credprovider

Winrt exception was thrown during GetTokenSilently '(pii)'.

KirillOsenkov opened this issue · 6 comments

We have a sporadic failure in Azure Pipelines CI:

##[error]C:\Program Files\dotnet\sdk\8.0.401\NuGet.targets(174,5): Error : The plugin credential provider could not acquire credentials. Authentication may require manual action. Consider re-running the command with --interactive for `dotnet`, /p:NuGetInteractive="true" for MSBuild or removing the -NonInteractive switch for `NuGet`
Unauthorized https://*.pkgs.visualstudio.com/_packaging/*/nuget/v3/flat2/unity/index.json 325ms
Retrying 'FindPackagesByIdAsync' for source 'https://*.pkgs.visualstudio.com/_packaging/*/nuget/v3/flat2/unity/index.json'.
Response status code does not indicate success: 401 (Unauthorized).

##[error]C:\Program Files\dotnet\sdk\8.0.401\NuGet.targets(174,5): Error :     [CredentialProvider]Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: Winrt exception was thrown during GetTokenSilently '(pii)'.
Tag: 0x2339e502 (error code -2147023584) (internal error code 590996738)

I've seen that error also in #462, but not sure if that one is the same issue.

Is there a way to know what that Winrt exception is all about?

@embetten have you seen this before?

@rayluo any ideas?

Similar issue at Azure/azure-cli#25787, but not sure if it is the same.

I have not seen this before, but @KirillOsenkov, I would not expect this cred provider to even go down the silent/WAM broker MSAL token acquisition path in an ADO pipeline. We have checks to ensure it does not.

The ADO pipeline credential provider scenario should really just be handing back tokens set in environment variables. (We have env variables for the build session token and variables for external endpoints.)

Are these env variables set correctly, and can you provide further logs from dotnet (-v detailed) in order to understand why/how this error shows up?

But it does look like a known WAM broker limitation #3792

Closing. We were able to unblock by adding the NuGetAuthenticateV1 Task before any dotnet/NuGet operations in the ADO pipeline.

The underlying error message is a known WAM broker limitation and was only occurring because the cred provider was trying to silent auth in a build scenario due to a misconfiguration.
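
The ordering described in the closing comment, as an added example that is not part of the original thread or the project's own configuration. The YAML task reference `NuGetAuthenticate@1` and the variable names `VSS_NUGET_URI_PREFIXES` and `VSS_NUGET_EXTERNAL_FEED_ENDPOINTS` are not named in the thread; they are assumed from the task's and the credential provider's documentation, and the diagnostic step assumes the task exposes them to later steps as environment variables.

```yaml
# Constructed pipeline fragment (added example, not from the thread).
steps:
  # Must run before any dotnet/NuGet step. It hands the build's feed
  # credentials to the credential provider through environment variables,
  # so the provider does not fall through to silent (WAM broker) sign-in.
  - task: NuGetAuthenticate@1
    displayName: Authenticate to NuGet feeds

  # Diagnostic only: report whether the expected variables are present.
  # Prints names and state, never the values, so nothing sensitive
  # lands in the build log.
  - powershell: |
      $names = 'VSS_NUGET_URI_PREFIXES', 'VSS_NUGET_EXTERNAL_FEED_ENDPOINTS'
      foreach ($n in $names) {
        $state = if ([Environment]::GetEnvironmentVariable($n)) { 'set' } else { 'not set' }
        Write-Host "$n is $state"
      }
    displayName: Check credential provider inputs

  # Detailed verbosity, as requested in the thread, shows which
  # authentication path the credential provider takes.
  - script: dotnet restore -v detailed
    displayName: Restore packages
```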