Sudden TokenExpired message on using SDK
richardallwoodgithub opened this issue · 7 comments
I have a project that was using the SDK with Azure AD Application and IR resource. It was working for several months until recently where now every request opens the frame for IR but now returns:
I changed some of the settings for subdomain, Secrets etc as a test and when changed the IR times out completely which leads me to believe the settings I have are correct. The code to get the token is successful and using console.log I can see both it and the subdomain are ok before ImmersiveReader.LaunchAsync fires.
In order to check it wasn't me, my machine, my code etc I grabbed another dev example online: https://github.com/kasuken/ImmersiveReaderCore . I tested with the settings as is first and IR opened ok. I changed the settings to my own TenantID etc and the error returned. I have raised a support ticket with Azure as it was working before and feels like an account issue but if anyone can help I would appreciate it as it's used in an application for specialist students.
For reference RE: frontend code, library used is: https://contentstorage.onenote.office.net/onenoteltir/immersivereadersdk/immersive-reader-sdk.1.0.0.js which I see is different to current example for IR tutorial and azure but I tried the one listed there as well and made no difference.
Code for launching:
```js
const data = {
    title: $("#ir-title").text(),
    chunks: [{
        content: $("#ir-content").html(),
        mimeType: "text/html"
    }]
};
const options = {
    "onExit": exitCallback,
    "uiZIndex": 2000
};
ImmersiveReader.launchAsync(tkn.token, tkn.subdomain, data, options)
    .catch(function (error) {
        console.log(error);
        alert("Error in launching the Immersive Reader. Please check your internet connection.");
    });
```
I can confirm the areas ir-title and ir-content exist, have content etc
When you launch IR, in the browser Dev Tools you should see a call to GetContentModelForReader failing with 401. Can you please send me the Response message, as well as the Response header apim-request-id?
No response message provided other than failed to load response data.
Response Headers:
```
ol-allow-origin: *
access-control-expose-headers: Operation-Location,Location,Apim-Request-Id
apim-request-id: 0d9c1ae2-a734-46ce-97fc-543bbd04b160
content-length: 99
content-type: application/json
date: Fri, 11 Nov 2022 08:48:09 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-ms-region:
```
I'm glad you contacted us. We have been seeing your resource in error for several weeks now and we're spinning up the Azure process to send you a notification, hoping we could get in touch with you about this.
The error we're seeing is Principal does not have access to API/Operation.
This means that somehow your AAD app does not have access to the Immersive Reader resource you are using. We did see things working for you up to 10/21 but then there was a break in call activity and when activity resumed between 10/24-25 the calls were in error and have been since. We assumed something might have changed with your subscription somehow.
You should be able to fix this by running our script at https://learn.microsoft.com/en-us/azure/applied-ai-services/immersive-reader/how-to-create-immersive-reader, supplying all the parameter values for the resources you have already created. Or perhaps easier, would be to fix this in the Azure portal directly. You need to add a role assignment for your AAD app to your IR resource.
The key part of the script that does this is this part:
```powershell
Write-Host "Granting service principal access to the newly created Immersive Reader resource"
$accessResult = az role assignment create --assignee $principalId --scope $resourceId --role "Cognitive Services Immersive Reader User"
if (-not $accessResult) {
    throw "Error: Failed to grant service principal access"
}
Write-Host "Service principal access granted successfully"
```
But you can also do this from the Azure Portal UI by navigating to your IR resource, selecting the Access Control (IAM) blade, and Add a New Role Assignment for the Cognitive Services Immersive Reader User role, and on the Select Members step, add your AAD app identity.
Please let us know if that works or if you need anything else.
Thanks!
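A way to confirm the role assignment described in the reply above before retrying the reader, as an added example that is not part of the original thread or of Microsoft's script. `Test-ImmersiveReaderAccess`, the resource names and the IDs are hypothetical, and the sample JSON is constructed so the check runs without an Azure login.

```powershell
# Added example: Test-ImmersiveReaderAccess is a hypothetical helper, not part of Microsoft's script.
function Test-ImmersiveReaderAccess {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,  # object ID of the AAD app's service principal
        [Parameter(Mandatory)] [string] $ResourceId,   # full ARM ID of the Immersive Reader resource
        [string] $AssignmentsJson                      # optional captured `az` output, for offline checks
    )
    $roleName = 'Cognitive Services Immersive Reader User'
    if (-not $AssignmentsJson) {
        # --include-inherited also returns assignments made on the parent
        # resource group or subscription, which apply to the resource too.
        $AssignmentsJson = (az role assignment list --assignee $PrincipalId `
            --scope $ResourceId --include-inherited --output json) -join "`n"
        if ($LASTEXITCODE -ne 0) { throw 'az role assignment list failed' }
    }
    $assignments = ConvertFrom-Json -InputObject $AssignmentsJson
    $matching = @($assignments | Where-Object {
        if (-not $_ -or $_.roleDefinitionName -ne $roleName) { return $false }
        if ($_.principalId -ne $PrincipalId) { return $false }
        # A scope covers the resource only if it is the resource itself or a parent
        # path segment; a bare prefix test would let "rg-demo" match "rg-demo-old".
        $scope = $_.scope.TrimEnd('/')
        ($ResourceId -eq $scope) -or
            $ResourceId.StartsWith("$scope/", [System.StringComparison]::OrdinalIgnoreCase)
    })
    [pscustomobject]@{
        HasAccess = $matching.Count -gt 0
        Role      = $roleName
        Scopes    = @($matching | ForEach-Object { $_.scope })
    }
}

# Constructed sample with placeholder IDs: the principal holds Reader on the resource
# group, and the Immersive Reader role only on a different (older) resource.
$sub  = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rid  = "$sub/resourceGroups/rg-demo/providers/Microsoft.CognitiveServices/accounts/ir-demo"
$spId = '11111111-1111-1111-1111-111111111111'
$sample = @"
[
  {"principalId":"$spId","roleDefinitionName":"Reader","scope":"$sub/resourceGroups/rg-demo"},
  {"principalId":"$spId","roleDefinitionName":"Cognitive Services Immersive Reader User",
   "scope":"$sub/resourceGroups/rg-demo-old/providers/Microsoft.CognitiveServices/accounts/ir-demo"}
]
"@
Test-ImmersiveReaderAccess -PrincipalId $spId -ResourceId $rid -AssignmentsJson $sample
```

Omitting `-AssignmentsJson` runs the live `az role assignment list` query instead, which needs a signed-in Azure CLI session such as Cloud Shell.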
No matter what I try when running the function I get this:
```powershell
throw "Error: AADAppIdentifierUri must be a valid URI"
```
Have tried existing App registration Uri and a new one such as api://restofuri but no luck
Hm, this would be failing on one of the first lines in that script:
```powershell
$unused = ''
if (-not [System.Uri]::TryCreate($AADAppIdentifierUri, [System.UriKind]::Absolute, [ref] $unused)) {
    throw "Error: AADAppIdentifierUri must be a valid URI"
}
```
Did you try running this in Azure Cloud Shell? Perhaps it could have something to do with the version of the Azure CLI that is being used, and running from Cloud Shell would ensure the latest version.
For example, I tried your api://restofuri and it worked, both running the full script and running just this command standalone:
```
PS /home/ryan> $unused=''
PS /home/ryan> [System.Uri]::TryCreate('api://restofuri', [System.UriKind]::Absolute, [ref] $unused)
True
```
If you can't get the script to work, I suggest just doing the Role Assignment directly in the Azure Portal UI as described above. I think this would be easier for you overall, since we just need to do that one thing.
I ran the TryCreate part ok, returned true.
Ran the function again and then Create-ImmersiveReaderResource with the newly created AADAppIdentifierUri but still got the valid uri error. I have been using Azure Cloud powershell every time.
I changed the function from MS Learn and removed this section and it did run. The only thing different in the end was the subdomain which when changed in my projects the IR is now working. The only thing I see different is that azure has created a new IR but it appears to be the same one as before. Going to ask Azure support what may have happened to the other one for it to stop working, thank you for your help.