
Bug: AzureRedisPasswordlessProperties uses invalid wildcard scope for AZURE_CHINA, causing ManagedIdentityCredential failure #48680

@0x9bb1

Bug Report

Library

spring-cloud-azure-starter-data-redis-lettuce version 7.0.0

Environment

  • Spring Boot: 4.0.4
  • Spring Cloud Azure: 7.0.0
  • Deployment: AKS (Azure China), Workload Identity / Managed Identity
  • Azure Cache for Redis (China, TLS port 6380, Entra ID passwordless auth)

Problem

In AzureRedisPasswordlessProperties, the China-specific Redis token scope is defined as:

```java
private static final String REDIS_SCOPE_AZURE_CHINA =
    "https://*.cacheinfra.windows.net.china:10225/appid/.default";
```

This scope contains a literal * wildcard with no runtime substitution logic. When cloud-type: AZURE_CHINA is configured, getDefaultScopes() returns this wildcard string directly and passes it to IMDS as the resource parameter. IMDS cannot process a wildcard URI and returns an error, which the Azure Identity SDK surfaces as:

```
com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.
```

Root Cause

getDefaultScopes() has no substitution logic for the *:

```java
private String getDefaultScopes() {
    return REDIS_SCOPE_MAP.getOrDefault(getProfile().getCloudType(), REDIS_SCOPE_AZURE);
}
```

The wildcard is returned as-is. Compare with MySQL passwordless which uses a fully-qualified scope (https://ossrdbms-aad.database.chinacloudapi.cn) — MySQL auth succeeds on the same pod with the same identity.

Impact

Azure Cache for Redis passwordless authentication is completely broken for AZURE_CHINA when using the default scope. The error message ("Managed Identity not available") is misleading and points away from the real cause.

Workaround

Explicitly override the scope via configuration:

```yaml
spring:
  data:
    redis:
      azure:
        scopes: "https://redis.azure.com/.default"
```

Per Azure infrastructure team, the correct scope for Azure China Redis is https://redis.azure.com/.default (same as global Azure), not the cacheinfra.windows.net.china format.

Expected Behavior

Either:

  1. REDIS_SCOPE_AZURE_CHINA should be corrected to https://redis.azure.com/.default, or
  2. The * wildcard should be replaced at runtime using the configured Redis hostname (spring.data.redis.host)

Reproduction

Configure a Spring Boot 4.x app with:

```yaml
spring:
  cloud:
    azure:
      profile:
        cloud-type: AZURE_CHINA
  data:
    redis:
      azure:
        passwordless-enabled: true
```
Deploy to AKS (Azure China) with Managed Identity — Redis connection will fail with CredentialUnavailableException.
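The failure mode above is a scope string that is rejected only once it reaches IMDS, where the error surfaces as an unrelated "Managed Identity not available". The following is an added example, not code from spring-cloud-azure or from the reporter: a fail-fast check that validates the resolved scope at startup. The two scope strings and the property names are taken from the issue; the `CloudType` enum, the `RedisScopeCheck` class and the exception message are assumptions made for this example.

```java
import java.util.Map;
import java.util.Optional;

// Added example, not spring-cloud-azure code: a fail-fast check for the Redis
// Entra ID token scope so a wildcard never reaches IMDS. The scope strings are
// quoted from the issue; CloudType, this class and the message are assumptions.
public final class RedisScopeCheck {

    enum CloudType { AZURE, AZURE_CHINA }

    static final String REDIS_SCOPE_AZURE = "https://redis.azure.com/.default";
    // Value quoted from the report; the literal '*' is what IMDS cannot process.
    static final String REDIS_SCOPE_AZURE_CHINA =
            "https://*.cacheinfra.windows.net.china:10225/appid/.default";
    static final Map<CloudType, String> REDIS_SCOPE_MAP = Map.of(
            CloudType.AZURE, REDIS_SCOPE_AZURE,
            CloudType.AZURE_CHINA, REDIS_SCOPE_AZURE_CHINA);

    /** Mirrors getDefaultScopes() from the report: returns the map entry verbatim. */
    static String defaultScope(CloudType cloud) {
        return REDIS_SCOPE_MAP.getOrDefault(cloud, REDIS_SCOPE_AZURE);
    }

    /** Rejects a scope IMDS would refuse, before any credential is built. */
    static void validate(String scope) {
        if (!scope.startsWith("https://") || scope.indexOf('*') >= 0) {
            throw new IllegalStateException("invalid token scope '" + scope
                    + "': set spring.data.redis.azure.scopes to a fully-qualified"
                    + " scope such as " + REDIS_SCOPE_AZURE);
        }
    }

    /** Explicit configuration (spring.data.redis.azure.scopes) always wins. */
    static String resolve(CloudType cloud, Optional<String> configuredScope) {
        String scope = configuredScope.orElseGet(() -> defaultScope(cloud));
        validate(scope);
        return scope;
    }

    public static void main(String[] args) {
        // Global cloud with the shipped default: passes.
        System.out.println(resolve(CloudType.AZURE, Optional.empty()));
        // China with the explicit override from the workaround: passes.
        System.out.println(resolve(CloudType.AZURE_CHINA, Optional.of(REDIS_SCOPE_AZURE)));
        // China with the shipped default: fails at startup with an actionable
        // message instead of a misleading CredentialUnavailableException later.
        try {
            resolve(CloudType.AZURE_CHINA, Optional.empty());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```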

Labels: Client (this issue points to a problem in the data-plane of the library), azure-spring, customer-reported, question