SQL Server Azure Active Directory Authentication Fails due to lack of dependencies

[ExtraClock]

Which version and edition of Flyway are you using?

11.0.0

If this is not the latest version, can you reproduce the issue with the latest one as well? (Many bugs are fixed in newer releases and upgrading will often resolve the issue)

It is the latest version.

Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)

Command-line.

Which database are you using? (Type & version)

Microsoft SQL Server 2022 (RTM-CU16) (KB5048033) - 16.0.4165.4 (X64) Nov 6 2024 19:24:49 Copyright (C) 2022 Microsoft Corporation Developer Edition (64-bit) on Windows Server 2022 Datacenter 10.0 (Build 20348: ) (Hypervisor)

Which operating system are you using?

Windows 11 23H2

What did you do? (Please include the content causing the issue, any relevant configuration settings, the SQL statement(s) that failed (if any), and the command you ran)

Trying to use AAD authentication:

.\flyway.cmd '-url=jdbc:sqlserver://1.2.3.4:1433;databaseName=xxx;encrypt=false;trustServerCertificate=true;authentication=ActiveDirectoryManagedIdentity' '-user=d4bc12b0-5a43-47d5-bb86-f975a0566cf2' info

What did you expect to see?

Successful auth or errors not related to the auth scheme used.

What did you see instead?

Classes couldn't be found due to lack of dependencies included in CLI.

According to the docs (Supported Databases → SQL Server Database → Authentication → Azure Active Directory ) "For command-line users, MSAL4J and Azure Identity are already included, so no extra installation is required."

PS C:\prg\flyway-11.0.0> .\flyway.cmd '-url=jdbc:sqlserver://1.2.3.4:1433;databaseName=xxx;encrypt=false;trustServerCertificate=true;authentication=ActiveDirectoryManagedIdentity' '-user=d4bc12b0-5a43-47d5-bb86-f975a0566cf2' info
WARNING: No locations configured and default location 'sql' not found.
Flyway OSS Edition 11.0.0 by Redgate

See release notes here: https://rd.gt/416ObMi
Exception in thread "main" java.lang.NoClassDefFoundError: com/azure/core/credential/TokenCredential
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(Unknown Source)
        at java.base/java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(Unknown Source)
        at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(Unknown Source)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(Unknown Source)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(Unknown Source)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.getManagedIdentityCredAuthToken(SQLServerSecurityUtility.java:348)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:6035)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5989)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5823)
        at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:322)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:130)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:42)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6881)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5428)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5360)
        at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7748)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4410)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3847)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3372)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3197)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1971)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnectionFromDriver(DriverDataSource.java:275)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnection(DriverDataSource.java:240)
        at org.flywaydb.core.internal.jdbc.JdbcUtils.openConnection(JdbcUtils.java:59)
        at org.flywaydb.core.internal.jdbc.JdbcConnectionFactory.<init>(JdbcConnectionFactory.java:76)
        at org.flywaydb.core.FlywayExecutor.execute(FlywayExecutor.java:137)
        at org.flywaydb.core.Flyway.info(Flyway.java:263)
        at org.flywaydb.commandline.Main.executeOperation(Main.java:328)
        at org.flywaydb.commandline.Main.executeFlyway(Main.java:207)
        at org.flywaydb.commandline.Main.main(Main.java:129)
Caused by: java.lang.ClassNotFoundException: com.azure.core.credential.TokenCredential
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(Unknown Source)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        ... 35 more

[JasonLuo-Redgate]

Hi @ExtraClock ,
Thanks for reporting this issue. The fix has been included in the latest 11.0.1 release.
Could you try that build to check if the issue has been resolved?

[ExtraClock]

Hi @JasonLuo-Redgate !
I tested this artifact: flyway-commandline-11.0.1-windows-x64.zip.
It still fails due to lack of the org.reactivestreams:reactive-streams dependency, since you didn't include it in 11.0.1 for some reason (PR#3978, L197).

Flyway OSS Edition 11.0.1 by Redgate

See release notes here: https://rd.gt/416ObMi
Exception in thread "main" java.lang.NoClassDefFoundError: org/reactivestreams/Publisher
        at com.azure.core.util.logging.ClientLogger.<init>(ClientLogger.java:126)
        at com.azure.core.util.logging.ClientLogger.<init>(ClientLogger.java:115)
        at com.azure.core.util.logging.ClientLogger.<init>(ClientLogger.java:80)
        at com.azure.core.util.logging.ClientLogger.<init>(ClientLogger.java:70)
        at com.azure.identity.CredentialBuilderBase.<clinit>(CredentialBuilderBase.java:32)
        at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.getManagedIdentityCredAuthToken(SQLServerSecurityUtility.java:358)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:6035)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5989)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5823)
        at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:322)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:130)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:42)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6881)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5428)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5360)
        at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7748)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4410)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3847)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3372)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3197)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1971)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnectionFromDriver(DriverDataSource.java:275)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnection(DriverDataSource.java:240)
        at org.flywaydb.core.internal.jdbc.JdbcUtils.openConnection(JdbcUtils.java:59)
        at org.flywaydb.core.internal.jdbc.JdbcConnectionFactory.<init>(JdbcConnectionFactory.java:76)
        at org.flywaydb.core.FlywayExecutor.execute(FlywayExecutor.java:137)
        at org.flywaydb.core.Flyway.info(Flyway.java:263)
        at org.flywaydb.commandline.Main.executeOperation(Main.java:328)
        at org.flywaydb.commandline.Main.executeFlyway(Main.java:207)
        at org.flywaydb.commandline.Main.main(Main.java:129)
Caused by: java.lang.ClassNotFoundException: org.reactivestreams.Publisher
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(Unknown Source)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        ... 31 more

[lukaskostial]

Hi @JasonLuo-Redgate,

FYI, we are also experiencing the same issue with flyway:latest-azure (sha256:f382f0e9841c0f524cb883258bea35f4edfdbb2ab6b46efb8fcb3d97c1e1f6fa). Is there any ETA for PR to be merged?

Thanks a lot.

[davidkarlsen]

Also see flyway/flyway-docker#171

[ExtraClock]

Also refer to #4006 .

@piers-williams , you commented in the #3987 that it should be fixed in 11.1.1.

It is not fixed, please refer to the logs below - I tested it both with 11.1.1 and 11.2.0.

I guess that you don't have means to test it yourself and it might take us another dozen of attempts to make it work.

I'd be happy to contribute a PR (as I did initially), but you seem to have your internal requirements that this PR can't pass.
If you sched some light on the additional requirement that should be met for the PR to be accepted, I'd be happy to provide a well-tested fix.

A note about general approach. The way flyway is managing its dependencies is doomed to fail every now and then as Azure change their own dependencies. It's just a question of time. A general fix would be: either a) change the way the dependencies are managed (basically trust maven to put everything that's required without any additional filtering) or b) add MSI authentication case to the list of cases that you check automatically in your integration tests.

Here are the test logs:

11.1.1

PS Downloads\flyway-commandline-11.1.1-windows-x64\flyway-11.1.1> ./flyway.cmd '-url=jdbc:sqlserver://...:1433;databaseName=...;encrypt=false;trustServerCertificate=true;authentication=ActiveDirectoryManagedIdentity' '-user=...msi-guid...' info
WARNING: No locations configured and default location 'sql' not found.
A more recent version of Flyway is available. Find out more about Flyway 11.2.0 at https://rd.gt/3rXiSlV

Flyway OSS Edition 11.1.1 by Redgate

See release notes here: https://rd.gt/416ObMi
Exception in thread "main" java.lang.IllegalAccessError: failed to access class com.microsoft.aad.msal4j.ManagedIdentitySourceType from class com.azure.identity.ManagedIdentityCredential (com.microsoft.aad.msal4j.ManagedIdentitySourceType and com.azure.identity.ManagedIdentityCredential are in unnamed module of loader 'app')
        at com.azure.identity.ManagedIdentityCredential.getToken(ManagedIdentityCredential.java:204)
        at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.getManagedIdentityCredAuthToken(SQLServerSecurityUtility.java:381)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:6035)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5989)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5823)
        at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:322)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:130)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:42)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6881)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5428)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5360)
        at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7748)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4410)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3847)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3372)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3197)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1971)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnectionFromDriver(DriverDataSource.java:275)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnection(DriverDataSource.java:240)
        at org.flywaydb.core.internal.jdbc.JdbcUtils.openConnection(JdbcUtils.java:59)
        at org.flywaydb.core.internal.jdbc.JdbcConnectionFactory.<init>(JdbcConnectionFactory.java:76)
        at org.flywaydb.core.FlywayExecutor.execute(FlywayExecutor.java:137)
        at org.flywaydb.core.Flyway.info(Flyway.java:264)
        at org.flywaydb.commandline.Main.executeOperation(Main.java:328)
        at org.flywaydb.commandline.Main.executeFlyway(Main.java:207)
        at org.flywaydb.commandline.Main.main(Main.java:129)

11.2.0

PS Downloads\flyway-commandline-11.2.0-windows-x64\flyway-11.2.0> ./flyway.cmd '-url=jdbc:sqlserver://...:1433;databaseName=...;encrypt=false;trustServerCertificate=true;authentication=ActiveDirectoryManagedIdentity' '-user=...msi-guid...' info
WARNING: No locations configured and default location 'sql' not found.
Flyway OSS Edition 11.2.0 by Redgate

See release notes here: https://rd.gt/416ObMi
Exception in thread "main" java.lang.IllegalAccessError: failed to access class com.microsoft.aad.msal4j.ManagedIdentitySourceType from class com.azure.identity.ManagedIdentityCredential (com.microsoft.aad.msal4j.ManagedIdentitySourceType and com.azure.identity.ManagedIdentityCredential are in unnamed module of loader 'app')
        at com.azure.identity.ManagedIdentityCredential.getToken(ManagedIdentityCredential.java:204)
        at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.getManagedIdentityCredAuthToken(SQLServerSecurityUtility.java:381)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:6035)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:5989)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:5823)
        at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:322)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:130)
        at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:42)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6881)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5428)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5360)
        at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7748)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4410)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3847)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3372)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3197)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1971)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1263)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnectionFromDriver(DriverDataSource.java:275)
        at org.flywaydb.core.internal.jdbc.DriverDataSource.getConnection(DriverDataSource.java:240)
        at org.flywaydb.core.internal.jdbc.JdbcUtils.openConnection(JdbcUtils.java:59)
        at org.flywaydb.core.internal.jdbc.JdbcConnectionFactory.<init>(JdbcConnectionFactory.java:76)
        at org.flywaydb.core.FlywayExecutor.execute(FlywayExecutor.java:137)
        at org.flywaydb.core.Flyway.info(Flyway.java:264)
        at org.flywaydb.commandline.Main.executeOperation(Main.java:328)
        at org.flywaydb.commandline.Main.executeFlyway(Main.java:207)
        at org.flywaydb.commandline.Main.main(Main.java:129)