
Bug: AzureRedisPasswordlessProperties uses invalid wildcard scope for AZURE_CHINA, causing ManagedIdentityCredential failure #48680

@0x9bb1

Description


Bug Report

Library

spring-cloud-azure-starter-data-redis-lettuce version 7.0.0

Environment

  • Spring Boot: 4.0.4
  • Spring Cloud Azure: 7.0.0
  • Deployment: AKS (Azure China), Workload Identity / Managed Identity
  • Azure Cache for Redis (China, TLS port 6380, Entra ID passwordless auth)

Problem

In AzureRedisPasswordlessProperties, the China-specific Redis token scope is defined as:

private static final String REDIS_SCOPE_AZURE_CHINA =
    "https://*.cacheinfra.windows.net.china:10225/appid/.default";

This scope contains a literal * wildcard with no runtime substitution logic. When cloud-type: AZURE_CHINA is configured, getDefaultScopes() returns this wildcard string directly and passes it to IMDS as the resource parameter. IMDS cannot process a wildcard URI and returns an error, which the Azure Identity SDK surfaces as:

com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.

Root Cause

getDefaultScopes() has no substitution logic for the *:

private String getDefaultScopes() {
    return REDIS_SCOPE_MAP.getOrDefault(getProfile().getCloudType(), REDIS_SCOPE_AZURE);
}

The wildcard is returned as-is. Compare with MySQL passwordless which uses a fully-qualified scope (https://ossrdbms-aad.database.chinacloudapi.cn) — MySQL auth succeeds on the same pod with the same identity.

Impact

Azure Cache for Redis passwordless authentication is completely broken for AZURE_CHINA when using the default scope. The error message ("Managed Identity not available") is misleading and points away from the real cause.

Workaround

Explicitly override the scope via configuration:

spring:
  data:
    redis:
      azure:
        scopes: "https://redis.azure.com/.default"

Per Azure infrastructure team, the correct scope for Azure China Redis is https://redis.azure.com/.default (same as global Azure), not the cacheinfra.windows.net.china format.

Expected Behavior

Either:

  1. REDIS_SCOPE_AZURE_CHINA should be corrected to https://redis.azure.com/.default, or
  2. The * wildcard should be replaced at runtime using the configured Redis hostname (spring.data.redis.host)
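
As an added illustration of option 2 (hypothetical code, not the starter's own): a resolver that fills the wildcard from spring.data.redis.host and refuses to hand an unresolved wildcard to IMDS, so a bad scope surfaces as a clear configuration error instead of the misleading CredentialUnavailableException. It assumes the cache name is the first DNS label of the host, and an explicit spring.data.redis.azure.scopes value (the workaround above) still takes precedence.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;

// Hypothetical resolver (not the starter's own code): option 2 from "Expected Behavior".
public final class RedisScopeResolver {
    // Scope constants as quoted in the issue.
    static final String REDIS_SCOPE_AZURE = "https://redis.azure.com/.default";
    static final String REDIS_SCOPE_AZURE_CHINA =
        "https://*.cacheinfra.windows.net.china:10225/appid/.default";
    static final Map<String, String> REDIS_SCOPE_MAP =
        Map.of("AZURE", REDIS_SCOPE_AZURE, "AZURE_CHINA", REDIS_SCOPE_AZURE_CHINA);

    /** Returns the scope to request from IMDS. An explicit spring.data.redis.azure.scopes
     *  value wins (the workaround); otherwise the wildcard is filled from the first DNS
     *  label of spring.data.redis.host (assumption: that label is the cache name). */
    public static String resolve(String cloudType, String explicitScope, String redisHost) {
        String scope = (explicitScope != null && !explicitScope.isBlank())
            ? explicitScope : REDIS_SCOPE_MAP.getOrDefault(cloudType, REDIS_SCOPE_AZURE);
        if (scope.contains("*")) {
            if (redisHost == null || redisHost.isBlank()) {
                throw new IllegalStateException("Scope " + scope
                    + " contains a wildcard but spring.data.redis.host is not set");
            }
            scope = scope.replace("*", redisHost.split("\\.", 2)[0]);
        }
        return validated(scope);
    }

    /** Fails fast on a scope IMDS would reject, so the real cause shows up in the log
     *  instead of the generic "Managed Identity authentication is not available". */
    static String validated(String scope) {
        try {
            URI uri = new URI(scope);
            if (scope.contains("*") || uri.getHost() == null || !"https".equals(uri.getScheme())) {
                throw new IllegalStateException("Invalid token scope for IMDS: " + scope);
            }
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Invalid token scope for IMDS: " + scope, e);
        }
        return scope;
    }

    public static void main(String[] args) {
        // Constructed sample host, not a real cache.
        String host = "contoso-cache.redis.cache.chinacloudapi.cn";
        System.out.println(resolve("AZURE_CHINA", null, host));
        System.out.println(resolve("AZURE_CHINA", "https://redis.azure.com/.default", host));
    }
}
```

Calling resolve("AZURE_CHINA", null, null) throws immediately, which is the point: the misconfiguration is reported before any IMDS request is made.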

Reproduction

Configure a Spring Boot 4.x app with:

spring:
  cloud:
    azure:
      profile:
        cloud-type: AZURE_CHINA
  data:
    redis:
      azure:
        passwordless-enabled: true

Deploy to AKS (Azure China) with Managed Identity — Redis connection will fail with CredentialUnavailableException.

Labels

  • Client: This issue points to a problem in the data-plane of the library.
  • azure-spring: All azure-spring related issues
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Status

Blocked
