Problem
DurableTaskAzureManagedConnectionString.getAdditionallyAllowedTenants() in packages/durabletask-js-azuremanaged/src/connection-string.ts (line 54) splits the comma-separated tenant ID string using value.split(",") without trimming whitespace from individual entries.
When a connection string contains spaces around tenant IDs — a common formatting pattern — the resulting array contains entries with leading/trailing whitespace (e.g., [" tenant2 "]). These untrimmed values are passed directly to WorkloadIdentityCredential in credential-factory.ts (lines 45–51), causing Azure Identity authentication failures.
Additionally, trailing commas (e.g., tenant1,tenant2,) produce empty string entries in the array.
Root Cause
The split(",") call on line 54 does not normalize individual entries. While the parseConnectionString() method (lines 109–110) trims keys and values at the pair level, the comma-separated sub-values within AdditionallyAllowedTenants are not processed.
Proposed Fix
Add .map(t => t.trim()).filter(t => t !== "") after the split(",") call to:
- Trim whitespace from each tenant ID
- Filter out empty entries from trailing commas
Impact
Severity: Medium — causes silent authentication failures in Workload Identity scenarios.
Affected scenarios: Any user specifying AdditionallyAllowedTenants in a connection string with spaces after commas (e.g., AdditionallyAllowedTenants=tenant1, tenant2, tenant3). This is a natural formatting pattern that works in many similar SDKs but fails silently here.
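The failure and the proposed normalization, as an added TypeScript example that is not the durabletask-js source: the function names and the sample connection string are constructed for illustration, and parsePairs() only mimics the pair-level trimming described under Root Cause.

```typescript
// Added illustration, not code from durabletask-js. All names are hypothetical.

// Pair-level parsing as the issue describes it: each key and each value is
// trimmed as a whole, but the inside of a value is left untouched.
function parsePairs(connectionString: string): Map<string, string> {
  const pairs = new Map<string, string>();
  for (const segment of connectionString.split(";")) {
    const eq = segment.indexOf("=");
    if (eq === -1) continue; // skip empty or malformed segments
    pairs.set(segment.slice(0, eq).trim(), segment.slice(eq + 1).trim());
  }
  return pairs;
}

// Behaviour described under "Problem": split on commas and nothing else.
function tenantsSplitOnly(value: string | undefined): string[] {
  if (!value) return [];
  return value.split(",");
}

// Behaviour of the proposed fix: trim every entry, then drop empty ones.
function tenantsNormalized(value: string | undefined): string[] {
  if (!value) return [];
  return value
    .split(",")
    .map((t) => t.trim())
    .filter((t) => t !== "");
}

// Constructed sample: spaces around entries plus a trailing comma.
const SAMPLE =
  "Endpoint=https://example.invalid; AdditionallyAllowedTenants = tenant1, tenant2 ,tenant3,";

function demo(): { before: string[]; after: string[] } {
  const raw = parsePairs(SAMPLE).get("AdditionallyAllowedTenants");
  return { before: tenantsSplitOnly(raw), after: tenantsNormalized(raw) };
}

// JSON output makes the stray whitespace and the empty entry visible.
console.log(JSON.stringify(demo()));
```

Pair-level trimming removes the spaces around the key and around the value as a whole, so only the whitespace between entries and the trailing comma survive into the split.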