
[ERROR] () Authorization failed on application startup when using AZURE_USE_AUTHENTICATION=True

Open DSOTM-RSA opened this issue 1 year ago • 13 comments

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Manually set up the two App Registrations (Server and Client). Pass the values of the required environment variables to .env in the App Service. Additionally set the "prompt": "request" loginRequest property in authentication.py. Use azd deploy to push code changes to the service. Restart the web app.

Authentication ("Add Identity Provider") is not enabled, as I presume the two-app authentication solution supersedes this inbuilt App Service option.

```
AZURE_USE_AUTHENTICATION: true
AZURE_FORCE_ACCESS_CONTROL: false
AZURE_SERVER_APP_ID: Value from Server App Id
AZURE_SERVER_APP_SECRET: Value from Server App Secret
AZURE_CLIENT_APP_ID: Value from Client App Id
AZURE_AUTH_TENANT_ID: Tenant ID, same as AZURE_TENANT_ID
AZURE_TENANT_ID: Azure Tenant Id
```

Any log messages given by the failure

```
2024-03-12T11:08:47.539033986Z A P P S E R V I C E O N L I N U X
2024-03-12T11:08:47.539041887Z Documentation: http://aka.ms/webapp-linux
2024-03-12T11:08:47.539045987Z Python 3.11.7
2024-03-12T11:08:47.539049887Z Note: Any data outside '/home' is not persisted
2024-03-12T11:08:48.844062967Z Starting OpenBSD Secure Shell server: sshd.
2024-03-12T11:08:49.059191011Z Site's appCommandLine: python3 -m gunicorn main:app
2024-03-12T11:08:49.061913291Z Launching oryx with: create-script -appPath /home/site/wwwroot -output /opt/startup/startup.sh -virtualEnvName antenv -defaultApp /opt/defaultsite -userStartupCommand 'python3 -m gunicorn main:app'
2024-03-12T11:08:49.177712306Z Found build manifest file at '/home/site/wwwroot/oryx-manifest.toml'. Deserializing it...
2024-03-12T11:08:49.177826910Z Build Operation ID: 55780ade89b15f24
2024-03-12T11:08:49.186311960Z Output is compressed. Extracting it...
2024-03-12T11:08:49.186347761Z Oryx Version: 0.2.20240127.1, Commit: 4b7f2dffcc69c214f9806d67a85ec8926e2393e1, ReleaseTagName: 20240127.1
2024-03-12T11:08:49.214240984Z Extracting '/home/site/wwwroot/output.tar.gz' to directory '/tmp/8dc427754dc5c77'...
2024-03-12T11:09:16.075693702Z App path is set to '/tmp/8dc427754dc5c77'
2024-03-12T11:09:16.080167543Z Writing output script to '/opt/startup/startup.sh'
2024-03-12T11:09:16.232341951Z Using packages from virtual environment antenv located at /tmp/8dc427754dc5c77/antenv.
2024-03-12T11:09:16.232385052Z Updated PYTHONPATH to '/opt/startup/app_logs:/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages'
2024-03-12T11:09:17.709985685Z [2024-03-12 11:09:17 +0000] [70] [INFO] Starting gunicorn 21.2.0
2024-03-12T11:09:17.711870149Z [2024-03-12 11:09:17 +0000] [70] [INFO] Listening at: http://0.0.0.0:8000 (70)
2024-03-12T11:09:17.718468871Z [2024-03-12 11:09:17 +0000] [70] [INFO] Using worker: uvicorn.workers.UvicornWorker
2024-03-12T11:09:17.731471910Z [2024-03-12 11:09:17 +0000] [72] [INFO] Booting worker with pid: 72
2024-03-12T11:09:17.798010454Z [2024-03-12 11:09:17 +0000] [73] [INFO] Booting worker with pid: 73
2024-03-12T11:09:17.922319348Z [2024-03-12 11:09:17 +0000] [74] [INFO] Booting worker with pid: 74
2024-03-12T11:10:11.159352446Z [2024-03-12 11:10:11 +0000] [72] [INFO] Started server process [72]
2024-03-12T11:10:11.161102605Z [2024-03-12 11:10:11 +0000] [72] [INFO] Waiting for application startup.
2024-03-12T11:10:11.197762533Z [2024-03-12 11:10:11 +0000] [74] [INFO] Started server process [74]
2024-03-12T11:10:11.197828535Z [2024-03-12 11:10:11 +0000] [74] [INFO] Waiting for application startup.
2024-03-12T11:10:11.209201016Z [2024-03-12 11:10:11 +0000] [73] [INFO] Started server process [73]
2024-03-12T11:10:11.218005311Z [2024-03-12 11:10:11 +0000] [73] [INFO] Waiting for application startup.
2024-03-12T11:10:19.576461028Z [2024-03-12 11:10:19 +0000] [72] [ERROR] () Authorization failed.
2024-03-12T11:10:19.576508930Z Code:
2024-03-12T11:10:19.576516130Z Message: Authorization failed.
2024-03-12T11:10:19.585822232Z [2024-03-12 11:10:19 +0000] [72] [ERROR] Application startup failed. Exiting.
2024-03-12T11:10:19.604500939Z [2024-03-12 11:10:19 +0000] [73] [ERROR] () Authorization failed.
2024-03-12T11:10:19.604536440Z Code:
2024-03-12T11:10:19.604551740Z Message: Authorization failed.
2024-03-12T11:10:19.607009520Z [2024-03-12 11:10:19 +0000] [73] [ERROR] Application startup failed. Exiting.
2024-03-12T11:10:19.645547171Z [2024-03-12 11:10:19 +0000] [72] [INFO] Worker exiting (pid: 72)
2024-03-12T11:10:20.001624632Z [2024-03-12 11:10:19 +0000] [74] [ERROR] () Authorization failed.
2024-03-12T11:10:20.001657233Z Code:
2024-03-12T11:10:20.130909730Z Message: Authorization failed.
2024-03-12T11:10:20.130939331Z [2024-03-12 11:10:19 +0000] [74] [ERROR] Application startup failed. Exiting.
2024-03-12T11:10:20.130945331Z [2024-03-12 11:10:19 +0000] [73] [INFO] Worker exiting (pid: 73)
2024-03-12T11:10:20.130950031Z [2024-03-12 11:10:19 +0000] [74] [INFO] Worker exiting (pid: 74)
2024-03-12T11:10:34.165606784Z [2024-03-12 11:10:34 +0000] [70] [ERROR] Worker (pid:74) exited with code 3
2024-03-12T11:10:34.196832445Z [2024-03-12 11:10:34 +0000] [70] [ERROR] Worker (pid:72) exited with code 3
2024-03-12T11:10:34.196855546Z [2024-03-12 11:10:34 +0000] [70] [ERROR] Worker (pid:73) exited with code 3
2024-03-12T11:10:34.196861446Z object address : 0x74bb48d58280
2024-03-12T11:10:34.196866346Z object refcount : 2
2024-03-12T11:10:34.196870646Z object type : 0x6415322c4ed0
2024-03-12T11:10:34.196875047Z object type name: HaltServer
2024-03-12T11:10:34.224224676Z object repr : HaltServer('Worker failed to boot.', 3)
2024-03-12T11:10:34.224279178Z lost sys.stderr
```

Expected/desired behavior

After configuring the two App Registrations and setting all required environment variables to enable the Authentication functionality, the expected behaviour is to be able to start the application successfully in the App Service and be presented with a login screen. Optional Document Access Control is not configured/set.

OS and Version?

Windows 10, running in VSCode Container (Linux)

azd version?

azd version 1.6.1 (commit eba2c978b5443fdb002c95add4011d9e63c2e76f)

Versions

Azure Resource as standard, deployed from template. Public Network Access enabled with restrictions to allow certain IP addresses.

Mention any other details that might be useful

The app runs normally in the App Service when AZURE_USE_AUTHENTICATION: false. When I run it locally using the above adjusted configuration, I can build the app successfully and see the "Login" button on the Chat page and begin the authentication process.

DSOTM-RSA avatar Mar 12 '24 11:03 DSOTM-RSA

Can you check Azure Monitor to get a better traceback for that error?

https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/docs/appservice.md#checking-azure-monitor-for-errors

pamelafox avatar Mar 12 '24 11:03 pamelafox

The two failure events which seem to persist are: initially a GET ./auth/.refresh, and persistently over the last few attempts SearchIndexClient.get_index() --> GET /msi/token/ --> EXCEPTION HttpResponseError.

```
Traceback (most recent call last):
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/opentelemetry/trace/__init__.py", line 573, in use_span
    yield span
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 88, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/search/documents/indexes/aio/_search_index_client.py", line 147, in get_index
    result = await self._client.indexes.get(name, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 88, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/search/documents/indexes/_generated/aio/operations/_indexes_operations.py", line 658, in get
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.
Code:
Message: Authorization failed.
```

The Exception itself;

```
Traceback (most recent call last):
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/quart/app.py", line 1671, in startup
    await self.ensure_async(func)()
  File "/tmp/8dc427754dc5c77/app.py", line 291, in setup_clients
    search_index=(await search_index_client.get_index(AZURE_SEARCH_INDEX)) if AZURE_USE_AUTHENTICATION else None,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 88, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/search/documents/indexes/aio/_search_index_client.py", line 147, in get_index
    result = await self._client.indexes.get(name, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 88, in wrapper_use_tracer
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc427754dc5c77/antenv/lib/python3.11/site-packages/azure/search/documents/indexes/_generated/aio/operations/_indexes_operations.py", line 658, in get
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Authorization failed.
Code:
Message: Authorization failed.
```


I also see I have following (new?!) environment variable in the App Service Configuration, but it is unset (empty).

SEARCH_SECRET_NAME

AZURE_SEARCH_SERVICE and AZURE_SEARCH_INDEX are set appropriately.

DSOTM-RSA avatar Mar 12 '24 14:03 DSOTM-RSA

Okay, so there is an issue with your permissions for the search service for some reason. Can you follow the steps from this comment to inspect your roles? https://github.com/Azure-Samples/azure-search-openai-demo/issues/1398#issuecomment-1989190755

SEARCH_SECRET_NAME can be empty as long as the search roles are setup correctly, which they usually are.

pamelafox avatar Mar 12 '24 14:03 pamelafox

I unfortunately already have all of those permissions on my AI Search Service.

If I would like to pursue the Automatic Authentication/Login Setup as a workaround, do I need any further permissions than "Cloud Application Developer" as the docs suggest?

DSOTM-RSA avatar Mar 12 '24 15:03 DSOTM-RSA

Can you also check the roles for the app service app? Here's mine:

[screenshot of the App Service's role assignments]

cc @mattgotteiner as he may have a more immediate idea for the issue.

pamelafox avatar Mar 12 '24 17:03 pamelafox

@DSOTM-RSA It appears that you may be employing a manual process for generating App Registrations for Service and Client Authentication. This approach might lead to the error mentioned above. To mitigate this, I recommend executing azd up, verifying that you possess owner permissions for both the Service and Client App Registrations, and adding them to the .env file before running azd up.

vrajroutu avatar Mar 12 '24 17:03 vrajroutu

If it's only when you're running on the deployed app, I'm wondering if the app principal has the right roles on the search service. The Authorization failed error message stack trace you point out here (SearchIndexClient.get_index()) would require Search Reader role.

https://learn.microsoft.com/en-us/azure/search/search-security-rbac?tabs=config-svc-portal%2Croles-portal%2Ctest-portal%2Ccustom-role-portal%2Cdisable-keys-portal#built-in-roles-used-in-search

The purpose of this check is to validate your index has the ACL fields

mattgotteiner avatar Mar 13 '24 05:03 mattgotteiner
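The startup call discussed above (SearchIndexClient.get_index() run once at boot, and only when AZURE_USE_AUTHENTICATION is on) can be reproduced outside gunicorn so a 403 surfaces as a readable diagnosis rather than "Worker failed to boot". The script below is an added example for this thread, not code from azure-search-openai-demo. It assumes: the ACL field names it checks for (oids and groups) are the ones the demo's access-control filter expects; DefaultAzureCredential is an acceptable stand-in for the demo's own credential selection (it resolves to the managed identity on App Service and to the developer login locally); and the environment variable names AZURE_SEARCH_SERVICE and AZURE_SEARCH_INDEX, as used in the issue.

```python
"""Preflight for the startup search check that crashed the workers above.

Added example, not the demo's own code. Makes the same get_index() call
app.py makes during startup and turns the SDK error into a next action.
"""
import os
import sys

# Assumption: the field names the demo's document access-control filter expects.
ACL_FIELDS = ("oids", "groups")


def missing_acl_fields(field_names, required=ACL_FIELDS):
    """Return the required ACL fields absent from an index's field list.

    Field-name comparison is case-insensitive; the returned tuple preserves
    the order of `required` so output is stable.
    """
    present = {name.lower() for name in field_names}
    return tuple(f for f in required if f not in present)


def diagnose(status_code, message):
    """Map the SDK's HttpResponseError to the action a practitioner needs."""
    text = message or ""
    if status_code == 403 or "Authorization failed" in text:
        return ("forbidden: the identity authenticated but holds no role on the "
                "search service that allows reading the index definition; check "
                "the role assignments for the App Service's managed identity "
                "(or your local developer identity) on the search service")
    if status_code == 401:
        return ("unauthenticated: no usable token; on App Service confirm the "
                "system-assigned identity is enabled, locally confirm the login")
    if status_code == 404:
        return "index not found: AZURE_SEARCH_INDEX does not match an index name"
    return f"unexpected HTTP {status_code}: {text}"


def run_preflight(endpoint, index_name):
    """Call get_index() as the app does at startup; return (ok, detail)."""
    # Imported here so the pure helpers above are usable without the SDKs.
    from azure.core.exceptions import HttpResponseError
    from azure.identity import DefaultAzureCredential
    from azure.search.documents.indexes import SearchIndexClient

    client = SearchIndexClient(endpoint, DefaultAzureCredential())
    try:
        index = client.get_index(index_name)
    except HttpResponseError as exc:
        return False, diagnose(exc.status_code, exc.message)
    missing = missing_acl_fields(f.name for f in index.fields)
    if missing:
        return False, f"index '{index_name}' lacks ACL fields: {', '.join(missing)}"
    return True, f"index '{index_name}' readable and ACL fields present"


if __name__ == "__main__":
    service = os.environ["AZURE_SEARCH_SERVICE"]
    ok, detail = run_preflight(
        f"https://{service}.search.windows.net", os.environ["AZURE_SEARCH_INDEX"]
    )
    print(detail)
    sys.exit(0 if ok else 1)
```

Run it from the App Service SSH console (where the managed identity token is the one the app would use) and from the local checkout; if it succeeds locally but returns "forbidden" on App Service, the gap is a role assignment for the web app's identity rather than the app registrations.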

@pamelafox Thanks! This worked - we have the app service running again.

However, we are landing directly onto the app without the necessary routing onto the Login page using AZURE_USE_AUTHENTICATION=True and the "prompt": "request" loginRequest property in authentication.py both uncommented/commented. Is there anything I need to change in the backend/core code to get over this hump?

Other than that, the only thing I can think of is that perhaps azd up with the .env set to the existing app registrations, as @vrajroutu mentioned, may help?

DSOTM-RSA avatar Mar 13 '24 13:03 DSOTM-RSA

I tried an azd up with AZURE_USE_AUTHENTICATION=true, client and app ids/secrets set plus all the standard environment variables. I do have Owner permissions on both the registered applications. But I receive the following error:

```
AZURE_USE_AUTHENTICATION is set, proceeding with authentication setup...
Creating Python virtual environment "scripts/.venv"...
Installing dependencies from "requirements.txt" into virtual environment (in quiet mode)...
Setting up authentication...
Checking if application aa99a7bf-7d3e-47e2-bca9-243f3f9d9479 exists
Application already exists, not creating new one
Traceback (most recent call last):
  File "/workspaces/self-deploy/./scripts/auth_init.py", line 209, in <module>
    asyncio.run(main())
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/workspaces/self-deploy/./scripts/auth_init.py", line 184, in main
    server_object_id, server_app_id, _ = await create_or_update_application_with_secret(
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/self-deploy/./scripts/auth_init.py", line 64, in create_or_update_application_with_secret
    await update_application(auth_headers, object_id, app_payload)
  File "/workspaces/self-deploy/scripts/auth_common.py", line 32, in update_application
    raise Exception(response_json)
Exception: {'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2024-03-13T13:49:27', 'request-id': '282b17ea-001f-4705-a44d-d2536ce4c294', 'client-request-id': '282b17ea-001f-4705-a44d-d2536ce4c294'}}}

ERROR: failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1

ERROR: error executing step command 'provision': failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1
```

Could you advise here, @vrajroutu? As I am working in a client's Tenant (as a guest), I don't have absolute liberty to check all possible restrictions or policies that may override/block typical operations. Could you suggest some places which I could pass to the admin to check/set as needed?

Thank you

DSOTM-RSA avatar Mar 13 '24 14:03 DSOTM-RSA

I got that error once before as well, and I had to get the "Application administrator" role assigned to me: https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#cloud-application-administrator

pamelafox avatar Mar 13 '24 16:03 pamelafox
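The Authorization_RequestDenied above comes from the pre-provision hook PATCHing an existing application object through Microsoft Graph, which succeeds only if the caller owns that application or holds a directory role that can manage applications. The script below is an added example for this thread, not code from azure-search-openai-demo or its auth_init.py: it answers, before azd up is run, the question the reporter had to escalate to a tenant admin. Assumptions: the Graph v1.0 endpoints used (/me, /me/memberOf cast to directoryRole, /applications, /applications/{id}/owners); the directory role names treated as sufficient (Application Administrator, Cloud Application Administrator, Global Administrator; a custom role could also grant the right, and is not detected here); and that the azd login token (AzureDeveloperCliCredential) carries enough Graph consent to read these objects, as it must for the hook itself to work.

```python
"""Can the signed-in azd user update the app registrations named in .env?

Added example, not the demo's own code. Pure decision logic is separated
from the Graph calls so it can be exercised without a tenant.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumption: built-in directory roles whose holders may update any application.
APP_ADMIN_ROLES = {
    "Application Administrator",
    "Cloud Application Administrator",
    "Global Administrator",
}


def summarize_access(me, role_names, owner_ids):
    """Decide whether `me` can PATCH an application owned by `owner_ids`.

    me: dict with 'id' and 'userType' ('Member' or 'Guest') as Graph returns.
    Returns (allowed, reason); the reason is what to hand to the admin.
    """
    if me["id"] in set(owner_ids):
        return True, "caller is an owner of the application"
    held = APP_ADMIN_ROLES & set(role_names)
    if held:
        return True, f"caller holds {sorted(held)[0]}"
    if me.get("userType") == "Guest":
        return False, ("guest user: not an owner and no application-admin role; "
                       "default guest permissions also restrict directory reads, "
                       "so ask the admin for ownership or member status")
    return False, "member user without ownership or an application-admin role"


def _get(token, path):
    """GET a Graph path with a bearer token and return the parsed JSON."""
    req = urllib.request.Request(f"{GRAPH}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_app(token, app_id):
    """Resolve an appId to its application object and summarize access to it."""
    me = _get(token, "/me?$select=id,userPrincipalName,userType")
    roles = _get(token, "/me/memberOf/microsoft.graph.directoryRole?$select=displayName")
    flt = urllib.parse.quote(f"appId eq '{app_id}'")
    apps = _get(token, f"/applications?$filter={flt}&$select=id")["value"]
    if not apps:
        return False, f"no application with appId {app_id} is visible to the caller"
    owners = _get(token, f"/applications/{apps[0]['id']}/owners?$select=id")["value"]
    return summarize_access(me,
                            [r["displayName"] for r in roles["value"]],
                            [o["id"] for o in owners])


if __name__ == "__main__":
    # Same login the azd pre-provision hook relies on.
    from azure.identity import AzureDeveloperCliCredential
    token = AzureDeveloperCliCredential().get_token(
        "https://graph.microsoft.com/.default").token
    for var in ("AZURE_SERVER_APP_ID", "AZURE_CLIENT_APP_ID"):
        ok, why = check_app(token, os.environ[var])
        print(f"{var}: {'ok' if ok else 'BLOCKED'} - {why}")
```

A "no application ... is visible" result for an appId you know exists is itself diagnostic: it means the caller cannot even read the object, which for a guest usually points at restricted default guest permissions rather than at the role assignment.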

I'm afraid that additional permission hasn't helped either. We will be reaching out to MSFT technical support. I'll update here should the core issue eventually be diagnosed.

DSOTM-RSA avatar Mar 14 '24 09:03 DSOTM-RSA

@vrajroutu and @pamelafox

Being added as a member in the Tenant and initiating a completely fresh deployment of the application registrations (not referencing the existing ones) via azd up solved it. Thanks

DSOTM-RSA avatar Mar 15 '24 09:03 DSOTM-RSA

Resolved.

DSOTM-RSA avatar Sep 09 '24 11:09 DSOTM-RSA