AuthV2 / EasyAuth - ignores `identityProviders` settings in API request
API Version: web/2021-02-01 (via azure-sdk-for-go v63.1.0)
Hi 👋
When sending an AuthV2 configuration via UpdateAuthSettingsV2, the identityProviders block is silently ignored (despite a 200 OK) and the response is returned empty for that block, resulting in the Site being enabled for v2 but no providers being configured. The same payload via the portal / ARM request works. However, the az-cli appears to be working around this issue with a raw ARM request here: https://github.com/Azure/azure-cli-extensions/blob/main/src/authV2/azext_authV2/custom.py#L53-L55
2022/05/03 07:04:03 [DEBUG] AzureRM Request:
PUT /subscriptions/REDACTED/resourceGroups/acctestRG-220503070247832236/providers/Microsoft.Web/sites/acctestLWA-220503070247832236/config/authsettingsV2?api-version=2021-02-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.18 (amd64-darwin) go-autorest/v14.2.1 Azure-SDK-For-Go/v63.1.0 web/2021-02-01 HashiCorp Terraform/1.1.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/acc pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 920
Content-Type: application/json; charset=utf-8
X-Ms-Authorization-Auxiliary:
X-Ms-Correlation-Request-Id: ad96c673-4285-900e-fc23-a4d733647877
Accept-Encoding: gzip
{"properties":{"platform":{"enabled":true,"runtimeVersion":"~1"},"globalValidation":{"requireAuthentication":true,"unauthenticatedClientAction":"Return401","redirectToProvider":"apple"},"identityProviders":{"apple":{"properties":{"enabled":true,"registration":{"clientId":"testAppleID","clientSecretSettingName":"APPLE_PROVIDER_AUTHENTICATION_SECRET"},"login":{}}},"azureActiveDirectory":{"enabled":true},"facebook":{"enabled":true},"gitHub":{"properties":{"enabled":true}},"google":{"properties":{"enabled":true}},"legacyMicrosoftAccount":{"properties":{"enabled":true}},"twitter":{"properties":{"enabled":true}}},"login":{"tokenStore":{"enabled":false,"tokenRefreshExtensionHours":72},"preserveUrlFragmentsForLogins":false,"cookieExpiration":{"convention":"FixedTime","timeToExpiration":"08:00:00"},"nonce":{"validateNonce":true,"nonceExpirationInterval":"00:05:00"}},"httpSettings":{"routes":{"apiPrefix":"/.auth"}}}}
2022/05/03 07:04:04 [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/REDACTED/resourceGroups/acctestRG-220503070247832236/providers/Microsoft.Web/sites/acctestLWA-220503070247832236/config/authsettingsV2?api-version=2021-02-01:
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 03 May 2022 06:04:04 GMT
Etag: "1D85EB39735B7EB"
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Aspnet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: ad96c673-4285-900e-fc23-a4d733647877
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1197
X-Ms-Request-Id: 0881c83c-714e-42a5-8f67-d5ed3e20684f
X-Ms-Routing-Request-Id: NORTHEUROPE:20220503T060404Z:938ce9dd-b2d5-49ed-84b5-920808f3a3e2
X-Powered-By: ASP.NET
{"id":"/subscriptions/REDACTED/resourceGroups/acctestRG-220503070247832236/providers/Microsoft.Web/sites/acctestLWA-220503070247832236/config/authsettingsV2","name":"authsettingsV2","type":"Microsoft.Web/sites/config","location":"West Europe","tags":{},"properties":{"platform":{"enabled":true,"runtimeVersion":"~1"},"globalValidation":{"requireAuthentication":true,"unauthenticatedClientAction":"Return401","redirectToProvider":"apple"},"identityProviders":{"azureActiveDirectory":{"enabled":true,"registration":{},"login":{"disableWWWAuthenticate":false},"validation":{"jwtClaimChecks":{},"defaultAuthorizationPolicy":{"allowedPrincipals":{}}}},"facebook":{"enabled":true,"registration":{},"login":{}},"gitHub":{"enabled":true,"registration":{},"login":{}},"google":{"enabled":true,"registration":{},"login":{},"validation":{}},"twitter":{"enabled":true,"registration":{}},"legacyMicrosoftAccount":{"enabled":true,"registration":{},"login":{},"validation":{}},"apple":{"enabled":true,"registration":{},"login":{}}},"login":{"routes":{},"tokenStore":{"enabled":false,"tokenRefreshExtensionHours":72.0,"fileSystem":{},"azureBlobStorage":{}},"preserveUrlFragmentsForLogins":false,"cookieExpiration":{"convention":"FixedTime","timeToExpiration":"08:00:00"},"nonce":{"validateNonce":true,"nonceExpirationInterval":"00:05:00"}},"httpSettings":{"requireHttps":true,"routes":{"apiPrefix":"/.auth"},"forwardProxy":{"convention":"NoProxy"}}}}
Additional Info:
The *_PROVIDER_AUTHENTICATION_SECRET App Settings are configured, and marked as "Sticky" prior to sending this request.
All property values used have been tested as working via the Portal.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.
Issue Details
| Author: | jackofallops |
|---|---|
| Assignees: | - |
| Labels: | |
| Milestone: | - |
ping @AzureAppServiceCLI, @antcp
Adding Service Team to look into this issue.
Hi @navba-MSFT is there any update from the service team?
@wuxu92 I see that the Service attention label has been added on this. I am tagging them again here to see if they can prioritize this.
@AzureAppServiceCLI @antcp Could you please look into this issue and provide an update ?
ping @navba-MSFT @AzureAppServiceCLI @antcp
Is there an update on this @navba-MSFT @AzureAppServiceCLI @antcp ?
ping @navba-MSFT , could you please ping the service team again?
ping @navba-MSFT Is there any update?
Hi @navba-MSFT still no update?
ping @navba-MSFT @antcp
Any update on this issue @navba-MSFT @AzureAppServiceCLI @antcp ?
Any update on this issue? @AzureRestAPISpecReview @antcp
@AzureAppServiceCLI @AzureRestAPISpecReview @antcp @navba-MSFT still no updates?
Hi @jackofallops, could you try running this command again to see if it's currently still not working? We tried reproducing the problem (with an app service with authentication enabled and apple identity provider set up) using the Azure SDK for Go and it seems to be updating the apple registration fields correctly.
Hi @annzho - I've tried a few times, and the same problem is still present: upon sending the Apple settings, the response to the PUT in AppsClient.UpdateAuthSettingsV2 is still empty, as in the sample PUT and response in the description above.
Hi @jackofallops, thanks for following up. We'd like to investigate further, would it be possible for you to follow the instructions below (Option 2) to create a new GUID so we can take a look in our logs? https://github.com/Azure/azure-functions-host/wiki/Sharing-Your-Function-App-name-privately
Hi @annzho - I can see that the structs for the auth blocks in the Go SDK are different in 2021-03-01, and it looks like these may be workable, so I'm going to try bumping the version in use and take another look. The problem is still present in 2021-02-01; this version simply does not work, I suspect due to a marshalling/unmarshalling issue because of the unexpected `properties` level, which is not present in the later versions.
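The practical lesson of the thread is that a 200 OK from `authsettingsV2` does not prove the providers were applied: the only evidence is whether the response echoes the `registration` that was sent. The following is an added example (not code from the thread, the Go SDK, or the Terraform provider) of a post-PUT check that diffs the request body against the response body and lists every provider whose registration was sent but came back empty. It accepts both the wrapped `properties` shape used by the 2021-02-01 structs and the flat 2021-03-01 shape, so the same check works on either client. The sample bodies are constructed to mirror the shapes in the logged PUT and response above; the `clientId` value is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// Constructed sample bodies (not copied from the thread's logs) that mirror the
// shapes shown there: the 2021-02-01 client wraps each provider in an extra
// "properties" object, and the service echoes a provider back with an empty
// "registration" when it did not apply it.
const SampleRequest = `{"properties":{"identityProviders":{
  "apple":{"properties":{"enabled":true,"registration":{"clientId":"testAppleID","clientSecretSettingName":"APPLE_PROVIDER_AUTHENTICATION_SECRET"},"login":{}}},
  "gitHub":{"properties":{"enabled":true}}}}}`

// Response in which the service dropped the Apple registration (the failure mode in the thread).
const SampleResponseIgnored = `{"properties":{"identityProviders":{
  "apple":{"enabled":true,"registration":{},"login":{}},
  "gitHub":{"enabled":true,"registration":{},"login":{}}}}}`

// Response in which the registration was applied and echoed back.
const SampleResponseApplied = `{"properties":{"identityProviders":{
  "apple":{"enabled":true,"registration":{"clientId":"testAppleID","clientSecretSettingName":"APPLE_PROVIDER_AUTHENTICATION_SECRET"},"login":{}},
  "gitHub":{"enabled":true,"registration":{},"login":{}}}}}`

// providerBlock models one identityProviders entry. Properties is only set when
// the client used the wrapped 2021-02-01 shape; the flat shape fills the
// top-level fields directly.
type providerBlock struct {
	Enabled      *bool                  `json:"enabled,omitempty"`
	Registration map[string]interface{} `json:"registration,omitempty"`
	Properties   *providerBlock         `json:"properties,omitempty"`
}

// flatten unwraps the nested "properties" level, if present, so that both
// wire shapes can be compared field by field.
func (p providerBlock) flatten() providerBlock {
	if p.Properties != nil {
		return p.Properties.flatten()
	}
	return p
}

type authSettingsV2 struct {
	Properties struct {
		IdentityProviders map[string]providerBlock `json:"identityProviders"`
	} `json:"properties"`
}

// DroppedRegistrations compares the identityProviders block of a PUT body with
// the body the service returned and reports, sorted by name, every provider
// whose registration was sent but is missing or different in the response.
// Providers sent without a registration (nothing to verify) are skipped.
func DroppedRegistrations(requestBody, responseBody []byte) ([]string, error) {
	var req, resp authSettingsV2
	if err := json.Unmarshal(requestBody, &req); err != nil {
		return nil, fmt.Errorf("request body: %w", err)
	}
	if err := json.Unmarshal(responseBody, &resp); err != nil {
		return nil, fmt.Errorf("response body: %w", err)
	}
	dropped := []string{}
	for name, sent := range req.Properties.IdentityProviders {
		want := sent.flatten().Registration
		if len(want) == 0 {
			continue
		}
		got := resp.Properties.IdentityProviders[name].flatten().Registration
		if len(got) == 0 {
			dropped = append(dropped, name)
			continue
		}
		for key, value := range want {
			if !reflect.DeepEqual(got[key], value) {
				dropped = append(dropped, name)
				break
			}
		}
	}
	sort.Strings(dropped)
	return dropped, nil
}

func main() {
	dropped, err := DroppedRegistrations([]byte(SampleRequest), []byte(SampleResponseIgnored))
	if err != nil {
		panic(err)
	}
	// Treat a non-empty list as a failed apply even though the HTTP status was 200.
	fmt.Println("providers whose registration was silently dropped:", dropped)
}
```

In a provider or deployment pipeline this check belongs right after the PUT (or after a follow-up GET of `config/authsettingsV2`), and a non-empty result should fail the apply rather than be logged and forgotten: with `requireAuthentication` set but no provider registered, the site is not in the state the operator believes it is in.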
Hi @jackofallops, sounds good, was going to suggest that too. Please update the thread once you've tried the new version out. Thanks!
Hi @jackofallops, any updates on using the new version?
Hi @jackofallops, any updates on using the new version?
Hi @annzho - Apologies for the delay in reply. I've successfully used the newer API version to implement support for AuthV2 in the AzureRM Terraform provider. This older version of the API spec should probably be fixed still though since it's non-workable as is?
Hi @jackofallops, thanks for updating! Great that the newer version works, we'll take updating the older version into consideration as well.
Hi @jackofallops, just wanted to confirm if there's anything else blocking you? Is the current state good to move forward with Terraform support for Auth V2?
Hi @annzho - As I mentioned previously, AuthV2 support has been added to terraform-provider-azurerm. There's a few teething troubles, but it is largely working now afaik.
Thanks.