Tracker script's omit credentials does not work with Microsoft Entra application proxy authentication
Describe the Bug
https://github.com/umami-software/umami/pull/3176 added credentials: omit at https://github.com/umami-software/umami/pull/3176/files#diff-d8bd372df1c0eb7de6e935b8ad4012a040200d2aa1ae9819719fc6cdeadc4d88R217
However, this clashes with MS Entra application proxy, where cookies whose names start with AzureAppProxy* are essential.
What happened
- Client sends umami request to some predefined umami server (without additional auth) without credentials
- Microsoft Entra application proxy (infrastructure outside of our application's control) detects missing AzureAppProxyPreauthSessionCookie_<guid>_1.4 from request cookie, redirects request to https://login.microsoftonline.com/xxx intending for user to login to MS account on client browser before redirecting back to app.
- Request fails due to CORS. https://login.microsoftonline.com would not have had our application's host listed under Access-Control-Allow-Origin
What we've tried
Overriding the tracker script.js in Inspect Element to use credentials: 'include' fixes the issue. The reason is that MS Entra app proxy is able to identify the user and the client is never redirected to another external URL.
Basic MS Entra App Proxy flowchart
User visits https://myapp.com/ <-------------- Redirects user back to original application url
      |                                                          ^
      |                                        [user logs in to Microsoft account]
      v                                                          |
MS Entra App Proxy ---[MS auth cookie missing]---> redirects user to Microsoft Online login url
      |
[MS auth cookie exists]
      v
Our application server for further handling
Database
PostgreSQL
Relevant log output
Which Umami version are you using? (if relevant)
2.18.1
Which browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
K8S behind MS Entra Application Proxy
We can probably add a tracker configuration for this.
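The following is an added illustration, not code from the issue, Umami or Microsoft: a simplified model of the request flow described above, showing why `credentials: 'omit'` ends in a CORS failure behind the proxy and what the analytics server must return if a cross-origin tracker is switched to `'include'`. All function and field names are hypothetical, and the model ignores SameSite and third-party cookie policies.

```javascript
// Simplified model of the flow in this issue (not Umami or Entra code).
const PREAUTH_PREFIX = 'AzureAppProxy'; // cookie name prefix from the issue
const LOGIN_ORIGIN = 'https://login.microsoftonline.com';

// Cookies the browser attaches for a given fetch() credentials mode.
function attachedCookies(mode, pageOrigin, targetOrigin, jar) {
  const sameOrigin = pageOrigin === targetOrigin;
  if (mode === 'include' || (mode === 'same-origin' && sameOrigin)) return jar;
  return {}; // 'omit' never sends cookies
}

// CORS check the browser applies to a cross-origin response.
function corsAllows(mode, pageOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  if (mode === 'include') {
    // Credentialed requests need an exact origin (no '*') plus Allow-Credentials.
    return acao === pageOrigin && headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// One tracker request through the proxy. `collectHeaders` are the response
// headers a (constructed) analytics server would return.
function sendThroughProxy({ mode, pageOrigin, collectOrigin, jar, collectHeaders }) {
  const cookies = attachedCookies(mode, pageOrigin, collectOrigin, jar);
  const preauthed = Object.keys(cookies).some((n) => n.startsWith(PREAUTH_PREFIX));
  if (!preauthed) {
    // Proxy redirects to the login origin, which sends no CORS headers for our page,
    // so the fetch() promise rejects and the event never reaches the analytics server.
    return { finalOrigin: LOGIN_ORIGIN, fetchResolves: false, reason: 'cors-after-login-redirect' };
  }
  if (pageOrigin !== collectOrigin && !corsAllows(mode, pageOrigin, collectHeaders)) {
    return { finalOrigin: collectOrigin, fetchResolves: false, reason: 'cors-on-collect' };
  }
  return { finalOrigin: collectOrigin, fetchResolves: true, reason: 'ok' };
}
```

When the tracker and the analytics endpoint share an origin, `'same-origin'` is enough to carry the proxy cookie and avoids sending credentials to any other origin.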