Azure / app-service-announcements-discussions

Discussions for announcements from https://github.com/Azure/app-service-announcements/
MIT License

[Discussion] App Service Authentication/Authorization Middleware Version 1.4.13 #255

Open annzho opened 2 years ago

annzho commented 2 years ago

Discussion issue for App Service Authentication/Authorization Middleware Version 1.4.13

fowl2 commented 2 years ago

> 404 Not Found option for unauthenticated requests: default behavior for unauthenticated requests now includes returning HTTP 404, which can be set on the portal or through ARM templates

What's the motivation behind this? Shouldn't these return 401?

Hamster-Huey commented 2 years ago

> > 404 Not Found option for unauthenticated requests: default behavior for unauthenticated requests now includes returning HTTP 404, which can be set on the portal or through ARM templates
> 
> What's the motivation behind this? Shouldn't these return 401?

UnauthenticatedClientAction is an enum config that allows customers using this feature to choose how they want their app to respond to unauthenticated requests.

The default value is a 302 Redirect, which will redirect the client to the login url to prompt interactive login with their configured auth provider.

We already provide 401 as an option, more commonly used for API applications that primarily use bearer token auth.

We added 404 as another option, as it is an unauthenticated behavior adopted by some services in order to protect information from leaking. In reality, this behavior was already implemented, but as alluded to in the "Bug Fixes" section, setting "Return 403" would actually result in Return404 (there was a discrepancy in the UX vs implementation). 1.4.13 fixes this so that Return 403 actually returns 403, while adding Return404 as originally intended.
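To show where this enum lives when the setting is made "through ARM templates", here is an added example (not code from this thread or from the App Service team) of an `authsettingsV2` resource in Bicep, which compiles to an ARM template. The site name, client ID and tenant ID are placeholder parameters, and the exact spelling of the enum values (`RedirectToLoginPage`, `AllowAnonymous`, `Return401`, `Return403`, `Return404`) is taken from the authsettingsV2 schema as I know it and should be checked against the current API reference.

```bicep
// Added example, not part of the original discussion.
// Configures App Service Authentication (authsettingsV2) so that
// unauthenticated requests get the response chosen in unauthenticatedClientAction.
param siteName string          // placeholder: name of an existing App Service app
param aadClientId string       // placeholder: app registration client ID
param tenantId string          // placeholder: Entra ID tenant ID

resource site 'Microsoft.Web/sites@2022-03-01' existing = {
  name: siteName
}

resource authSettings 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: site
  name: 'authsettingsV2'
  properties: {
    platform: {
      enabled: true
    }
    globalValidation: {
      // Require every request to carry a valid identity.
      requireAuthentication: true
      // What to do when it does not. Values as described in the thread:
      //   RedirectToLoginPage -> 302 to the provider login page (the default)
      //   Return401           -> typical for bearer-token APIs
      //   Return403           -> forbidden (returned 404 before 1.4.13)
      //   Return404           -> hides that the app exists at all
      //   AllowAnonymous      -> no enforcement; the app must check identity itself
      unauthenticatedClientAction: 'Return404'
    }
    identityProviders: {
      azureActiveDirectory: {
        enabled: true
        registration: {
          clientId: aadClientId
          openIdIssuer: 'https://login.microsoftonline.com/${tenantId}/v2.0'
        }
      }
    }
  }
}
```

After deploying, send one request to the app without a token or cookie and confirm the status code matches the value you set; given the pre-1.4.13 discrepancy the thread describes, that single check is the quickest way to confirm the middleware version in front of the app enforces what the template says.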