Azure / app-service-announcements-discussions

Discussions for announcements from https://github.com/Azure/app-service-announcements/

[Discussion] App Service Authentication/Authorization Middleware Version 1.5.1 #305

Open heppersonmicrosoft opened 1 year ago

heppersonmicrosoft commented 1 year ago

Discussion issue for App Service Authentication/Authorization/CORS Middleware Version 1.5.1

bhaweshksingh commented 1 year ago

Facing issues in the middleware for azure app service.


2022-11-08T08:43:50.952470638Z fail: Microsoft.AspNetCore.Server.Kestrel[13]

2022-11-08T08:43:50.952591539Z       Connection id "0HMM1CLD8L0S4", Request id "0HMM1CLD8L0S4:00000002": An unhandled exception was thrown by the application.

2022-11-08T08:43:50.952599139Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.

2022-11-08T08:43:50.952603039Z    at System.Security.Cryptography.RSACng..ctor()

2022-11-08T08:43:50.952606639Z    at Microsoft.Azure.AppService.Middleware.JsonWebKey.GetSecurityKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/JsonWebKey.cs:line 100

2022-11-08T08:43:50.952610339Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.RefreshOpenIdConnectKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 80

2022-11-08T08:43:50.952614039Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.GetOpenIdConnectKeys(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 99

2022-11-08T08:43:50.952617639Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.GetTokenValidationParameters(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 476

2022-11-08T08:43:50.952621239Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.<TryAuthenticateRequest>b__32_0(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 416

2022-11-08T08:43:50.952626040Z    at Microsoft.Azure.AppService.Middleware.BearerTokenAuthenticationHelper.TryAuthenticateFromBearerToken(String siteName, HttpContextBase context, String headerName, String providerAlias, Boolean useLegacyClaims, Func`2 getTokenValidationParametersFunc, AuthenticatedPrincipal& user, Exception& tokenValidationException, Boolean clearDefaultClaimsMapping) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/BearerTokenAuthenticationHelper.cs:line 64

2022-11-08T08:43:50.952631840Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.TryAuthenticateRequest(HttpContextBase context, AuthenticatedPrincipal& user, Exception& tokenValidationException) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 410

2022-11-08T08:43:50.952636140Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.AuthenticateAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 874

2022-11-08T08:43:50.952639640Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.OnAuthenticateRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 274

2022-11-08T08:43:50.952643140Z    at Microsoft.Azure.AppService.Middleware.NetCore.AppServiceMiddleware.InvokeAsync(HttpContext context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.NetCore/AppServiceMiddleware.cs:line 112

2022-11-08T08:43:50.952654440Z    at Microsoft.Azure.AppService.MiddlewareShim.AutoHealing.AutoHealingMiddleware.Invoke(HttpContext context) in /EasyAuth/Middleware.Host/AutoHealing/AutoHealingMiddleware.cs:line 55

2022-11-08T08:43:50.952657940Z    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Since this is the latest release, could you help rectify it?

Env: Azure App Service running a Linux container on B1 plan

Application: Docker container running a linux executable

Authentication configured: Configured authentication via Azure ADB2C App registration

hugos99 commented 1 year ago

Hi, I am not facing issues on version 1.5.1; for me it's the last stable version. But I am facing major problems on version 1.6.2, which is the latest version that my apps are receiving, and it's causing the error that @bhaweshksingh is reporting.

Other users are facing this problem on Stack Overflow.

bhaweshksingh commented 1 year ago

@HugoS99 Looking at the Stack Overflow link, were you able to find any other workaround to downgrade to version 1.5.1 for the EasyAuth middleware in App Service?

Setting the "WEBSITE_CUSTOM_MIDDLEWARE_VERSION" environment variable to value "stage2" this changed the version of easyauth from 1.6.2 to 1.5.1

The above workaround doesn't work for me.

hugos99 commented 1 year ago

@bhaweshksingh No, I was unable to find another workaround. What that workaround was effectively doing was setting the version to 1.5.1 instead of 1.6.2, but that no longer works (most likely it worked because that old image was present on the VM, but it was eventually updated and the VM can't pull other versions).

rubicondimitri commented 1 year ago

Facing issues in the middleware for azure app service.


2022-11-08T08:43:50.952470638Z fail: Microsoft.AspNetCore.Server.Kestrel[13]

2022-11-08T08:43:50.952591539Z       Connection id "0HMM1CLD8L0S4", Request id "0HMM1CLD8L0S4:00000002": An unhandled exception was thrown by the application.

2022-11-08T08:43:50.952599139Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.

2022-11-08T08:43:50.952603039Z    at System.Security.Cryptography.RSACng..ctor()

2022-11-08T08:43:50.952606639Z    at Microsoft.Azure.AppService.Middleware.JsonWebKey.GetSecurityKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/JsonWebKey.cs:line 100

2022-11-08T08:43:50.952610339Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.RefreshOpenIdConnectKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 80

2022-11-08T08:43:50.952614039Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.GetOpenIdConnectKeys(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 99

2022-11-08T08:43:50.952617639Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.GetTokenValidationParameters(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 476

2022-11-08T08:43:50.952621239Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.<TryAuthenticateRequest>b__32_0(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 416

2022-11-08T08:43:50.952626040Z    at Microsoft.Azure.AppService.Middleware.BearerTokenAuthenticationHelper.TryAuthenticateFromBearerToken(String siteName, HttpContextBase context, String headerName, String providerAlias, Boolean useLegacyClaims, Func`2 getTokenValidationParametersFunc, AuthenticatedPrincipal& user, Exception& tokenValidationException, Boolean clearDefaultClaimsMapping) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/BearerTokenAuthenticationHelper.cs:line 64

2022-11-08T08:43:50.952631840Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.TryAuthenticateRequest(HttpContextBase context, AuthenticatedPrincipal& user, Exception& tokenValidationException) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 410

2022-11-08T08:43:50.952636140Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.AuthenticateAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 874

2022-11-08T08:43:50.952639640Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.OnAuthenticateRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 274

2022-11-08T08:43:50.952643140Z    at Microsoft.Azure.AppService.Middleware.NetCore.AppServiceMiddleware.InvokeAsync(HttpContext context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.NetCore/AppServiceMiddleware.cs:line 112

2022-11-08T08:43:50.952654440Z    at Microsoft.Azure.AppService.MiddlewareShim.AutoHealing.AutoHealingMiddleware.Invoke(HttpContext context) in /EasyAuth/Middleware.Host/AutoHealing/AutoHealingMiddleware.cs:line 55

2022-11-08T08:43:50.952657940Z    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

I have exactly the same setup:

Azure App Service running a Linux container on B1 plan

Application: Docker container running a linux executable

Authentication configured: Configured authentication via Azure ADB2C App registration

I tried it all:

Rebuild the app in another App Service plan: did not work

Downgrading the version of the middleware of App Service: did not work

Reconfigure the Auth part: did not work

I'm waiting for Microsoft support to analyze the issue that we have. They should come back to me today or tomorrow (I hope!!!). Our test environment is dead; hopefully the production environment is still working: call it luck!

lorenzodejong commented 1 year ago

We're running into the same issues. Around 6 hours ago our production environment was running into 500 errors from the EasyAuth authentication layer. Other environments were still running during that time; since 2 hours ago our test environment has also been affected. We were quite unlucky with the environment order in which the issues started occurring. I hope the best for you @rubicondimitri (however, prepare for the worst).

We tested the following as well:

These changes, including the suggestions mentioned above, did not change anything for our setup. We contacted Azure support as well and hope they resolve these issues quickly on their end, preferably using a rollback.

brad-dawson commented 1 year ago

Also running into this issue with an App Service hosted with Ubuntu latest using the easy auth with a custom OneLogin provider. Here is my trace:

2022-11-08T15:54:32.026117357Z fail: Microsoft.AspNetCore.Server.Kestrel[13]

2022-11-08T15:54:32.026164657Z       ... An unhandled exception was thrown by the application.

2022-11-08T15:54:32.032132517Z System.PlatformNotSupportedException: Windows Cryptography Next Generation (CNG) is not supported on this platform.

2022-11-08T15:54:32.033581131Z    at System.Security.Cryptography.RSACng..ctor()

2022-11-08T15:54:32.033592731Z    at Microsoft.Azure.AppService.Middleware.JsonWebKey.GetSecurityKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/JsonWebKey.cs:line 100

2022-11-08T15:54:32.033596931Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.RefreshOpenIdConnectKeys() in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 80

2022-11-08T15:54:32.033603431Z    at Microsoft.Azure.AppService.Middleware.Modules.OpenIdConnectConfig.GetOpenIdConnectKeys(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/Config/IdentityProviders/OpenIdConnectConfig.cs:line 99

2022-11-08T15:54:32.033619031Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.GetTokenValidationParameters(Boolean forceRefresh) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 476

2022-11-08T15:54:32.033624231Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.TryValidateIdToken(String idToken, HttpContextBase context, AuthenticatedPrincipal& user, Exception& tokenValidationException) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 430

2022-11-08T15:54:32.033628431Z    at Microsoft.Azure.AppService.Middleware.OpenIdConnectProvider.HandleServerDirectedLoginAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/OpenIdConnectProvider.cs:line 336

2022-11-08T15:54:32.033632031Z    at Microsoft.Azure.AppService.Middleware.IdentityProviderBase.OnCompleteServerDirectedLoginAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/IdentityProviderBase.cs:line 655

2022-11-08T15:54:32.033635732Z    at Microsoft.Azure.AppService.Middleware.IdentityProviderBase.TryHandleProtocolRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/IdentityProviders/IdentityProviderBase.cs:line 185

2022-11-08T15:54:32.033639332Z    at Microsoft.Azure.AppService.Middleware.EasyAuthModule.OnBeginRequestAsync(HttpContextBase context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.Modules/EasyAuthModule.cs:line 220

2022-11-08T15:54:32.033643132Z    at Microsoft.Azure.AppService.Middleware.NetCore.AppServiceMiddleware.InvokeAsync(HttpContext context) in /EasyAuth/Microsoft.Azure.AppService.Middleware.NetCore/AppServiceMiddleware.cs:line 102

2022-11-08T15:54:32.033646532Z    at Microsoft.Azure.AppService.MiddlewareShim.AutoHealing.AutoHealingMiddleware.Invoke(HttpContext context) in /EasyAuth/Middleware.Host/AutoHealing/AutoHealingMiddleware.cs:line 55

2022-11-08T15:54:32.033650332Z    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Edit: Was able to resolve after shutting down the app service, deleting all IDPs and disabling authentication. Re-set up authentication and IDPs and it's working again.

heppersonmicrosoft commented 1 year ago

The App Service Authentication/Authorization team has identified the bug in version 1.6.2 and has now reverted all Linux instances back to version 1.5.1. Please try restarting the app to pick up version 1.5.1.
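
The traces in this thread all fail in the `RSACng` constructor while the middleware builds signing keys from the identity provider's JSON Web Keys. The following is an added example, not code from the thread or from the App Service middleware: it shows a platform-neutral way to build an RSA verification key from a JWK's `n` and `e` members. The names `JwkRsa`, `FromB64Url`, `ToB64Url` and `PublicKeyFromJwk` are hypothetical, and the key and signed bytes are constructed locally for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class JwkRsa // hypothetical helper, not the middleware's JsonWebKey class
{
    // base64url (RFC 7515) to bytes: restore the standard alphabet and padding.
    public static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        if (s.Length % 4 == 1) throw new FormatException("invalid base64url length");
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    public static string ToB64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Build a verification key from the JWK "n" (modulus) and "e" (exponent).
    // RSA.Create() returns the platform's own implementation, so this works
    // on Linux containers as well as on Windows.
    public static RSA PublicKeyFromJwk(string n, string e)
    {
        RSA rsa = RSA.Create();
        try { rsa.ImportParameters(new RSAParameters { Modulus = FromB64Url(n), Exponent = FromB64Url(e) }); return rsa; }
        catch { rsa.Dispose(); throw; }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: a locally generated key stands in for a provider's JWKS entry.
        using RSA idp = RSA.Create(2048);
        RSAParameters pub = idp.ExportParameters(false);
        string n = JwkRsa.ToB64Url(pub.Modulus!), e = JwkRsa.ToB64Url(pub.Exponent!);
        byte[] signingInput = Encoding.ASCII.GetBytes("constructed-header.constructed-payload");
        byte[] sig = idp.SignData(signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using RSA key = JwkRsa.PublicKeyFromJwk(n, e);
        Console.WriteLine("RS256 verify via RSA.Create(): " +
            key.VerifyData(signingInput, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
        // The Windows-only type named in the traces; on Linux its constructor throws.
        try { using var cng = new RSACng(); Console.WriteLine("RSACng constructed (Windows host)"); }
        catch (PlatformNotSupportedException ex) { Console.WriteLine("RSACng: " + ex.Message); }
    }
}
```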