Azure / azure-functions-signalrservice-extension

Azure Functions bindings for SignalR Service. Project moved to https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService .
MIT License

Managed identity upstream issues #294

Open cwatson-sidub opened 1 month ago

cwatson-sidub commented 1 month ago

Might not be the right spot, but this is the closest I could find.

I have a fully functioning serverless SignalR / Azure Function (isolated) chatroom sample set up when I use the Azure key approach (i.e., in upstream settings, I use the suffix /runtime/webhooks/signalr?code=).

However, when I enable managed identity for upstream authorization, I consistently receive 403 errors when the SignalR service is reaching out to the function app's "/runtime/webhooks/signalr" path. I've read all available documentation online.

It seems the code / logic under this path is very hard to find / troubleshoot...

Y-Sindo commented 1 month ago

Hi, I believe the Azure Functions Team might have more expertise on this. Could you provide the repro steps for your issue, especially on how your function app is configured?

cwatson-sidub commented 1 month ago

I'll do that - I was trying to find the code that introduces the /runtime/webhooks/signalr path, so I might analyze it / try and figure things out. I figured that it was part of this repository but couldn't find it.

Regarding reproduction - if you deploy any serverless SignalR / isolated function sample, confirm it functions using the "runtime/webhooks/signalr?code=" approach. Once that is functional, follow the steps here (https://learn.microsoft.com/en-us/azure/azure-signalr/howto-use-managed-identity#enable-managed-identity-authentication-in-upstream-settings) to enable managed identity for upstream communication.

For testing, I've placed an API management layer between my SignalR and function app for upstream communications; this has allowed me to retrieve much greater detail in terms of the actual requests going through and I'm able to log the request / response and the authentication header value. Using this value, I've confirmed that the token works successfully when hitting my "HealthCheck" function endpoint (i.e., "/api/HealthCheck") however the token does not work when trying to access the SignalR webhook endpoint "/runtime/webhooks/signalr" and a 403 forbidden error is thrown.

Update - I've submitted a report here as well https://github.com/Azure/Azure-Functions/issues/2531.
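The comment above describes capturing the upstream request at an API Management layer and reading the Authorization header value. The following added helper (not part of this repository or of the reporter's setup) shows how a defender can inspect such a captured bearer token when diagnosing a 403: it decodes the JWT header and payload without verifying the signature (inspection only, never an access decision) and reports the issuer, audience, calling application id and expiry, then checks whether the audience matches the resource the receiving endpoint expects. The sample token, its claim values (`api://EXAMPLE-FUNCTION-APP-ID`, the tenant and app id placeholders) and the expected audience are all constructed placeholders, not values from the page or from Azure; substitute the audience your function app is actually configured to accept.

```python
"""Inspect a captured upstream bearer token: header/payload only, no signature check.

Added diagnostic helper, not project code. All sample values below are constructed
placeholders and do not represent any real tenant, application or token.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    The signature is deliberately NOT verified: this reads what the caller presented
    so the claims can be compared with the receiver's configuration. It must never
    be used to decide whether to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def inspect_bearer(authorization_header: str, expected_audience: str, now=None) -> dict:
    """Summarise an 'Authorization: Bearer <jwt>' header value for troubleshooting.

    expected_audience is the resource identifier the receiving endpoint accepts
    (an assumption supplied by the operator, not derived from the token).
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("Authorization header is not a Bearer token")
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    exp = claims.get("exp")
    return {
        "issuer": claims.get("iss"),
        "audience": aud,
        # v1 tokens carry the caller in 'appid', v2 tokens in 'azp'.
        "app_id": claims.get("appid") or claims.get("azp"),
        "expires_at": exp,
        "audience_matches": expected_audience in audiences,
        "expired": exp is not None and exp <= now,
    }


# Constructed sample token (placeholder claims, unsigned) so the helper runs offline.
_FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z
SAMPLE_CLAIMS = {
    "aud": "api://EXAMPLE-FUNCTION-APP-ID",
    "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0",
    "appid": "EXAMPLE-SIGNALR-MANAGED-IDENTITY-APPID",
    "iat": _FAR_FUTURE - 3600,
    "exp": _FAR_FUTURE,
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    # Typical use: paste the captured header value and the audience you expect.
    report = inspect_bearer("Bearer " + SAMPLE_TOKEN, "api://EXAMPLE-FUNCTION-APP-ID")
    print(json.dumps(report, indent=2))
```

When the same token is accepted by one endpoint and rejected by another on the same host, the two fields worth comparing first are `audience_matches` (does the token's `aud` equal what each endpoint is configured to accept) and `app_id` (is the calling identity the one that was granted access); a mismatch on either is a configuration difference between the endpoints, not a token problem.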