Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Adding custom identity provider breaks auth with app deployed from Azure Devops #759

Closed remirobichet closed 2 years ago

remirobichet commented 2 years ago

Describe the bug

Adding a custom identity provider breaks the whole auth system (all /.auth/* endpoints seem broken). I don't know what causes this bug. Maybe deploying a custom identity provider with Azure DevOps is broken? Or I misunderstand something in the config file?

To Reproduce

First, I've implemented a basic SWA with pre-configured providers, deployment OK and app OK. Here was my staticwebapp.config.json:

{
    "routes": [
        {
            "route": "/api/*",
            "allowedRoles": [
                "authenticated"
            ]
        }
    ],
    "navigationFallback": {
        "rewrite": "index.html",
        "exclude": ["/images/*.{png,jpg,gif}", "/css/*"]
    }
}

Then I've tried to add a custom identity provider (Google in my case), deployment still OK but all /.auth/* endpoints went KO (even /.auth/me). Here is the new staticwebapp.config.json:

{
    "routes": [
        {
            "route": "/about",
            "allowedRoles": [
                "authenticated"
            ]
        },
        {
            "route": "/api/*",
            "allowedRoles": [
                "authenticated"
            ]
        }
    ],
    "navigationFallback": {
        "rewrite": "index.html",
        "exclude": ["/images/*.{png,jpg,gif}", "/css/*"]
    },
    "auth": {
        "identityProviders": {
            "google": {
                "registration": {
                    "clientIdSettingName": "MY_CLIENT_ID",
                    "clientSecretSettingName": "MY_SECRET_ID"
                }
            }
        }
    }
}

Additional context

I'm using Vue.js as the frontend framework. I'm deploying using Azure DevOps (I followed this tutorial: https://docs.microsoft.com/en-us/azure/static-web-apps/publish-devops). My static web app has been created with the Standard hosting plan.

remirobichet commented 2 years ago

I tried to deploy the exact same app with GitHub Actions (following this tutorial: https://docs.microsoft.com/fr-fr/azure/static-web-apps/getting-started?tabs=vue). Turns out deployment is OK and /.auth/* endpoints too 🤨

With further search, I tried to compare the pipelines from GitHub and Azure DevOps. I initially thought it was coming from the Node.js version detected by the Oryx build, AD = 12.xx and GH = 14.xx; I added the engine specification in package.json but it didn't do anything on the app.

"engines" : { 
    "node" : "14.x" 
  }

I'm still investigating.

remirobichet commented 2 years ago

I've managed to partially fix the issue by replacing the registration secrets (I had written the values of the keys directly in staticwebapp.config.json instead of using the environment variables 😵). At this point both apps work (deployed from GH and from AD), but there is still a problem with auth. On the app deployed with AD, connection with other providers is broken, while in the app deployed with GH they are available.

I switched my testing repository to public --> https://github.com/remirobichet/swa-edtake It contains both pipelines, for AD and GH.

Here are the links to deployed apps :

The issue is not blocking me atm but maybe you can take a look at the difference between the AzureStaticWebApp@0 task from AD and Azure/static-web-apps-deploy@v1 from GH?
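
Added example, not part of the thread and not code from the Static Web Apps project: a pre-deployment check for the mistake described in the comment above, where credential values were written into the `clientIdSettingName` / `clientSecretSettingName` fields of staticwebapp.config.json instead of app setting names. The allowed character set for setting names and the `configured_settings` input (the names actually defined for the app) are assumptions, and the sample values are constructed.

```python
import json
import re

# Assumption: app setting names use only letters, digits, underscores and periods.
SETTING_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def find_setting_refs(node, path=""):
    """Yield (json_path, value) for every string field whose key ends in 'SettingName'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.endswith("SettingName") and isinstance(value, str):
                yield child, value
            else:
                yield from find_setting_refs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_setting_refs(item, f"{path}[{i}]")


def lint_auth_settings(config_text, configured_settings):
    """Return findings for the 'auth' block of a staticwebapp.config.json."""
    config = json.loads(config_text)
    findings = []
    for path, value in find_setting_refs(config.get("auth", {}), "auth"):
        if not SETTING_NAME.match(value):
            # Never echo the value: it may be a real secret ending up in CI logs.
            findings.append(f"{path}: not a setting name, looks like a literal value")
        elif value not in configured_settings:
            findings.append(f"{path}: app setting '{value}' is not configured")
    return findings


# Constructed sample: ID and secret pasted in as values (both strings are made up).
BAD = """{"auth": {"identityProviders": {"google": {"registration": {
  "clientIdSettingName": "000000000000-example.apps.googleusercontent.com",
  "clientSecretSettingName": "EXAMPLE-not-a-real-secret"}}}}}"""

# The shape shown in the issue: the fields hold the names of app settings.
GOOD = """{"auth": {"identityProviders": {"google": {"registration": {
  "clientIdSettingName": "MY_CLIENT_ID",
  "clientSecretSettingName": "MY_SECRET_ID"}}}}}"""

if __name__ == "__main__":
    for label, text in (("bad", BAD), ("good", GOOD)):
        print(label, lint_auth_settings(text, {"MY_CLIENT_ID"}))
```

A pasted value that happens to contain only letters and digits passes the name-shape test but is still reported by the second check, because no app setting with that name exists.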

tscrip commented 2 years ago

I am seeing the same issue with a Blazor Web Assembly app.

mkarmark commented 2 years ago

@tscrip Do you also mind sharing your sitename or default hostname with us so that we can look at the logs for your site?

tscrip commented 2 years ago

Here you go @mkarmark. I originally posted the link a few days ago, but I need to use this for something else. If you want to recreate this, clone the repo below and make the changes I listed below.

Repo: https://github.com/FBoucher/AzureStaticWebApp-CSharp-SimpleDemo Add a staticwebapp.conf.json that looks like this:

{
  "navigationFallback": {
    "rewrite": "/index.html",
    "exclude": [ "/images/*.{png,jpg,gif}", "/css/*" ]
  },
  "routes": [
    {
      "route": "/.auth/login/twitter",
      "statusCode": 404
    },
    {
      "route": "/.auth/login/facebook",
      "statusCode": 404
    },
    {
      "route": "/.auth/login/github",
      "statusCode": 404
    },
    {
      "route": "/login",
      "rewrite": "/.auth/login/aad"
    }
  ],
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "clientSecretSettingName": "<REDACTED>",
          "clientIdSettingName": "<REDACTED>",
          "openIdIssuer": "https://login.microsoftonline.com/<REDACTED>/v2.0"
        }
      }
    }
  }
}

Note... I have also tried deploying from GitHub Actions and Azure DevOps Pipeline and neither works. If you go to the /.auth/me route, you can see what I am talking about. It looks like all the /.auth/* routes are gone.

tscrip commented 2 years ago

Any update @mkarmark?

tscrip commented 2 years ago

Bump

remirobichet commented 2 years ago

Had to delete azure SWA