AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Feature Request] support for Azure Container Apps with Easy Auth #2274

Open johnnyreilly opened 1 year ago

johnnyreilly commented 1 year ago

Is your feature request related to a problem? Please describe.

Easy Auth is a great way to authenticate your users. However, when used in the context of Azure Container Apps, .NET applications do not, by default, recognise that Easy Auth is in place. What I mean by this is that you might be authenticated but .NET will still act as if you aren't. builder.Services.AddAuthentication() and app.UseAuthentication() don't change that.

Whilst support for Easy Auth with Azure App Service was added in v1.2: https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb - the same support does not exist for Azure Container Apps which works upon different environment variables and request headers.

I've implemented my own custom approach here: https://johnnyreilly.com/azure-container-apps-easy-auth-and-dotnet-authentication

It'd be awesome if this was just generally available to the world though.

Describe the solution you'd like

In the same way that support for Azure App Service is built into Microsoft.Identity.Web, it would be awesome if the same support was available for Azure Container Apps. So imagine being able to write:

builder.Services.AddMicrosoftIdentityWebAppAuthentication(Configuration); 

And have everything magically just work.

Describe alternatives you've considered

Building my own solution, which I have done - see above.

Additional context

See blog post.

jonsing commented 8 months ago

+1 - this would be very nice!

joergjo commented 8 months ago

+1

The environment variables checked by AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled can be worked around (just set them for the Container App manually), but the authentication handler tries to obtain the claims from X-MS-TOKEN-AAD-ID-TOKEN (which isn't available in Container Apps) instead of X-MS-CLIENT-PRINCIPAL. The latter approach would work for both Container Apps and App Services/Functions.

MatteoCalabro-TomTom commented 3 months ago

+1

> The environment variables checked by AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled can be worked around (just set them for the Container App manually), but the authentication handler tries to obtain the claims from X-MS-TOKEN-AAD-ID-TOKEN (which isn't available in Container Apps) instead of X-MS-CLIENT-PRINCIPAL. The latter approach would work for both Container Apps and App Services/Functions.

X-MS-CLIENT-PRINCIPAL isn't a valid token either. It has claims from the access token and the ID token, but the structure of neither. It would be awesome to have standard OIDC w/ JWT support as available in App Service.

joergjo commented 3 months ago

I didn't say X-MS-CLIENT-PRINCIPAL is a token, just a set of claims. Having Easy Auth forward the original token isn't required IMHO.
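
The approach discussed in the thread, building the user from the claims in X-MS-CLIENT-PRINCIPAL rather than from an ID token, as an added C# example (not code from Microsoft.Identity.Web or from the linked blog post). It assumes the Easy Auth payload is Base64-encoded JSON with auth_typ, name_typ, role_typ and a claims array of typ/val pairs; the type names and the sample payload are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// Assumed shape of the decoded X-MS-CLIENT-PRINCIPAL payload (hypothetical type names).
public sealed record EasyAuthClaim(
    [property: JsonPropertyName("typ")] string? Type,
    [property: JsonPropertyName("val")] string? Value);
public sealed record EasyAuthPrincipal(
    [property: JsonPropertyName("auth_typ")] string? AuthType,
    [property: JsonPropertyName("name_typ")] string? NameType,
    [property: JsonPropertyName("role_typ")] string? RoleType,
    [property: JsonPropertyName("claims")] List<EasyAuthClaim>? Claims);

public static class EasyAuthHeader
{
    // The header is unsigned JSON, so the app cannot verify it on its own: it is only
    // meaningful when every request reaches the container through the Easy Auth sidecar.
    // Returns null (treat the request as anonymous) for a missing or malformed header.
    public static ClaimsPrincipal? Parse(string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        try
        {
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue));
            var p = JsonSerializer.Deserialize<EasyAuthPrincipal>(json);
            if (p?.Claims is null || string.IsNullOrEmpty(p.AuthType)) return null;
            var claims = p.Claims.Where(c => c is { Type: not null, Value: not null })
                                 .Select(c => new Claim(c.Type!, c.Value!));
            return new ClaimsPrincipal(new ClaimsIdentity(claims, p.AuthType,
                p.NameType ?? ClaimTypes.Name, p.RoleType ?? ClaimTypes.Role));
        }
        catch (Exception e) when (e is FormatException or JsonException)
        { return null; }
    }

    public static void Main()
    {
        // Constructed sample payload, encoded the way the header carries it.
        var json = "{\"auth_typ\":\"aad\",\"name_typ\":\"name\",\"role_typ\":\"roles\",\"claims\":[{\"typ\":\"name\",\"val\":\"Ada\"},{\"typ\":\"roles\",\"val\":\"Admin\"}]}";
        var header = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        var user = EasyAuthHeader.Parse(header)!;
        Console.WriteLine($"{user.Identity!.Name} admin={user.IsInRole("Admin")} auth={user.Identity.IsAuthenticated}");
        Console.WriteLine(EasyAuthHeader.Parse("not base64!") is null);
    }
}
```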