Open johnnyreilly opened 1 year ago
+1 - this would be very nice!
+1
The environment variables checked by AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled can be worked around (just set them for the Container App manually), but the authentication handler tries to obtain the claims from X-MS-TOKEN-AAD-ID-TOKEN (which isn't available in Container Apps) instead of X-MS-CLIENT-PRINCIPAL. The latter approach would work for both Container Apps and App Services/Functions.
+1
The environment variables checked by AppServicesAuthenticationInformation.IsAppServicesAadAuthenticationEnabled can be worked around (just set them for the Container App manually), but the authentication handler tries to obtain the claims from X-MS-TOKEN-AAD-ID-TOKEN (which isn't available in Container Apps) instead of X-MS-CLIENT-PRINCIPAL. The latter approach would work for both Container Apps and App Services/Functions.
X-MS-CLIENT-PRINCIPAL isn't a valid token either. It has claims from the access token and the ID token but the structure of neither. It would be awesome to have standard OIDC w/ JWT support as available in App Service.
I didn't say X-MS-CLIENT-PRINCIPAL is a token, just a set of claims. Having Easy Auth forward the original token isn't required IMHO.
Is your feature request related to a problem? Please describe.
Easy Auth is a great way to authenticate your users. However, when used in the context of Azure Container Apps, .NET applications do not, by default, recognise that Easy Auth is in place. What I mean by this is that you might be authenticated but .NET will still act as if you aren't. builder.Services.AddAuthentication() and app.UseAuthentication() don't change that.
Whilst support for Easy Auth with Azure App Service was added in v1.2: https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb - the same support does not exist for Azure Container Apps which works upon different environment variables and request headers.
I've implemented my own custom approach here: https://johnnyreilly.com/azure-container-apps-easy-auth-and-dotnet-authentication
It'd be awesome if this was just generally available to the world though.
Describe the solution you'd like
In the same way that support for Azure App Service is built into Microsoft.Identity.Web, it would be awesome if the same support was available for Azure Container Apps. So imagine being able to write:
And have everything magically just work.
Describe alternatives you've considered
Building my own solution, which I have done - see above.
Additional context
See blog post.
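
The thread above contrasts X-MS-TOKEN-AAD-ID-TOKEN with X-MS-CLIENT-PRINCIPAL as "just a set of claims". As an added example (not code from the issue, the linked blog post or Microsoft.Identity.Web), this sketch turns that header into a ClaimsPrincipal so .NET sees the user as authenticated. It assumes the header is Base64-encoded JSON with auth_typ, name_typ, role_typ and a claims array of typ/val pairs, the layout Microsoft documents for App Service authentication, and that the app is reachable only through the Easy Auth layer, since nothing in the header is signed; EasyAuthPrincipal, Payload, Item and FromHeader are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
public static class EasyAuthPrincipal
{
    // Assumed shape of the decoded header: identity metadata plus a flat list of typ/val claims.
    public sealed class Payload
    {
        [JsonPropertyName("auth_typ")] public string? AuthType { get; set; }
        [JsonPropertyName("name_typ")] public string? NameType { get; set; }
        [JsonPropertyName("role_typ")] public string? RoleType { get; set; }
        [JsonPropertyName("claims")] public Item[]? Claims { get; set; }
    }
    public sealed class Item
    {
        [JsonPropertyName("typ")] public string? Type { get; set; }
        [JsonPropertyName("val")] public string? Value { get; set; }
    }
    // Returns null (caller treats the request as anonymous) when the header is absent or malformed.
    public static ClaimsPrincipal? FromHeader(string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        Payload? p;
        try
        {
            p = JsonSerializer.Deserialize<Payload>(Encoding.UTF8.GetString(Convert.FromBase64String(headerValue)));
        }
        catch (Exception e) when (e is FormatException or JsonException) { return null; }
        if (p?.Claims is null || string.IsNullOrEmpty(p.AuthType)) return null;
        var claims = p.Claims
            .Where(c => !string.IsNullOrEmpty(c?.Type) && c?.Value is not null)
            .Select(c => new Claim(c.Type!, c.Value!));
        // A non-empty authenticationType is what makes Identity.IsAuthenticated true.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, p.AuthType,
            p.NameType ?? ClaimTypes.Name, p.RoleType ?? ClaimTypes.Role));
    }
    public static void Main()
    {
        // Constructed sample payload, not captured from a real request.
        var json = "{\"auth_typ\":\"aad\",\"name_typ\":\"name\",\"role_typ\":\"roles\",\"claims\":" +
                   "[{\"typ\":\"name\",\"val\":\"Ada\"},{\"typ\":\"roles\",\"val\":\"admin\"}]}";
        var user = FromHeader(Convert.ToBase64String(Encoding.UTF8.GetBytes(json)))!;
        Console.WriteLine($"{user.Identity!.IsAuthenticated} {user.Identity.Name} {user.IsInRole("admin")}");
        Console.WriteLine(FromHeader("not-base64!") is null);
    }
}
```

In an ASP.NET Core app the value would come from Request.Headers["X-MS-CLIENT-PRINCIPAL"] inside an authentication handler or middleware, with the result assigned to HttpContext.User.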