MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Request clarification: Static Web App + BYO Azure Function - Access to User Information (Claims Principal) #85886

Closed John-HLC closed 1 year ago

John-HLC commented 2 years ago

Is this possible? I can't get it to work.

Trying to set up: StaticWebApp + Blazor WASM (Client Side Only) + Bring your own Azure Function, and then access the user information on the BYO Azure Function.

Problem I'm having: User Information (Claims Principal) is always null/blank.

Today, the documentation shows how StaticWebApp edge nodes send out a header that can be unpacked on the API side to get user information. But this may not work if you bring your own BYO Azure Function + Blazor WASM client side only. With Blazor WASM client only you have to create and configure your own HTTP client to make HTTP calls, and that header is not there on the outgoing call. It is also not there when deserializing on the BYO Azure Function side.

I'm trying to implement this: the Accessing User Information section of the documentation. But from what I can tell there is no "x-ms-client-principal" header in the request from my Blazor WASM (client only) HTTP call to my BYO Azure Function.

Or it's unclear how to connect the dots to make this work.

But without it, I'm kind of stuck with a fully open API that cannot be locked down, because the API cannot tell if the user is authenticated. And trying to add a route rule (user in roles) will not work because the user info is not there, so it's locked down for everyone (even already logged in users who are authenticated).
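For reference, this is what the API-side unpacking of the `x-ms-client-principal` header looks like when the header does arrive. This is an added example, not code from the issue or from Microsoft's docs; it assumes the documented header format (base64-encoded JSON with `identityProvider`, `userId`, `userDetails` and `userRoles`), and the `admin` role and sample user values are constructed. A missing or malformed header is treated as an anonymous caller, which is exactly the 401 behaviour described in this thread.

```javascript
// Added example (not from the issue or Microsoft's docs): parse the
// x-ms-client-principal header that Azure Static Web Apps adds to
// authenticated requests, and decide whether a caller may use a route.
// Assumes the documented header format: base64 JSON with identityProvider,
// userId, userDetails and userRoles. Claims are not part of this header.

function parseClientPrincipal(headers) {
  // Azure Functions presents header names in lowercase.
  const raw = headers['x-ms-client-principal'];
  if (!raw) return null; // no header: unauthenticated caller (or header not forwarded)
  let principal;
  try {
    principal = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
  } catch (e) {
    return null; // malformed header: treat as anonymous, never trust partial data
  }
  if (!principal || !Array.isArray(principal.userRoles)) return null;
  return {
    identityProvider: principal.identityProvider,
    userId: principal.userId,
    userDetails: principal.userDetails,
    userRoles: principal.userRoles,
  };
}

// Returns the HTTP status the function should answer with for a route that
// requires any one of requiredRoles: 401 when not authenticated, 403 when
// authenticated but not in a required role, 200 when allowed.
function authorize(headers, requiredRoles) {
  const principal = parseClientPrincipal(headers);
  if (!principal || !principal.userRoles.includes('authenticated')) return 401;
  const allowed = requiredRoles.some((r) => principal.userRoles.includes(r));
  return allowed ? 200 : 403;
}

// Constructed sample: a principal as SWA would encode it for an AAD user.
const samplePrincipal = {
  identityProvider: 'aad',
  userId: 'constructed-user-id',
  userDetails: 'user@example.com',
  userRoles: ['anonymous', 'authenticated', 'admin'],
};
const sampleHeaders = {
  'x-ms-client-principal': Buffer.from(JSON.stringify(samplePrincipal)).toString('base64'),
};
```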



DerekHerman-MSFT commented 2 years ago

Thanks for the feedback! We are currently investigating and will update you shortly. In the future please open feedback items directly from the documentation page at the bottom. This allows us to automatically route the issue to the correct team.

John-HLC commented 2 years ago

A few more possibly relevant details in case it helps

1) On Blazor WASM Client only side, I did try with and without the auth section in staticwebapp.config.json. Those settings are set on the StaticWebApp Configuration production environment in the Azure portal to match AAD_CLIENT_ID and AAD_CLIENT_SECRET setting name and values.


Although both the BYO Azure Function app and the Blazor WASM client only app have a Client ID and Client Secrets in my AD App registrations, I'm not sure which set of ID/secrets should be used. I did try both.

2) On Blazor WASM Client only side, in the WebAssemblyHostBuilder.Services I am adding the following for MSAL authentication. The AccountClaimsPrincipalFactory just adds the Microsoft Graph user photo, and splits out each role into its own claim so Blazor can handle the AuthorizeView control to show/hide HTML based on user in role.


SnehaAgrawal-MSFT commented 2 years ago

@John-HLC Thanks for the feedback! I have assigned the issue to the content author to review further and update the document as appropriate.

mkarmark commented 2 years ago

Hi! Do you mind sharing your app name so we can investigate what is going on on our side? If you don't feel comfortable posting about it here, feel free to open a support ticket and we can help you there!

John-HLC commented 2 years ago

Sure thing.

Aside from a few Test Pages and Classes, I do not have any real app logic in there. I am maintaining a live app on this with another project structure elsewhere. These two projects are to try and connect all the dots/technologies before I start adding in real logic. So yes I can share.

2 projects

HLCApp-Website

HLCAppFunctions

================================

On the function side I have a test function to try and get the ClaimsPrincipal and display user info. Function name = "TestClaimsFunctionAccess". You can search all for "TestClaimsFunctionAccess" on both the Website and Function App to see the call being made.

===============================

Note: I have tried several different things so multiple ways may be in there and/or commented out. Please let me know (direct me) if I can help speed things for you or zero in on anything specific.

John-HLC commented 2 years ago

@mkarmark - just realized you may have meant static web app name in azure... not GitHub project names. Static Web App Name = HLCAppWebDEV

simonaco commented 2 years ago

@John-HLC static web app name would be the default hostname, something like icy-coast-05fba4810 . Thanks for sharing the details.

John-HLC commented 2 years ago

@simonaco - thanks.. here it is: https://red-smoke-017c67310.azurestaticapps.net

mkarmark commented 2 years ago

Hi @John-HLC, we only pass over the client principal information to customers on authenticated requests. Per our logs I can see that your static web app has made lots of requests to your function app but I do not see a single login request in the last 60 days. Can you please try logging in first and then hitting the function path and seeing if your function app received the client principal?

John-HLC commented 2 years ago

@mkarmark - I just did this on the top of the hour (1:00 PM Central Time), maybe 20 min ago, in case it helps you check the logs for a specific login attempt. But your description is what I am seeing as well.

I logged in using AD from Blazor WASM (client side only). Note at this point the function is not hit/touched upon login, as Blazor client side only goes directly from the browser to Azure AD. The function is not touched as part of the login process, in case it makes a difference or you were expecting to see it like that. But that is how Blazor WASM client only works.

So I logged in and the Blazor WASM client side only gets back from AD a user with the claims principal and user in roles I'm expecting to see. All is good after login. The test page I hit spits out the claims info in logging (Blazor WASM has it), as you can see in the image below. I'm not sure what every single GUID is for, so I red-lined them out in the image.

Thank you for your attention and any help you may be able to provide.


Even though the end of my helper logging says Blazor Environment = Development, I'm using this branch as a "dev" environment even though it's a production "Standard" Static web app - just for clarification if needed.

John-HLC commented 2 years ago

> Hi @John-HLC, we only pass over the client principal information to customers on authenticated requests. Per our logs I can see that your static web app has made lots of requests to your function app but I do not see a single login request in the last 60 days. Can you please try logging in first and then hitting the function path and seeing if your function app received the client principal?

@mkarmark This is still a huge problem. I just got frustrated and moved on to doing other development, but now this is kind of the last thing holding me back on multiple projects. Somehow it needs to get isolated and fixed, and I'm willing to try my best to help you help us :), any way possible!!! I mean it. Can I add you to my private project? Can I pay for some time for someone to take a look at it? I am willing to fly anywhere and meet in a local conference room, anything. Static Web Apps is soooooo good and this is just one Achilles heel killing me.

Your comment above is the exact point of disconnect.

In a StaticWebApp (Blazor WASM, no server) + BYO function + AD, after following all instructions, the StaticWebApp is not logging into the BYO function. But there is nothing else I can do (according to the documentation listed) to force the Static Web App to log into the function. Something is missing in the documentation.

That is 'managed' by the Static web app + BYO function workflow.

Again, just for quick reference:

  1. I have a Static Web App (Blazor WASM client side only, no server) + BYO Function
  2. Using AD I can verify a user logs into the app
  3. The user is in the necessary roles that should be able to access the function (used logger to spit out roles user is in)
  4. In staticwebapp.config.json I have a route of allowed roles for the locked down function (from #3); user is in those roles
  5. Making the call to the Function gives 401 unauthorized (even though the user is logged into the Static Web App)

I think you are correct: the app never logs into the function, but those directions are missing how to accomplish that. The user is logged into the Static Web App; is there some missing step to have the Static Web App log into the function? In previous communications and with previous people trying to help in other issues I created, they keep defaulting to the non-Bring-Your-Own function methods of logging into the app. Just a note.

So today, even though the user is logged in with AD, when the user goes to call the API, the API doesn't know the user and considers him not logged in, returning a 401 error.

John-HLC commented 2 years ago

@mkarmark I added you to both GitHub projects, the Blazor WASM static web app and the BYO function, in case you want to look at the source code for both. Both projects have 1 issue in the issues with your name in the subject so you can respond there if needed, and I can put more instructions there.

joergen98 commented 2 years ago

Hi @John-HLC
I am experiencing the same issue, and was wondering if you found a solution to this problem?

John-HLC commented 1 year ago

@joergen98, @mkarmark To be quite honest, I just passed claims/user info from the WASM side to the Function as part of the HTTP POST body for the past year, and waited for others to explain the issue further because I was getting nowhere, and had no hair left to pull or time to pull it. Being somewhat of a new Azure offering, I assumed others would be having issues with Azure Static Web Apps + Blazor SWA + BYO Functions + Claims Principal. Today I'm finding more threads with similar issues. @joergen98 - sorry, did not see your comment till now, but maybe check this out:

https://github.com/Azure/static-web-apps/issues/751 Seems like @mkarmark might have gotten somewhere with that user/issue, or others.

Now that the problem is more defined I'm circling back to try again, now that it's been a full year. @joergen98 - did you find an answer? If not I'll see if I can make it work now.

thomasgauvin commented 1 year ago

I've been made aware of this thread. This had been previously reported as well and we've clarified in the docs that the claims attribute is not accessible in the API functions: https://learn.microsoft.com/en-us/azure/static-web-apps/user-information?tabs=javascript#api-functions. I know this is something that would enable use cases like the ones mentioned in this thread, so we'll be considering this as a new feature. It's currently in our 'to-assess' backlog.

craigshoemaker commented 1 year ago

is now noted in the docs

please-close