microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

ACA with Microsoft Entra ID authentication and HTTP2/gRPC #1176

Open BastienPerdriau opened 1 month ago

BastienPerdriau commented 1 month ago

This issue is a: (mark with an x)

Issue description

Azure Container Apps seems not to consider the Bearer Access Token when Microsoft authentication is enabled if Ingress Transport is set to HTTP/2 (because we use a Docker with gRPC).

Steps to reproduce

  1. Set up an ACA with:
  2. Call the gRPC API using a client app => It works
  3. Set up Authentication using Microsoft Identity Provider
  4. Call the gRPC API using the client app => it doesn't work
  5. Get an access token against MS IDP (either using Managed Identity, Service Principal or using local identities with CLI or VS) and pass it to request header (e.g. using GrpcChannel in C#)
  6. Call the gRPC API using the client app => it still doesn't work

Expected behavior [What you expected to happen.]

I expect the gRPC call to work using the Authorization header with the Bearer access token.

Actual behavior [What actually happened.]

I have a gRPC error with status Unavailable.

BastienPerdriau commented 3 weeks ago

Hi @anthonychu

Sorry to ping you directly, as I noticed you tagged this issue. Do you or anyone in your team know if this issue could be a bug of ACA or a misconfiguration on my side?

Regards,

anthonychu commented 3 weeks ago

This is a bug and we’re working on a fix.

deepmehrotra commented 1 week ago

Hi @anthonychu, we are also stuck with the same issue. Is there any timeline for this bug fix?

anthonychu commented 1 week ago

Sorry it looks like we’re actually still investigating this. No ETA to share at this time.