staticwebdev / roles-function

https://docs.microsoft.com/azure/static-web-apps/assign-roles-microsoft-graph

GetRoles hosted in azure app container #8

Open ariggi-epam opened 1 year ago

ariggi-epam commented 1 year ago

Hi, I am hosting the back end in an Azure app container. I'm trying to host the get roles API there too. Is that possible? I tried with both the v1 and v2 version configs for Azure Active Directory (see below), but I always get an empty request body. I'm receiving an empty req.body. Do you know if it is possible? Is it related to this? https://github.com/Azure/static-web-apps/issues/988

```json
{
  "auth": {
    "rolesSource": "/api/getroles",
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<tenantid>/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        },
        "login": {
          "loginParameters": [
            "scope=openid profile email https://graph.microsoft.com/User.Read"
          ]
        }
      }
    }
  }
}
```

and

```json
{
  "auth": {
    "rolesSource": "/api/getroles",
    "identityProviders": {
      "azureActiveDirectory": {
        "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<tenantid>",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        },
        "login": {
          "loginParameters": [
            "resource=https://graph.microsoft.com"
          ]
        }
      }
    }
  }
}
```

ariggi-epam commented 1 year ago

I always get a request with an empty body and the following headers:

```
host: 'album-api....centralus.azurecontainerapps.io',
traceparent: '00-bf53bb2eb02a33c27a2798dabed3e9df-..-00',
'x-ms-auth-token': 'Bearer eyJ..',
'x-forwarded-for': '20.84.233.8',
'x-envoy-external-address': '20.84.233.8',
'x-request-id': 'bc8a1083-444c-4569-8c74-..',
'x-envoy-expected-rq-timeout-ms': '1800000',
'x-k8se-app-name': 'album-api--...',
'x-k8se-app-namespace': 'k8se-apps',
'x-k8se-protocol': 'http1',
'x-k8se-app-kind': 'web',
'x-ms-containerapp-name': 'album-api',
'x-ms-containerapp-revision-name': 'album-api--...',
'x-arr-ssl': 'true',
'x-forwarded-proto': 'https',
'x-ms-client-principal-id': 'anonymous',
'x-ms-client-principal-idp': 'azureStaticWebApps',
'content-type': 'application/json; charset=utf-8',
'content-length': '3495'
```

The JWT has the API (the container app), instead of MS Graph. I can't use it to call MS Graph to obtain the AAD groups. Do you have any suggestions?

ariggi-epam commented 1 year ago

Sorry, I meant the JWT has the API as audience, instead of MS Graph. This is the content:

```json
{
  "prn": "bnVsbA==",
  "sub": "anonymous",
  "iss": "https://nice-plant.....centralus.2.azurestaticapps.net/.auth",
  "aud": "https://album-api......centralus.azurecontainerapps.io",
  "nbf": 1669163333,
  "exp": 1669163633,
  "iat": 1669163333
}
```
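One defensive check a `/api/getroles` endpoint hosted outside Static Web Apps can apply before trusting a request, as an added example (not code from this issue or from the roles-function repo): it decodes the `x-ms-auth-token` header like the one shown in the thread and rejects the call unless issuer, audience and time window match what the Static Web App is expected to send. The host names are placeholders, and signature verification is not covered because the thread shows no signing key.

```javascript
// Added example, not code from the issue or the roles-function repo.
// Claim checks a /api/getroles handler can apply to the x-ms-auth-token header
// before it trusts a request as coming from the Static Web App auth layer.
// Signature verification is out of scope: no signing key appears in the issue.

const EXPECTED_ISSUER = 'https://<swa-host>.azurestaticapps.net/.auth';   // placeholder
const EXPECTED_AUDIENCE = 'https://<api-host>.azurecontainerapps.io';     // placeholder

function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the payload claims of a compact JWT; does not check the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// headers: request headers with lower-case keys, as Node presents them.
// opts.now pins the clock (seconds); opts.issuer/audience override the placeholders.
function checkAuthToken(headers, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const issuer = opts.issuer ?? EXPECTED_ISSUER;
  const audience = opts.audience ?? EXPECTED_AUDIENCE;
  const raw = headers['x-ms-auth-token'];
  if (typeof raw !== 'string' || !raw.startsWith('Bearer ')) return { ok: false, reason: 'missing bearer token' };
  let claims;
  try { claims = decodeJwtPayload(raw.slice('Bearer '.length)); }
  catch (e) { return { ok: false, reason: e.message }; }
  if (claims.iss !== issuer) return { ok: false, reason: 'unexpected issuer' };
  if (claims.aud !== audience) return { ok: false, reason: 'unexpected audience' };
  if (typeof claims.nbf === 'number' && now < claims.nbf) return { ok: false, reason: 'token not yet valid' };
  if (typeof claims.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'token expired' };
  return { ok: true, claims };
}

// Constructed, unsigned sample token (dummy signature part) so the checks above
// can be exercised offline with claims shaped like those in the issue.
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.dummy`;
}
```

The `sub: "anonymous"` and `x-ms-client-principal-id: anonymous` values in the thread mean the claims carry no user identity, so passing these checks only establishes that the call came through the Static Web App, not who the user is.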