Azure Linux Web App doesn't have callback route? #20989
Comments
I think (2) is closer to correct than (1). In (1), you didn't have the redirect URL registered in Azure AD. In (2), since it was registered, AD redirected you back to your app using that URL, but for some reason, that callback route doesn't seem to work. This is where I have been stuck and the documentation on easyauth or authn/authz (whatever they call the auth module) is very unclear.
@ncook-hxgn Did you apply this: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-option-2-use-an-existing-registration-created-separately? I saw you were using the Service Principal details to fill in the application details, which won't work/I wouldn't advise. Try to create a separate application according to the provided instructions on the link, that should probably solve most of your problems.
@aristosvo I'm not sure I follow what you're saying - I think you're referring to my workaround? @mikeam565 I agree, the docs aren't always very helpful. I had to look at the PR for v3.45 to make sense of the structure of the doc file for azurerm_linux_web_app. There's no headings in it and the links in the docs don't work as I think was intended either. I digress. I went back to the old

```hcl
data "external" "env" {
  program = ["sh", "-c", "jq -n 'env | {ARM_TENANT_ID,ARM_SUBSCRIPTION_ID,ARM_CLIENT_ID,ARM_CLIENT_SECRET}'"]
}

# Define a Resource Group for an Azure App
resource "azurerm_resource_group" "example_rg" {
  name     = "${var.app_name}-rg"
  location = "West Europe"
}

# Define an Azure App Service Plan for Linux
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan
resource "azurerm_service_plan" "example_service_plan" {
  name                = "${var.app_name}-serviceplan"
  location            = azurerm_resource_group.example_rg.location
  resource_group_name = azurerm_resource_group.example_rg.name
  os_type             = "Linux"
  sku_name            = "B1"
}

# Define an Azure Web App
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/azurerm_linux_web_app
resource "azurerm_linux_web_app" "example_wa" {
  name                = "${var.app_name}"
  resource_group_name = azurerm_resource_group.example_rg.name
  location            = azurerm_service_plan.example_service_plan.location
  service_plan_id     = azurerm_service_plan.example_service_plan.id

  # Enable a System Managed Identity for the Azure Web App
  identity {
    type = "SystemAssigned"
  }

  # iisnode
  site_config {
    application_stack {
      node_version = "16-lts"
    }
  }

  # Configure the Azure Web app with your AAD Auth Provider (see web.config)
  auth_settings {
    enabled                       = true
    issuer                        = "https://sts.windows.net/${data.external.env.result["ARM_TENANT_ID"]}"
    default_provider              = "AzureActiveDirectory"
    token_refresh_extension_hours = 24
    token_store_enabled           = true
    unauthenticated_client_action = "RedirectToLoginPage"

    active_directory {
      client_id     = data.external.env.result["ARM_CLIENT_ID"]
      client_secret = data.external.env.result["ARM_CLIENT_SECRET"]
    }
  }
}

# Output the Azure Web App URL
output "webapp_url" {
  value = "https://${azurerm_linux_web_app.example_wa.default_hostname}"
}
```

It set the redirect URI as the AAD Auth provider expects (and thus, as I tried in my workaround): Something is wrong with
For context, I am personally having this issue with the custom_oidc_v2 setting. Same issue. Redirect uris registered with my OP, I can get auth to work in curl commands using our client id and secret, but the easy auth/authz/authn module that this auth_settings_v2 corresponds to 500 errors on redirect to callback (and shows no trace of the error in the logs either).
@mikeam565 I see, OK I'm glad it's not just me 😄
@ncook-hxgn It's definitely not... I'm about to just implement auth myself, it's ridiculously easy with just minor modifications to code... You'd just think that a module called "easy auth" would be ... easy.
I tried 3.49, and the problem might be fixed but I can't tell because
Using the following terraform code (unchanged from before really)

```hcl
# Run the script to get the environment variables of interest.
# This is a data source, so it will run at plan time.
data "external" "env" {
  program = ["sh", "-c", "jq -n 'env | {ARM_TENANT_ID,ARM_SUBSCRIPTION_ID,ARM_CLIENT_ID,ARM_CLIENT_SECRET}'"]
}

# Define a Resource Group for an Azure App
resource "azurerm_resource_group" "example_rg" {
  name     = "${var.app_name}-rg"
  location = "West Europe"
}

# Define an Azure App Service Plan for Linux
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan
resource "azurerm_service_plan" "example_service_plan" {
  name                = "${var.app_name}-serviceplan"
  location            = azurerm_resource_group.example_rg.location
  resource_group_name = azurerm_resource_group.example_rg.name
  os_type             = "Linux"
  sku_name            = "B1"
}

# Define an Azure Web App
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/azurerm_linux_web_app
resource "azurerm_linux_web_app" "example_wa" {
  name                = "${var.app_name}"
  resource_group_name = azurerm_resource_group.example_rg.name
  location            = azurerm_service_plan.example_service_plan.location
  service_plan_id     = azurerm_service_plan.example_service_plan.id

  # Enable a System Managed Identity for the Azure Web App
  identity {
    type = "SystemAssigned"
  }

  # iisnode
  site_config {
    application_stack {
      node_version = "16-lts"
    }
  }

  # Configure the Azure Web app with your AAD Auth Provider (see web.config)
  #auth_settings {
  #  enabled                       = true
  #  issuer                        = "https://sts.windows.net/${data.external.env.result["ARM_TENANT_ID"]}"
  #  default_provider              = "AzureActiveDirectory"
  #  token_refresh_extension_hours = 24
  #  token_store_enabled           = true
  #  unauthenticated_client_action = "RedirectToLoginPage"
  #
  #  active_directory {
  #    client_id     = data.external.env.result["ARM_CLIENT_ID"]
  #    client_secret = data.external.env.result["ARM_CLIENT_SECRET"]
  #  }
  #}

  # Configure the Azure Web app with your AAD Auth Provider (see web.config)
  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true
    default_provider       = "AzureActiveDirectory"
    unauthenticated_action = "RedirectToLoginPage"

    # our default_provider:
    active_directory_v2 {
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${data.external.env.result["ARM_TENANT_ID"]}/v2.0"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" # should be used instead of ARM_CLIENT_SECRET
      client_id                  = data.external.env.result["ARM_CLIENT_ID"]
      # client_secret            = data.external.env.result["ARM_CLIENT_SECRET"]
      allowed_groups             = var.app_allowed_groups
    }

    # use a store for tokens (az blob storage backed)
    login {
      token_store_enabled = true
    }
  }
}

# Output the Azure Web App URL
output "webapp_url" {
  value = "https://${azurerm_linux_web_app.example_wa.default_hostname}"
}
```

This is the output I got:
Hopefully fixed in #21113 /next release!!🤞
@mikeam565 - FYI, I'm not sure if it's related to what you experienced with custom_oidc_v2, but I just noticed that if I don't set "default_provider" in terraform, then the "Redirect to" setting is left blank and I get a warning in azure portal:
Setting default_provider = "{name of custom oidc method}" fixes this error. It may be unrelated to what you saw.
@aristosvo still broken in v3.51.0 I'm afraid..
@aristosvo so I tried 3.52 and didn't get a crash this time, but I still get an error in my browser when browsing to my web app url.
Circumstantially, the role assignment I do in the IRL code that birthed the repro code in the OP has stopped working. Not sure if because new azurerm provider or because a service principal has changed whilst I was away.. I will dig deeper.. (it's probably the latter tbh)
@ncook-hxgn Seems like the AD Application configuration is lacking the proper config for ID Token. Let me know if anything with regard to the Terraform part has to be adapted or seems to be not functioning👍🏽
@aristosvo that's encouraging, something I can maybe fix :) The managed identity of the deployed Web App, or the App Registration (service principal) that I pass to the terraform tasks in my pipeline (that ultimately runs this code), or some global policy..?
When I deployed my app with
OK I think I understand this a little better now. I created a new service connection / service principal / AD Application specifically to run terraform in our pipelines, as I don't want to share my
Did I really configure the callback uri on my service principal/authentication/AD Application manually, when I deployed with
(I was sure terraform had done that, hence raising this originally..? Is it the expectation that I should need to do this with v2, too?) Looking into it on my side, hoping to come back and confirm the fixes once I understand what's different with my new AD Application..
Is there an existing issue for this?
Community Note
Terraform Version
1.40.0
AzureRM Provider Version
3.47.0
Affected Resource(s)/Data Source(s)
azurerm_linux_web_app
Terraform Configuration Files
Debug Output/Panic Output
None, but expected some maybe?
Expected Behaviour
There should be a sensible callback url defined here in the portal in App Services > Example > Authentication > Identity Provider > Microsoft (click the link for the App Registration)
Actual Behaviour
Because there isn't the correct redirect URI in the app registration created by `active_directory_v2`, the Authentication provider doesn't work. When I visit my deployed site, I consent to the app looking me up on Graph, and after that I am redirected to e.g. `https://example.azurewebsites.net/.auth/login/aad/callback`. This results in the following screen:
The redirect URL it is trying to send me to is correct (that is, I have ported this solution from `auth_settings.active_directory`, which worked, and that was the redirect URI. Now, I need the `allowed_groups` feature, so I'm upgrading to `auth_settings_v2.active_directory_v2`)
Steps to Reproduce
`terraform apply` with the code above and a suitable terraform.tfvars file (see provided `variables.tf`)
Important Factoids
No response
References
No response
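The thread converges on two points: the app registration behind `active_directory_v2` must itself carry the `/.auth/login/aad/callback` redirect URI and have ID token issuance enabled, and it should be a registration dedicated to the web app rather than the pipeline's service principal. The following is an added example, not code from the issue or the provider project, showing both done in Terraform; it assumes the azuread provider 2.x resource schema and reuses the resource group, service plan and variables from the configuration posted above.

```hcl
# Added example, not from the issue. Assumes azuread provider 2.x and the
# resource group / service plan / variables from the issue's configuration.
data "azurerm_client_config" "current" {}

# Easy Auth calls back on /.auth/login/aad/callback under the default hostname,
# which follows from the app name, so there is no cycle with the web app resource.
locals {
  callback_uri = "https://${var.app_name}.azurewebsites.net/.auth/login/aad/callback"
}

# Registration dedicated to the web app, separate from the pipeline's service principal.
resource "azuread_application" "webapp" {
  display_name = "${var.app_name}-easyauth"
  web {
    redirect_uris = [local.callback_uri]
    implicit_grant {
      id_token_issuance_enabled = true # the AAD provider completes login with an ID token
    }
  }
}

resource "azuread_application_password" "webapp" {
  application_object_id = azuread_application.webapp.object_id
}

resource "azurerm_linux_web_app" "example_wa" {
  name                = var.app_name
  resource_group_name = azurerm_resource_group.example_rg.name
  location            = azurerm_service_plan.example_service_plan.location
  service_plan_id     = azurerm_service_plan.example_service_plan.id
  site_config {}

  # client_secret_setting_name refers to an app setting; it must exist under that key.
  app_settings = {
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = azuread_application_password.webapp.value
  }

  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true
    default_provider       = "AzureActiveDirectory"
    unauthenticated_action = "RedirectToLoginPage"
    active_directory_v2 {
      client_id                  = azuread_application.webapp.application_id
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/v2.0"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      allowed_groups             = var.app_allowed_groups
    }
    login { token_store_enabled = true }
  }
}
```

After `terraform apply`, the portal's Authentication blade should show the callback URI on the linked registration, and the login round trip should land on `/.auth/login/aad/callback` without the error screen from the issue.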