microsoft / DurableFunctionsMonitor

A monitoring/debugging UI tool for Azure Durable Functions

DFM_ALLOWED_APP_ROLES problem in standalone version

Erry91 opened this issue · comments

Hi,

I am pretty sure I am missing something and this is not a bug, so if possible I would tag it as question.
I have an Azure Function resource that hosts the DurableFunctionsMonitor in the standalone version. I am trying to configure app roles and have one group of users that can only "read" and, for example, me with the permissions to start/restart etc.

For this I have followed the Wiki for the configuration and arrived with this setup:
image

And I have assigned to me the role "Writer":
image

Then I added the app settings to my Azure Function resource:
image

However, when I do this, as soon as the app restarts and I open a new clean session, log in and get to the "home" page, I receive a 401 error. This does not happen when I only configure allowed users by their emails with the app setting DFM_ALLOWED_USER_NAMES. However, only using DFM_ALLOWED_USER_NAMES wouldn't accomplish what I am trying to achieve, since any user would have full access in the durable functions monitor.
image

One thing that I am failing at as well is retrieving the access token to have a look at it.

Any ideas on what I am doing wrong?

Thank you very much in advance.

Enrico

Hi @Erry91, the first thing to clarify is:
which auth flow is your DfMon using, server-directed or client-directed?

The quickest way to check that on a running instance is to press F12 in your browser, go to the Network tab and check any API call the client is making. If that API call contains an Authorization header, then it is client-directed, otherwise it is server-directed.

Hi @scale-tone and thank you for your reply. I would say I am in the server-directed situation. An example of API call is this, where I don't think I see any Authorization header in the request.
image

@Erry91, please try to clean up cookies:

image

or simply log in again.

This should make the Roles claim appear in the ClaimsPrincipal and thus resolve the issue.

I tried that, both clearing cookies and logging in again from incognito or another browser. The page still replies with 401 as soon as I enable the app setting DFM_ALLOWED_APP_ROLES.

OK, from what I can see on your screenshots, you have your App Role's value set to DurableMonitorWriter,
while in the DFM_ALLOWED_APP_ROLES setting you specify Writer (which is the role's Display Name).
You need to specify DurableMonitorWriter there instead.
Please try doing that.

Oh my, I was using the Display Name and not the actual Value then. Thank you so much for spotting that for me! I was sure it was something silly but I couldn't nail it down...

(assuming it all works now) can I close this one, @Erry91?

Yes, @scale-tone thank you again. We can close it.
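
The mismatch resolved above can be checked offline; the following is an added example, not part of the original thread or of DurableFunctionsMonitor's code. It compares a DFM_ALLOWED_APP_ROLES value against the app registration's `appRoles` (`displayName` / `value`) and the role claims in an App Service `/.auth/me` response. Assumptions: the setting is a comma-separated list matched exactly, the role claim type is one of the two listed, and all sample data is constructed from the names in the thread.

```python
import json

# Claim types that may carry app roles (assumption: varies with token version / claim mapping).
ROLE_CLAIM_TYPES = {
    "roles",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

def roles_from_auth_me(auth_me_json):
    """Collect role claim values from a /.auth/me style payload (list of identities)."""
    roles = set()
    for identity in json.loads(auth_me_json):
        for claim in identity.get("user_claims", []):
            if claim.get("typ") in ROLE_CLAIM_TYPES:
                roles.add(claim["val"])
    return roles

def diagnose(allowed_setting, app_roles, token_roles):
    """For each configured entry, say whether it can match the user's roles claim."""
    values = {r["value"] for r in app_roles}
    display_to_value = {r["displayName"]: r["value"] for r in app_roles}
    findings = []
    for entry in (e.strip() for e in allowed_setting.split(",")):
        if not entry:
            continue  # tolerate trailing commas / empty items
        if entry in token_roles:
            findings.append((entry, "ok"))
        elif entry in values:
            findings.append((entry, "role exists but is not assigned to this user"))
        elif entry in display_to_value:
            # The situation in this thread: the claim carries the Value, not the Display Name.
            findings.append((entry, f"display name, use value '{display_to_value[entry]}'"))
        else:
            findings.append((entry, "no such app role"))
    return findings

# Constructed sample data: one app role and one signed-in user holding it.
APP_ROLES = [{"displayName": "Writer", "value": "DurableMonitorWriter"}]
AUTH_ME = json.dumps([{"user_id": "user@example.com", "user_claims": [
    {"typ": "name", "val": "Example User"},
    {"typ": "roles", "val": "DurableMonitorWriter"},
]}])

if __name__ == "__main__":
    token_roles = roles_from_auth_me(AUTH_ME)
    for setting in ("Writer", "DurableMonitorWriter"):
        print(f"DFM_ALLOWED_APP_ROLES={setting}: {diagnose(setting, APP_ROLES, token_roles)}")
```
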