microsoft / DurableFunctionsMonitor

A monitoring/debugging UI tool for Azure Durable Functions

Consumption Plan doesn't expose Env variable `WEBSITE_AUTH_OPENID_ISSUER`

petr-stupka opened this issue · comments

Hi, I just came across this issue when I configured AAD Auth on an Azure Function running on the Consumption Plan.

The login URL looks like https://login.microsoftonline.com/common/oauth2/v2.0/auth ... and it is trying to find the App Registration in my home tenant. However, I'm using resources and an SPN from a different tenant than my home tenant.

The login URL should look like https://login.microsoftonline.com/<specific tenant>/oauth2/v2.0/auth ...

The env variable WEBSITE_AUTH_OPENID_ISSUER should replace common with the resource tenantId; however, because this variable is not exposed, it falls back to common.

Not sure about the solution. Either use the variable AZURE_TENANT_ID, which is configured with the SPN credentials used for the Function code, or define a new variable just for this purpose?

Thanks!

Hi @petr-stupka, can you please clarify: is the issue related to DfMon in any way?
Is it a DfMon instance that you're deploying and configuring? Or is it just some common Azure Function?

@scale-tone I'm sorry, I completely forgot to put the technical details in.
Yes, it is related to DfMon, Injected mode (installed as a NuGet package) in a dotnet 6.0 Durable Functions app.

In the meantime I got it working by using the Windows Consumption Plan. Before that I had been using the Linux Consumption Plan.

I believe the Linux Consumption plan doesn't expose the WEBSITE_AUTH_OPENID_ISSUER env variable, and therefore the authentication fell back to the common tenantId.

The reason why common doesn't work for me is that DfMon in my function is searching in my account's "Home" tenant. However, my resources and the Function Authentication SPN are in a separate DEV tenant, where accounts from the "Home" tenant are guests only. So it is necessary to specify the tenant if I'm authenticating to "Dev" tenant resources.

The DfMon code behind:

EasyAuthConfig.cs

// Trying to get tenantId from WEBSITE_AUTH_OPENID_ISSUER environment variable.
// GuidRegex (a regex capturing a GUID in group 1) and EnvVariableNames are defined
// elsewhere in DfMon; when the variable is absent, tenantId stays "common".
string tenantId = "common";
string openIdIssuer = Environment.GetEnvironmentVariable(EnvVariableNames.WEBSITE_AUTH_OPENID_ISSUER);
if (!string.IsNullOrEmpty(openIdIssuer))
{
    var match = GuidRegex.Match(openIdIssuer);
    if (match.Success)
    {
        tenantId = match.Groups[1].Value;
    }
}

As I said, I found a solution for me, so you can close the issue, and thank you for your support.

Btw, pretty nice tool, this DfMon 💯 A completely different world than Azure Table, so thank you again!

Thanks for reporting this, @petr-stupka! This indeed appears to be an issue.

Indeed, the WEBSITE_AUTH_OPENID_ISSUER variable is set on Windows, but is missing on the Linux consumption plan. Not sure why, but we would need to find a workaround for this.

But is there any particular reason why you prefer the client-directed flow over the server-directed one for your instance? Honestly, client-directed mode was intended more for running DfMon outside Azure (e.g. in K8s), in which case you would be able (and required) to set this setting explicitly.

Turns out it is a breaking change in the platform that's being rolled out.
Older auth-related settings are being dropped and replaced with WEBSITE_AUTH_V2_CONFIG_JSON.

So this had to be addressed anyway. Thanks again for reporting, @petr-stupka , that was right on time! The fix is coming.
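The two comments above describe the problem in full: DfMon derives the tenant for the login URL from WEBSITE_AUTH_OPENID_ISSUER and falls back to common when it is absent, and the platform is moving that information into WEBSITE_AUTH_V2_CONFIG_JSON. The following is an added example, not DfMon's own code, of a resolver that checks the old setting, then the V2 JSON, then AZURE_TENANT_ID (the alternative suggested in the issue), before giving up and using common. The order of precedence, the JSON path identityProviders.azureActiveDirectory.registration.openIdIssuer, and the sample tenant GUIDs are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.RegularExpressions;

// Added example (not DfMon code): resolve the AAD tenant id used to build the
// sign-in URL. Precedence below is an assumption, not documented behaviour:
//   1. WEBSITE_AUTH_OPENID_ISSUER  (legacy EasyAuth setting; present on Windows)
//   2. WEBSITE_AUTH_V2_CONFIG_JSON (newer platform setting; JSON path assumed)
//   3. AZURE_TENANT_ID             (the SPN's tenant, as the issue suggests)
//   4. "common"                    (multi-tenant endpoint; the failing case above)
public static class TenantResolver
{
    // Captures a GUID-shaped tenant id, e.g. from https://sts.windows.net/<guid>/v2.0
    private static readonly Regex GuidRegex = new Regex(
        @"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})",
        RegexOptions.Compiled);

    // getEnv is injected so the resolver can be exercised without touching the process env.
    public static string ResolveTenantId(Func<string, string> getEnv)
    {
        if (TryGuid(getEnv("WEBSITE_AUTH_OPENID_ISSUER"), out var tenant)) return tenant;
        if (TryGuid(IssuerFromV2Config(getEnv("WEBSITE_AUTH_V2_CONFIG_JSON")), out tenant)) return tenant;
        if (TryGuid(getEnv("AZURE_TENANT_ID"), out tenant)) return tenant;
        return "common";
    }

    public static string LoginUrl(string tenantId) =>
        $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";

    private static bool TryGuid(string value, out string guid)
    {
        guid = null;
        if (string.IsNullOrEmpty(value)) return false;
        var m = GuidRegex.Match(value);
        if (!m.Success) return false;
        guid = m.Groups[1].Value.ToLowerInvariant();
        return true;
    }

    // Reads the issuer out of the V2 config blob. The property path is an assumption
    // based on the authsettingsV2 schema; a malformed or differently shaped blob yields null.
    private static string IssuerFromV2Config(string json)
    {
        if (string.IsNullOrEmpty(json)) return null;
        try
        {
            using var doc = JsonDocument.Parse(json);
            if (doc.RootElement.TryGetProperty("identityProviders", out var idps)
                && idps.TryGetProperty("azureActiveDirectory", out var aad)
                && aad.TryGetProperty("registration", out var reg)
                && reg.TryGetProperty("openIdIssuer", out var issuer)
                && issuer.ValueKind == JsonValueKind.String)
            {
                return issuer.GetString();
            }
        }
        catch (JsonException)
        {
            // Unparseable config: treat as absent and fall through to the next source.
        }
        return null;
    }

    public static void Main()
    {
        // Constructed inputs (not real tenants). Simulates Linux Consumption, where only
        // the V2 JSON is present and the legacy WEBSITE_AUTH_OPENID_ISSUER is missing.
        var env = new Dictionary<string, string>
        {
            ["WEBSITE_AUTH_V2_CONFIG_JSON"] =
                "{\"identityProviders\":{\"azureActiveDirectory\":{\"registration\":" +
                "{\"openIdIssuer\":\"https://sts.windows.net/11111111-2222-3333-4444-555555555555/v2.0\"," +
                "\"clientId\":\"00000000-0000-0000-0000-000000000000\"}}}}"
        };
        Func<string, string> get = k => env.TryGetValue(k, out var v) ? v : null;

        Console.WriteLine(LoginUrl(ResolveTenantId(get)));
        // With no setting at all the resolver degrades to the multi-tenant endpoint,
        // which is exactly the guest-account failure described in the issue.
        Console.WriteLine(LoginUrl(ResolveTenantId(_ => null)));
    }
}
```

One caveat worth keeping in mind beyond the redirect URL: the tenant you resolve here should also be the tenant you validate against. An issuer of common means any tenant's tokens will be accepted at validation time, so whichever source wins, check the token's iss and tid claims against that resolved tenant rather than only using it to build the login link.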

Fixed in v6.1. Please validate.

Hi @scale-tone

  1. With the update to 6.1 it works on Linux (and Windows) Functions (Consumption plan).
  2. Client-directed vs server-directed flow: it was a misconfiguration caused by troubleshooting, because server-directed had been working for the function URL; however, once ../api was used, DfMon tried to authenticate again and failed as mentioned previously. So now I'm using server-directed and it works as expected.

Many thanks!