Forbidden (401 - Missing Cookies) when making requests to APIs in SCM
colin-higgins opened this issue
Missing cookies server side.
Repro steps:
- Create Azure App Service Web App
- Add manual site extension with scmApplicationHost.xdt
- Add aspnetcore3.1 sub application to SCM site
- Make call to SCM Kudu API from sub application with propagated cookies
- FedAuth* and LoginNonce* cookies are missing
- Receive 401 Forbidden response
I manually output the cookies and headers from the server side and noticed most of the cookies are missing in Request.Cookies while they are present in Chrome/Edge/Firefox.
(Screenshot: cookies in Chrome developer tools)
(Screenshot: headers as examined from the server-side HttpContext)
Project structure:
- Create template netcore3.1 app
- Return headers to browser as string
- Publish app to folder with scmApplicationHost.xdt
- Point virtual directory to relative folder in C:\Home\SiteExtensions\MySiteExtension
- Add this content with your app information to the scmApplicationHost.xdt:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.applicationHost>
    <sites>
      <site name="%XDT_SCMSITENAME%" xdt:Locator="Match(name)">
        <application path="/sub-app-test" xdt:Locator="Match(path)" xdt:Transform="Remove" />
        <application path="/sub-app-test" applicationPool="%XDT_APPPOOLNAME%" xdt:Transform="Insert">
          <virtualDirectory path="/" physicalPath="%XDT_EXTENSIONPATH%\sub-app-directory" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
The log/error given by the failure:
401 Forbidden when making requests to the SCM app or the deployed template app.
Those are reserved cookies and only meaningful to the App Service load balancer. They are not passed to the application.
How am I able to make requests to the domain which my sub-application is hosted on in SCM?
Even requests to my own application 401 without those cookies.
Why do you think the 401 was caused by the cookies? The SCM site makes calls to itself all the time to many paths without issue. Are you calling back from the SCM site or from a different origin? If the latter, session cookies will not be valid due to CORS.
I am calling back to the SCM site via the same domain, only a relative path difference.
I am also calling back to a Controller/Action in my same app and receiving a 401 before the application is ever hit.
Hitting an endpoint in my web API from the browser, it is authenticated... calling an endpoint in my web API from within the web API, I receive a 401.
Is there guidance on making requests to SCM API from within SCM?
My browser requests are authenticated, how am I supposed to authenticate any requests off of that initial request?
For example... if I want to make a button that downloads several different log files and also downloads process information, to simplify troubleshooting.
If I have a sub application, that is hit via this URL:
my-azure-app-service.scm.azurewebsites.net/MySubApp/Diagnostics
And then that action calls these URLs:
my-azure-app-service.scm.azurewebsites.net/api/processes/-1
my-azure-app-service.scm.azurewebsites.net/api/vfs/LogFiles/eventlog.xml
my-azure-app-service.scm.azurewebsites.net/api/zip/LogFiles/special-log-directory
How do I call to those URLs without a 401?
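The following ASP.NET Core 3.1 controller is an added illustration of the diagnostic described in the opening post (dump what the sub-application actually receives, then make a server-side call back to one of the Kudu URLs listed above with the forwarded Cookie header) and is not the reporter's code or part of Kudu. It assumes the sub-application is mounted at /sub-app-test under the SCM site, that `services.AddHttpClient()` is registered in Startup, and that the reserved cookie prefixes are exactly the `FedAuth*` and `LoginNonce*` names mentioned in the thread; the target path `/api/processes/-1` is one of the URLs named above.

```csharp
// Added diagnostic controller (not the reporter's code; assumptions noted in the lead-in).
using System;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

namespace SubAppTest.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class DiagnosticsController : ControllerBase
    {
        // Cookie-name prefixes described in the thread as reserved for the
        // App Service front end; the sub-application is not expected to see them.
        private static readonly string[] ReservedPrefixes = { "FedAuth", "LoginNonce" };

        private readonly IHttpClientFactory _httpClientFactory;

        public DiagnosticsController(IHttpClientFactory httpClientFactory)
        {
            _httpClientFactory = httpClientFactory;
        }

        // GET /sub-app-test/Diagnostics
        // Returns, as plain text, the cookies and headers the server received and the
        // status of a server-side call back to Kudu that forwards the incoming Cookie header.
        [HttpGet]
        public async Task<IActionResult> Get()
        {
            var report = new StringBuilder();

            report.AppendLine("Cookies visible to the application:");
            foreach (var name in Request.Cookies.Keys)
            {
                report.AppendLine("  " + name);
            }

            // Flag which reserved prefixes never reached the application.
            var missing = ReservedPrefixes
                .Where(p => !Request.Cookies.Keys.Any(k => k.StartsWith(p, StringComparison.Ordinal)))
                .ToList();
            report.AppendLine(missing.Count == 0
                ? "Reserved cookies present."
                : "Reserved cookies absent server-side: " + string.Join(", ", missing.Select(p => p + "*")));

            report.AppendLine();
            report.AppendLine("Request headers:");
            foreach (var header in Request.Headers)
            {
                report.AppendLine($"  {header.Key}: {header.Value}");
            }

            // Server-to-self call on the same host, forwarding whatever Cookie header arrived.
            // Since the front end strips the reserved cookies, this is the call the thread
            // reports as answering 401.
            var kuduUrl = $"{Request.Scheme}://{Request.Host}/api/processes/-1";
            var client = _httpClientFactory.CreateClient();
            using var message = new HttpRequestMessage(HttpMethod.Get, kuduUrl);
            if (Request.Headers.TryGetValue("Cookie", out var cookieHeader))
            {
                message.Headers.TryAddWithoutValidation("Cookie", cookieHeader.ToString());
            }
            using var response = await client.SendAsync(message);

            report.AppendLine();
            report.AppendLine($"Server-side GET {kuduUrl} -> {(int)response.StatusCode} {response.ReasonPhrase}");

            return Content(report.ToString(), "text/plain");
        }
    }
}
```

Open https://my-azure-app-service.scm.azurewebsites.net/sub-app-test/Diagnostics in an authenticated browser session: the first section shows which cookie names survived the front end, and the last line shows the status the forwarded server-side call gets, which makes it easy to confirm whether the 401 is tied to the absent reserved cookies or to something else.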
Could you even make an AJAX call to your own app (MySubApp)? I would start with that first. BTW, Kudu Debug Console and other extensions (such as the /dev editor) do make AJAX calls to the SCM site all the time (you can see this from F12 -> Network). Not sure why it would be any different in your scenario.
Hi
If the problem persists and is related to running it on Azure App Service, please open a support incident in Azure:
https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request
This way we can better track and assist you on this case
Thanks,
Joaquin Vano
Azure App Service