When using the auth_settings, this is creating my app service settings within the Authentication (Classic) tab. Is there any new way to use terraform to update the Authentication tab?
It seems not supported yet as of azurerm version 2.67.0
One of complain I have is that the application cannot be tested locally, this is the case with Authentication Classic which uses built in authentication of app service(easy auth).
The newer Authentication seems configure the app registration for the popular oauth2 identity providers, but still keep some of client settings on Azure, where it should be kept at web.config.
For this reason I would not use this setting for now, just manually configure the app registration and make configuration in web.config/appsettings.json, and use an authentication library of my pick(MASL that is)
Related
I have a Node.js application that need to read its configuration from Azure App.config.
When I go through the following example:
https://learn.microsoft.com/en-us/javascript/api/overview/azure/app-configuration-readme?view=azure-node-latest
I read:
AppConfigurationClient can authenticate using a service principal or
using a connection string.
How can I have AppConfigurationClient authenticate using MSI (Managed Service Identity) ?
You will need to use the #azure/identity package for javascript. More details can be found at
https://learn.microsoft.com/en-us/javascript/api/overview/azure/identity-readme
For managed identity, you will need to create a ManagedIdentityCredential and pass it to the App Configuration client. An example can be found at
https://github.com/Azure/azure-sdk-for-js/blob/#azure/identity_2.0.4/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-in-azure-with-managed-identity
You may also like to check out DefaultAzureCredential. It can fall back to different credentials (including managed identity) in different environments. Examples can be found at
https://github.com/Azure/azure-sdk-for-js/blob/#azure/identity_2.0.4/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-with-defaultazurecredential
The newest versions of MassTransit started using Azure.Identity package as a replacement for Microsoft.Azure.SericeBus.
I use Hybrid Identity to authenticate on premise service with the Azure Service Bus. It works well with TokenProvider.CreateManagedIdentityTokenProvider in Microsoft.Azure.SericeBus. However, after the switch to Azure.Identity package neither DefaultAzureCredential nor ManagedIdentityCredential work. I get an error saying that "Service request failed: 401 (Unathorized). Manage,EntityRead required for this operation".
I suspect that the new Azure.Identity package only works with Azure hosted apps and not with my on prem hosted service. But since it worked fine with the old package I am trying to figure out if I can make it work.
Any ideas if it is possible to use Hybrid Identity for accessing ASB from on prem service with recent MassTransit package >7.3.0?
I'm the author the of the original MassTransit change that brought the Service Bus SDK to v7.
There are differences in the underlying auth libraries.
TokenProvider.CreateManagedIdentityTokenProvider uses the AzureServiceTokenProvider under the hood. There's two possible paths when setting up the underlying token providers:
If AzureServicesAuthConnectionString is set as an environment variable, it will be used to configure the auth settings.
Else, there's a prioritized list of non-interactive providers (Msi, VS, Azure CLI, WindowsAuth (when using the full framework))
If AzureServicesAuthConnectionString environment variable is not set, DefaultAzureCredential appears to be nearly identical for the underlying token providers. If it is set, it may be a difference in the parsing of the environment variable. The DefaultAzureCredential uses an EnvironmentCredential as a credential, but it expects separate variables for tenant ID, client ID, etc (see docs for specifics).
Unfortunately, I'm not familiar with Hybrid Identity so these comments are solely based on my understanding of the Azure libraries.
In a AzureAD authenticated app hosted in Azure i get the access token in the api controller like this
public override void OnActionExecuting(ActionExecutingContext context)
{
base.OnActionExecuting(context);
_client.DefaultRequestHeaders.Accept.Clear();
var tokenHeader = Request.Headers["X-MS-TOKEN-ADD-ACCESS-TOKEN"];
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokenHeader );
}
Since Azure AD app service injects the token it works only when hosted in Azure.
How can i make it work in my development environment? This of course generates an exception.
Im following this tutorial:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad#enable-authentication-and-authorization-for-back-end-app
Both backend and frontend are secured with AzureAD authentication.
The frontend app has had permission set to the backend app in AzureAD section in the portal.
In the code, there is nothing configured in appsettings.json.
According to your describe, you're using Easy Auth for your web App service. You know, Easy auth is for Azure Web App service, it's managed by Azure. So, I'm afraid of that you cannot use Easy Auth authentication for your app from your local machine.
For more detials about Easy Auth for Azure Web App service, you can refer to this documentation.
If you run the application locally on your development system, Easy
Auth will not be available and you will not have the access tokens,
etc. that you may need in your application. In order to debug those
features of your application, you will need to deploy to an Azure Web
App. An alternative approach is to do the login and authentication
workflow in the application code, but then you are no longer
leveraging Easy Auth.
However, there is a method to do Local Debugging of .NET Core Web App with Easy Auth.Here is a blog which introducts an approach to that. This blog may be helpful to give a thought for your scenario.
I've configured my UWP app to authenticate using a MobileServiceClient. This appears to be working fine. The ClaimsPrincipal object is authenticated when executing remotely. However, I'm unable to retrieve the ClaimsPrincipal from my Azure Function when debugging locally.
I believe this is because I need to configure my local server with a matching SigningKey, ValidAudiences, and ValidIssuers settings; as described in this article covering Mobile App Services.
But I'm working with Azure Functions and not a Mobile App Service, and configuration appears to work differently.
How can I configure my local server to correctly interpret the credentials passed from my mobile app?
I believe the reason it works remotely and not locally is because the Azure Functions local tooling does not currently support the Authentication / Authorization identity features. Until it does you'll need to find a way to mock the ClaimsPrincipal for local development/testing.
UPDATE: Same answer for Sept. 2020. We've done some work to get closer to this goal, but still not quite there yet.
I'm trying to implement Azure KeyVault in my Azure Functions app following this article: https://medium.com/statuscode/getting-key-vault-secrets-in-azure-functions-37620fd20a0b
In the article, the function app is set to use Managed Service Identity (MSI) so that we don't have to use a secret to get a token in order to connect to Azure KeyVault. Because that would kind of defeat the purpose of using Azure KeyVault.
As I understand it, an Azure app can be registered to use MSI so that other Azure resources recognize it directly, thus simplifying the connection process by eliminating the need to get a token, etc.
However, as I debug my Azure functions app, I'm unable to connect to Azure KeyVault to retrieve the necessary secrets.
I feel maybe that's happening because the functions app is running locally during debug and not on Azure.
Would this be the reason why I'm unable to connect to KeyVault?
Yes unfortunately MSI will only get a token when running inside of the Azure Functions service. I did update my sample about a week ago with a new #if region I use to pull secret from local variables if in DEBUG mode.
https://github.com/jeffhollan/functions-csharp-keyvault-eventhub/blob/master/ScaleTestV1_NoHost/Http.cs
There is a better solution available now for this problem of using Managed Service Identity during local development in debug mode (at least for .NET applications and functions).
You can use Microsoft.Azure.Services.AppAuthentication package.
Relevant Code Sample.. (from references below)
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// ...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");
// OR
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
How to use managed identities for App Service and Azure Functions
Microsoft.Azure.Services.AppAuthentication Reference
The Microsoft.Azure.Services.AppAuthentication for .NET library
simplifies this problem. It uses the developer's credentials to
authenticate during local development. When the solution is later
deployed to Azure, the library automatically switches to application
credentials.
For further details about, how AzureServiceTokenProvider fetches tokens using Visual Studio, Azure CLI or Azure AD Integrated Authentication.. Read here
As an addendum of Rohit Saigal answer please notice following:
Locally development within Visual Studio using Azure Key Vault service depends on
"Azure Services Authentication Extension" https://marketplace.visualstudio.com/items?itemName=chrismann.MicrosoftVisualStudioAsalExtension#overview
which is integrated into Visual Studio since version 15.6 onward and don't need to be installed separately.
Check Visual Studio/Tools/Options/Azure Services Authentication to see which account you use to auth within Azure services, and set appropriate.