Did you use the signalr_extension system key? You'll get 403 if using a regular host key.
The linked documentation describes how to configure using managed identity for upstream connectivity, in lieu of using function keys.
The problem with these function / extension keys is they are not generated until the code is deployed. That means I cannot configure the infrastructure in my Marketplace deployment.
I am experiencing authorization issues when using authorization to access system endpoints (i.e., endpoints under /runtime/ or /admin/).
The specific use case is related to serverless SignalR upstream settings which is documented here (https://learn.microsoft.com/en-us/azure/azure-signalr/howto-use-managed-identity#enable-managed-identity-authentication-in-upstream-settings). This document describes configuring the upstream settings to utilize managed identity for communication with the isolated Azure Function.
Regarding reproduction - if you deploy any serverless SignalR / isolated function sample, confirm it functions using the "runtime/webhooks/signalr?code=<API_KEY>" approach. Once that is functional, follow the steps to enable managed identity for upstream communication.
For testing, I've placed an API management layer between my SignalR and function app for upstream communications; this has allowed me to retrieve much greater detail in terms of the actual requests going through and I'm able to log the request / response and the authentication header value. Using this value, I've confirmed that the token works successfully when hitting my "HealthCheck" function endpoint (i.e., "/api/HealthCheck"); however, the token does not work when trying to access the SignalR webhook endpoint "/runtime/webhooks/signalr" and a 403 Forbidden error is thrown.
This issue is also submitted here as I'm unsure if it's a functions issue or extensions issue: Azure/azure-functions-signalrservice-extension#294.
Additional note - within the Azure Functions authentication settings, I've configured it loosely; I've allowed access from any application and any identity, ensured the issuer / tenant align with the token, and ensured the audience aligns between the token / SignalR upstream settings.
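The issuer / tenant / audience comparison described in the issue above can be made repeatable with a small claim check over the bearer token captured at the API management layer. This is an added example, not code from the issue author or the Azure Functions project; it decodes the payload without verifying the signature (diagnostics only), and the tenant id, audience URI and sample token are constructed placeholders.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(bearer: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    token = bearer.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, expected: dict, now=None) -> list:
    """Compare claims to the expected values; return a list of mismatches."""
    now = time.time() if now is None else now
    problems = []
    for name, want in expected.items():
        got = claims.get(name)
        # 'aud' may be a single string or a list of strings; matching is exact.
        ok = want in got if isinstance(got, list) else got == want
        if not ok:
            problems.append(f"{name}: expected {want!r}, token has {got!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("exp: token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample so the example runs offline.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
SAMPLE = make_sample_token({"aud": "api://example-function-app",
                            "iss": f"https://sts.windows.net/{TENANT}/",
                            "tid": TENANT, "exp": 2000000000})
# Placeholder for what the function app is configured to accept (note the trailing slash).
EXPECTED = {"aud": "api://example-function-app/", "tid": TENANT}
PROBLEMS = check_claims(decode_claims("Bearer " + SAMPLE), EXPECTED, now=1700000000)
```

An empty list from `check_claims` means the token's claims match the expected values exactly, which narrows a 403 on the webhook path to something other than these claims.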