-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue w/ authorization on system endpoints #2531
Comments
Still need a review on this please. |
Did you use the |
The linked documentation describes how to configure using managed identity for upstream connectivity, in lieu of using function keys. The problem with these function / extension keys is they are not generated until the code is deployed. That means I cannot configure the infrastructure in my Marketplace deployment. |
I am experiencing authorization issues when using authorization to access system endpoints (i.e., endpoints under /runtime/ or /admin/).
The specific use case is related to serverless SignalR upstream settings which is documented here (https://learn.microsoft.com/en-us/azure/azure-signalr/howto-use-managed-identity#enable-managed-identity-authentication-in-upstream-settings). This document describes configuring the upstream settings to utilize managed identity for communication with the isolated Azure Function.
Regarding reproduction - if you deploy any serverless SignalR / isolated function sample, confirm it functions using the "runtime/webhooks/signalr?code=<API_KEY>" approach. Once that is functional, follow the steps to enable managed identity for upstream communication.
For testing, I've placed an API management layer between my SignalR and function app for upstream communications; this has allowed me to retrieve much greater detail in terms of the actual requests going through and I'm able to log the request / response and the authentication header value. Using this value, I've confirmed that the token works successfully when hitting my "HealthCheck" function endpoint (i.e., "/api/HealthCheck") however the token does not work when trying to access the SignalR webhook endpoint "/runtime/webhooks/signalr" and a 403 forbidden error is thrown.
This issue is also submitted here as I'm unsure if its a functions issue or extensions issue: Azure/azure-functions-signalrservice-extension#294.
Additional note - within the Azure Functions authentication settings, I've configured it loosely; I've allowed access from any application and any identity, ensured the issuer / tenant align with the token, and ensured the audience aligns between the token / Signalr upstream settings.
The text was updated successfully, but these errors were encountered: