Managed identity upstream issues #294

Open
cwatson-sidub opened this issue Aug 2, 2024 · 2 comments

@cwatson-sidub

Might not be the right spot, but this is the closest I could find.

I have a fully functioning serverless SignalR / Azure Function (isolated) chatroom sample set up when I use the Azure key approach (i.e., in upstream settings, I use the suffix /runtime/webhooks/signalr?code=<api_key>).

However, when I enable managed identity for upstream authorization, I consistently receive 403 errors when the SignalR service is reaching out to the function app's "/runtime/webhooks/signalr" path. I've read all available documentation online.

It seems the code / logic under this path is very hard to find / troubleshoot...

@Y-Sindo
Member

Y-Sindo commented Aug 2, 2024

Hi, I believe the Azure Functions Team might have more expertise on this. Could you provide the repro steps for your issue, especially on how your function app is configured?

@cwatson-sidub
Author

cwatson-sidub commented Aug 3, 2024

I'll do that - I was trying to find the code that introduces the /runtime/webhooks/signalr path, so I might analyze it / try and figure things out. I figured that it was part of this repository but couldn't find it.

Regarding reproduction - if you deploy any serverless SignalR / isolated function sample, confirm it functions using the "runtime/webhooks/signalr?code=<API_KEY>" approach. Once that is functional, follow the steps here (https://learn.microsoft.com/en-us/azure/azure-signalr/howto-use-managed-identity#enable-managed-identity-authentication-in-upstream-settings) to enable managed identity for upstream communication.

For testing, I've placed an API management layer between my SignalR and function app for upstream communications; this has allowed me to retrieve much greater detail in terms of the actual requests going through, and I'm able to log the request / response and the authentication header value. Using this value, I've confirmed that the token works successfully when hitting my "HealthCheck" function endpoint (i.e., "/api/HealthCheck"); however, the token does not work when trying to access the SignalR webhook endpoint "/runtime/webhooks/signalr" and a 403 forbidden error is thrown.

Update - I've submitted a report here as well Azure/Azure-Functions#2531.
