ACA deployment does not configure built-in auth #2181

Open
jeannotdamoiseaux opened this issue Nov 21, 2024 · 8 comments
@jeannotdamoiseaux
Contributor

jeannotdamoiseaux commented Nov 21, 2024

This issue is for a: (mark with an x)

- [ X ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The authentication setup process completes without any visible errors, but the login screen does not appear before the application opens.

This functionality was working correctly for me in previous versions or deployments.

Minimal steps to reproduce

  1. Set the environment variables:

     ```
     azd env set AZURE_USE_AUTHENTICATION true
     azd env set AZURE_AUTH_TENANT_ID <YOUR-TENANT-ID>
     azd env set AZURE_ENFORCE_ACCESS_CONTROL true
     ```

  2. Run the deployment command:

     ```
     azd up
     ```

Any log messages given by the failure

```
Checking if authentication should be setup...
AZURE_USE_AUTHENTICATION is set, proceeding with authentication setup...
Creating Python virtual environment "app/backend/.venv"...
Installing dependencies from "requirements.txt" into virtual environment (in quiet mode)...
Setting up authentication for tenant
Checking if application exists
Application already exists, not creating new one
Setting up server application permissions...
Checking if application exists
Application already exists, not creating new one
Setting up server known client applications...
Authentication setup complete.
```

Expected/desired behavior

Show login screen before opening the application.

OS and Version?

GitHub Codespace

azd version?

azd version 1.11.0

Instead the following information is shown in the chat input bar:
image

@jeannotdamoiseaux
Contributor Author

It seems to me that the application's behavior has changed, requiring users to log in via the "Login" button located at the top-right corner. Is that correct? If so, I’m not sure this change improves the user experience.

@pamelafox
Collaborator

The new default deployment environment is ACA, which we didn't configure "built-in auth" for. We could set that up for ACA, though I was thinking of removing it entirely, since it's somewhat redundant with our use of the MSAL SDKs for authentication.
Do you prefer the behavior where it doesn't even show you the app and forces login?
The ACA behavior mimics how it has always worked locally, by the way.

cc @mattgotteiner

pamelafox added the auth label on Nov 21, 2024
pamelafox changed the title from "Microsoft Entra: Automatic Authentication Setup Fails Silently" to "ACA deployment does not configure built-in auth" on Nov 21, 2024

@jeannotdamoiseaux
Contributor Author

> The new default deployment environment is ACA, which we didn't configure "built-in auth" for. We could set that up for ACA, though I was thinking of removing it entirely, since it's somewhat redundant with our use of the MSAL SDKs for authentication. Do you prefer the behavior where it doesn't even show you the app and forces login? The ACA behavior mimics how it has always worked locally, by the way.
>
> cc @mattgotteiner

This solution doesn’t quite work for my project for two main reasons. First, the application is currently accessible to everyone, even users who aren’t logged in, which we can’t allow. Second, our users shouldn’t have to search for the login button—they should be able to log in through the familiar Microsoft login screen to keep things secure and user-friendly. For now, I’ll switch back to using an App Service.

@pamelafox
Collaborator

Got it. I can add the ACA built-in auth configuration. I'll work on that shortly.

pamelafox self-assigned this on Nov 21, 2024

@jeannotdamoiseaux
Contributor Author

jeannotdamoiseaux commented Nov 22, 2024

When I use the command:

```
azd env set DEPLOYMENT_TARGET appservice
```

I encounter the following error during deployment:

```
Deploying services (azd deploy)

  (x) Failed: Deploying service backend

ERROR: error executing step command 'deploy --all': failed deploying service 'backend': validating target resource: resource 'app-backend-poapuqez675su' with type 'Microsoft.Web/sites' does not match expected resource type 'Microsoft.App/containerApps'
```

It seems like there's a mismatch between the deployed resource type (Microsoft.Web/sites) and the expected resource type (Microsoft.App/containerApps) for the backend service. To troubleshoot, I’ve already taken the following steps:

  1. Used azd down to remove the existing resources.
  2. Used azd env new to create a fresh environment and resource group.

Despite this, the issue persists. Any insights on how to resolve this?

@pamelafox
Collaborator

Did you do step 1, the commenting out in azure.yaml?
https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/docs/azure_app_service.md
Unfortunately we can't control that with just env vars yet.

@jeannotdamoiseaux
Contributor Author

> Did you do step 1, the commenting out in azure.yaml? https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/docs/azure_app_service.md Unfortunately we can't control that with just env vars yet.

You’re right—I missed that step. I assumed the earlier steps were the same as before. Thanks for pointing it out!

@pamelafox
Collaborator

@jeannotdamoiseaux If you're curious, my branch for ACA built-in auth is here:
https://github.com/Azure-Samples/azure-search-openai-demo/compare/main...pamelafox:azure-search-openai-demo:aca-builtinauth?expand=1

We've run into an issue with the token store configuration as it requires a blob storage account URL using a storage account SAS URL, which isn't a security best practice, so we're in discussion with the ACA team to see if there are other options.
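
An added example, not part of the thread or of the project's code: a small check over the JSON of a Container App's auth configuration that flags the two conditions raised in this issue (built-in auth not forcing login, and a token store backed by a SAS URL). The field names are assumed from the `Microsoft.App/containerApps/authConfigs` resource schema, and the sample document is constructed.

```python
import json

# Constructed sample in the assumed shape of an authConfigs resource.
SAMPLE_SAS_TOKEN_STORE = json.loads("""
{
  "properties": {
    "platform": {"enabled": true},
    "globalValidation": {"unauthenticatedClientAction": "RedirectToLoginPage"},
    "login": {
      "tokenStore": {
        "enabled": true,
        "azureBlobStorage": {"sasUrlSettingName": "token-store-sas-url"}
      }
    }
  }
}
""")

# Actions under which the platform rejects or redirects anonymous requests.
ENFORCING_ACTIONS = {"RedirectToLoginPage", "Return401", "Return403"}


def audit_auth_config(resource):
    """Return (code, detail) findings; pass None when no authConfig exists."""
    if resource is None:
        return [("no-auth-config", "built-in auth absent; platform does not gate requests")]
    props = resource.get("properties", {})
    findings = []
    if not props.get("platform", {}).get("enabled", False):
        findings.append(("platform-disabled", "auth config exists but is switched off"))
    action = props.get("globalValidation", {}).get("unauthenticatedClientAction")
    if action not in ENFORCING_ACTIONS:
        findings.append(("anonymous-allowed", f"unauthenticatedClientAction={action!r}"))
    store = props.get("login", {}).get("tokenStore", {})
    sas_setting = store.get("azureBlobStorage", {}).get("sasUrlSettingName")
    if store.get("enabled") and sas_setting:
        findings.append(("sas-token-store", f"token store uses SAS URL secret {sas_setting!r}"))
    return findings


if __name__ == "__main__":
    for label, cfg in [("ACA without built-in auth", None),
                       ("built-in auth with SAS token store", SAMPLE_SAS_TOKEN_STORE)]:
        for code, detail in audit_auth_config(cfg):
            print(f"{label}: {code}: {detail}")
```
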
