Here are the steps showing how to enable managed identity authentication in event handler settings https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-use-managed-identity#enable-managed-identity-authentication-in-event-handler-settings
Adding Entra ID authentication to a web app that utilizes Web PubSub in Azure
I'm trying to simply add Microsoft Entra ID for authentication to an Azure web app. I have a javascript chat-app using Web PubSub that worked perfectly using this example:
https://github.com/Azure/azure-webpubsub/tree/main/samples/javascript/chatapp/nativeapi
I followed the instructions here using the work-force configuration...
The instruction description says "No SDKs, specific languages, or changes to application code are required." I used the defaults and now the app will connect to the chat server, but then the connection is terminated with the first message. I make out that Web PubSub needs to be authenticated to my web app, but I'm unsure how to get this done. Is that the problem? How do I resolve this in the simplest way, preferably with no code changes?
Thank you,
Peter
Azure Web PubSub
Azure App Service
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-03T12:49:17.69+00:00 @Peter Daniels, Thanks for posting your question. While I'm checking more on your scenario, based on my understanding of your issue description:
Authentication is necessary to access a Web PubSub resource when using Microsoft Entra ID. This authentication involves two steps:
- First, Azure authenticates the security principal and issues an OAuth 2.0 token.
- Second, the token is added to the request to the Web PubSub resource. The Web PubSub service uses the token to check if the service principal has access to the resource.
While the Azure App Service authentication/authorization feature does not require any changes to your application code, adding authentication to your Web PubSub service might require some code changes. Kindly check out these reference docs:
- Tutorial: Add authentication and permissions to your application when using Azure Web PubSub
- Authorize access to Web PubSub resources using Microsoft Entra ID
Kindly let us know; I'll follow up with you further.
If the answer helped (pointed you in the right direction) > please click Accept Answer - it will help users to find the answers quickly.
-
Peter Daniels • 40 Reputation points
2024-05-03T13:57:12.2466667+00:00 Thank you for responding. The scenario is actually the Azure web app under app services that needs the authentication not Web PubSub. The web app uses Web PubSub to manage the websocket for the chatting. The Web PubSub does not require authentication. Somehow the socket will not stay open once reported as connected by the web app. This all works fine before attempting to authenticate access to the Azure app services web app using Microsoft Entra ID.
-
Peter Daniels • 40 Reputation points
2024-05-03T14:18:12.99+00:00 Thank you Ajkuma for your response. It is not the Web PubSub that needs authentication; it is the Azure App Services web app (chat app). The web app then uses the Web PubSub to process message flow. With Microsoft Entra ID added to authenticate the web app, the websocket connection, managed by Web PubSub, does not 'stay' connected and closes. The Web PubSub is calling an event handler in the web app 'server.js' file. I was thinking that because Web PubSub is communicating with the web app, it would somehow require a token it does not have because of the Microsoft Entra ID requirement for the web app. I have tried turning on Identity for the Web PubSub and entering its principal ID into the web app registration option, but to no avail.
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-03T17:57:16.7533333+00:00 Thanks for the follow-up and additional clarity. I'm checking on this and will get back to you soon.
-
Peter Daniels • 40 Reputation points
2024-05-07T04:18:07.7+00:00 Thank you. I am looking forward to hearing from you.
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-07T18:37:19.2166667+00:00 Based on my sample tests, you need to follow the steps outlined in this doc to configure the Web PubSub resource. Upon completion, an authorization header will be attached in the request from Azure Web PubSub Service (AWPS) to the WebApp. This header ought to be a JWT token, signed by Microsoft Entra, representing a managed identity, which could be either system-assigned or user-assigned. Your code executing within the WebApp should verify this token.
Kindly let us know how it goes; I'll follow up privately to seek more info about your Azure resources.
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-09T12:36:19.6866667+00:00 @Peter Daniels, Just checking in to see if you have had a chance to see the previous response. If the answer helped (pointed you in the right direction) > please click Accept Answer, or please share the requested/more info to help you better.
-
Peter Daniels • 40 Reputation points
2024-05-09T13:34:25.1533333+00:00 I will be working on it today and tomorrow and will post feedback.
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-10T04:19:47.6066667+00:00 Peter, Great to hear! Looking forward to receiving your feedback. If you have any questions or need further clarification while working on it, feel free to reach out.
1 answer
-
Liangying Wei • 681 Reputation points • Microsoft Employee
2024-05-08T06:04:02.43+00:00 -
Peter Daniels • 40 Reputation points
2024-05-10T19:49:11.3733333+00:00 Ajkuma,
This is the exact process that I followed that got me to my originally stated problem...and I am having the same issue.
Help me understand the need for steps 7 and 8...
"7. Go to Azure SignalR Service and follow the steps to add a system-assigned identity or user-assigned identity.
- In Azure SignalR Service, go to Upstream settings, and then select Use Managed Identity and Select from existing Applications. Select the application that you created previously."
They seem vestigial (or redundant) unless I need to use SignalR for some reason I don't understand. Since I'm using Web PubSub, is there a need for steps 7 and 8?
Also, you say my code should verify the token and allow access. I'm not sure what that would look like. Do you have an example I could follow? I thought the Identity and Microsoft Entra ID was handling the authentication to the app and back and forth between Web PubSub since they are both managed identities in Microsoft Entra ID.
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-13T12:12:03.7333333+00:00 Apologies for the delayed response from over the weekend.
Thanks for the follow-up and sharing additional details. We will get back on this shortly.
-
Liangying Wei • 681 Reputation points • Microsoft Employee
2024-05-14T01:56:50.22+00:00 Oops, there is a typo here: all "SignalR service" in this document should be replaced with "Web PubSub service"... (the doc writer copied the steps from the SignalR docs as they are quite similar and forgot to update them..)
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-14T11:53:15.3933333+00:00 Peter Daniels, Apologies for any confusion. As Liangying Wei mentioned, I have raised a PR and the doc will be updated soon.
Kindly let us know how it goes. We appreciate your feedback and collaboration throughout this.
-
Peter Daniels • 40 Reputation points
2024-05-14T12:31:04.33+00:00 ajkuma,
from my previous comment...
"Also, you say my code should verify the token and allow access. I'm not sure what that would look like. Do you have an example I could follow? I thought the Identity and Microsoft Entra ID was handling the authentication to the app and back and forth between Web PubSub since they are both managed identities in Microsoft Entra ID."
Can you provide an example (if code is required) how to fix this problem? I'm still not sure why it stopped working when I added login authentication for my web app.
Peter
-
Liangying Wei • 681 Reputation points • Microsoft Employee
2024-05-16T09:05:23.1733333+00:00 Hi Peter, if you are using WebApp, the tokens are validated by the workforce configuration and you don't need to verify the token by yourself. Have you specified the "Use Managed Identity" and "specify the token audience to your application" in setting the event handler Authentication? Are you still facing the same problem?
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-16T09:22:44.31+00:00 Apologies for any confusion, I was trying to understand your exact setup/scenario. Thanks for your collaboration.
The doc steps as outlined by Liangying would help accomplish your scenario; I'm just summarizing the workflow here. Please let us know, and I'll follow up with you further.
Managed Identity: Azure Web PubSub Service can support only one managed identity, which can be either a system-assigned identity or a user-assigned identity.
· System-assigned Identity: To set up a system-assigned identity, you need to create an Azure Web PubSub Service instance and then enable the feature.
· User-assigned Identity: To create an Azure Web PubSub Service instance with a user-assigned identity, you need to create the identity and then add its resource identifier to your service.
Client Events Scenarios: Azure Web PubSub Service is a fully managed service, so you can’t use a managed identity to get tokens manually. Instead, when Azure Web PubSub Service sends events to an event handler, it will use the managed identity to obtain an access token.
Event Handler Settings: You may enable managed identity authentication in event handler settings by adding a system-assigned identity or user-assigned identity.
-
Peter Daniels • 40 Reputation points
2024-05-16T15:02:28.0866667+00:00 I believe I have tried all these things several times. I will reset all managed identities and authentication settings and start from a clean slate. I will report my results tomorrow. Is there someone who could look at my specific application just in case I'm missing some minor detail?
-
ajkuma • 27,871 Reputation points • Microsoft Employee
2024-05-17T06:51:34.0133333+00:00 Thanks for the update. Kindly let us know how it goes. If you would like to connect, you may file a support ticket for closer, immediate and focused assistance: create an Azure support request. / We will follow up additionally with you.
-