Home / server / Questions / 1064039
Accepted
Falcon Momot
Asked: 2021-05-19 17:43:48 +0800 CST

Can't use Azure resource editor to update additionalLoginParams on an app service that was migrated to auth version 2

  • 772

I was trying to get a bearer token from the headers Easy Auth injects into requests to my Azure App Service to provide users who want to make API calls to my application, but the token from the token store that's provided in X-MS-TOKEN-AAD-ACCESS-TOKEN is not valid. It is in some kind of internal or encrypted format and starts with PAQABAAAAAAD-- and not ey like a JWT. The X-MS-TOKEN-AAD-ID-TOKEN is valid, but it doesn't get renewed when I visit /.auth/refresh.

I tried following the instructions at http://jsandersblog.azurewebsites.net/2020/01/17/easy-auth-using-x-ms-token-aad-access-token-as-a-bearer-token/ to get a real bearer token, but Resource Explorer gives me this:

Cannot execute the request for site ... because the site is running on auth version v2

What to do?

azure-active-directory azure-app-services

1 Answers

  1. Best Answer

    Notice that the version of the API that Resource Manager wants to PUT the request to is old:

    subscriptions/<subscription_id>/resourceGroups/<group_name>/providers/Microsoft.Web/sites/<site_name>/config/authsettings?api-version=2018-02-01

    They provided a new one, though it's hard to find this out.

    I don't know what's taking them so long to update their tools. But you will now have to make the change using the CLI (if you don't have it, go get it at https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli).

    Do:

    az login
az rest --method GET --url "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<group_name>/providers/Microsoft.Web/sites/<site_name>/config/authsettingsv2/list?api-version=2020-09-01"

    Yes, they updated to GET instead of POST to get your config. Note the "authsettingsv2" in the URL. That's the new section that none of the tools support.

    Copy the config into an editor, and make what changes you want. The schema is here: https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-authsettingsv2?tabs=json

    If you're trying to follow the additionalLoginParams setting advice to get a correct AAD bearer token, you should modify parameters.azureActiveDirectory.login and add loginParameters, like so:

      "azureActiveDirectory": {
    "enabled": true,
    "isAutoProvisioned": true,
    "login": {
      "disableWWWAuthenticate": false,
      "loginParameters": [
        "resource=<clientId from the velow registration block>"
      ]
    }, ...

    Save it as authsettingsv2.json in your working directory or whatever and PUT it away:

    az rest --method PUT --url "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<group_name>/providers/Microsoft.Web/sites/<site_name>/config/authsettingsv2?api-version=2020-09-01" --body @./authsettingsv2.json

    Clear your cookies and go back to your app service. You will have a usable bearer token.

    • 0