Issue with azure ad authentication

[mshafiqmk]

I have setup app using azure static web app and azure sql and i am using azure ad for authentication , locally it works fine with dab cli but when i deploy app to azure then i am getting error

 {
    "error": {
        "code": "AuthorizationCheckFailed",
        "message": "Authorization Failure: Access Not Allowed.",
        "status": 403
    }
}

[seantleonard]

Hi @mshafiqmk ,

When using DAB with Static Web Apps (Database Connections feature), DAB configuration (for Static Web Apps, this file may be named staticwebapp.database.config.json) and DAB's config should use the following authentication config per this doc snippet:

"authentication": {
    "provider": "StaticWebApps"
}

From Static Web Apps, you can then configure authentication providers like Azure AD. Step by step found here: https://learn.microsoft.com/azure/static-web-apps/authentication-authorization

---

For convenience, these were the steps I had used to create my own working SWA+DAB environment.

The following changes should be made in your Static Web Apps config file staticwebapp.config.json (not DAB's config file). That file is located in your GitHub repo for your SWA project, most likely under the /src folder.

1. Modify the auth section to include Azure AD, and add your tenant ID where noted between the < >. Note: the environment variables AZURE_CLIENT_ID and AZURE_CLIENT_SECRET must be set within the Azure Portal under your SWA apps config page.

"auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID_REPLACE_THIS>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    }

2. Confirm your staticwebapp.config.json​ file has an entry for the route /data-api. You may have something that looks like the following, if not, you'll need to add it.

     {
       "route": "/data-api/*",
       "allowedRoles": ["anonymous","authenticated"]
     }

3. You'll need to update the 'allowed' roles to match the roles you utilize in your DAB configuration.

      {
        "route": "/data-api/*",
        "allowedRoles": ["anonymous","authenticated", "samplerole"]
      }

Example config file (For reference only):

{
    "routes": [
        {
            "route": "/authenticated/*",
            "allowedRoles": [
                "authenticated"
            ]
        },
        {
            "route": "/data-api/*",
            "allowedRoles": [
                "anonymous",
                "authenticated"
            ]
        }
    ],
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID_REPLACE_THIS>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    }
}

[Aniruddh25]

Hi @mshafiqmk, I'm sorry you had trouble deploying it through SWA but glad you were able to do so using Azure Container Apps.

Like @seantleonard mentioned, even if you would like to use AzureAD https://learn.microsoft.com/en-us/azure/data-api-builder/authentication-azure-ad when deploying via SWA, the authentication section of your dab configuration should be:

"authentication": {
    "provider": "StaticWebApps"
}

After following this and other configuration steps 1-3 as described here: https://learn.microsoft.com/azure/static-web-apps/authentication-authorization and mentioned by @seantleonard above, did you happen to test it locally via SWA CLI: https://azure.github.io/static-web-apps-cli/docs/use/install?
That might help you reproduce locally and get some logs.
Tagging @thomasgauvin from SWA to help further if needed.

Thanks for your efforts and feedback!

Regards
Aniruddh

[mshafiqmk]

@Aniruddh25 isn't "provider": "StaticWebApps" is to use authentication of static web app ? I don't want to use SWA authentication for api , because the api might use by some other clients like mobile app etc so in that cause using azure ad authentication will make more sense instead of using static web app as provider.

[thomasgauvin]

@mshafiqmk the SWA hosted database connections requires Static Web Apps as the provider. The Static Web Apps provider is like an adapter for various authentication providers, such as GitHub, Google, Azure AD, etc. So, you will need to keep provider: "StaticWebApps" in your database connections configuration, and then adding Azure AD as the authentication provider for your Static Web Apps provider. Then, locally, you can use the SWA CLI to emulate Static Web Apps' authentication provider

[mshafiqmk]

@thomasgauvin it is still very complicated and the docs need to have more details about it or unless there is nice and easy demo related to it.

Since i figure it out now through azure container apps , I don't want to spent more time on it at the moments , I am happy with what data builder provide me thorough azure container apps.

But I think it still good to have some demo about it through static webapp full authentication through azure ad so that it is easy for other to use these features.

[thomasgauvin]

Thanks for the feedback @mshafiqmk, I'm noting the feedback for specific docs for Azure AD integration with SWA

[CalvinQuark]

I am encountering this issue using the free tier of Azure Static Web Apps. The solution identified in this thread by @seantleonard evidently applies only to the Standard tier of Static Web Apps which supports custom authentication utilizing the auth section in the staticwebapp.config.json file. Moreover, unlike @mshafiqmk, I am also experiencing this issue when using either the SWA CLI or the DAB CLI.

Is authenticated, role-based access to the database supported when using the free tier of Static Web Apps? If so, what is the equivalent solution for the free tier?

[seantleonard]

Hi @CalvinQuark,

To add context for others, the SWA documentation describing your observed behavior is listed in https://learn.microsoft.com/azure/static-web-apps/authentication-authorization#prerequisites and custom providers are only supported in the standard SWA plan.

Restrict sign-in to a specific Microsoft Entra tenant by configuring a custom Microsoft Entra provider. The pre-configured Microsoft Entra provider allows any Microsoft account to sign in.

To get this to work on the free tier, you'll have to utilize the Static Web App's built-in invitation system to restrict users and assign them roles:

Assign users custom roles using the built-in invitations system

More details about restricting which roles can access certain areas of your application, please reference: https://learn.microsoft.com/en-us/azure/static-web-apps/configuration#define-routes
The allowedRoles property of a route has the following description:

Defines an array of role names required to access a route.
Valid characters include a-z, A-Z, 0-9, and _.
The built-in role, anonymous, applies to all users.
The built-in role, authenticated, applies to any logged-in user.
Users must belong to at least one role.
Roles are matched on an OR basis.
If a user is in any of the listed roles, then access is granted.
Individual users are associated to roles through invitations.

Due to the bullet point "The built-in role, authenticated, applies to any logged-in user." and because the Free tier does not restrict which EntraID/AzureAD tenant can sign in, you will need to explicitly invite users, assign roles to those users, and then add role restrictions to routes in your app that you want to protect.

[CalvinQuark]

Thanks very much for this feedback. As it happens, my issue was quite simple. I had inadvertently deleted the trailing E in the X-MS-API-ROLE header.

[jonatansthlmstratlab]

I am encountering the same issue. When I am using the SWA CLI emulator locally I can only authenticate my request by using this authentication to my dab.config.json file.:

"authentication": {
        "provider": "AzureAd",
        "jwt": {
          "audience": <APP_ID>,
          "issuer": "https://login.microsoftonline.com/<TENANT_ID>v2.0"
        }
      }

If I instead change it to

"authentication": {
        "provider": "StaticWebApps"
      }

it is not able to authenticate my request.

When I am trying to follow the accepted answer from @seantleonard by adding the routing to my staticwebapp.config.json file I am not able to authenticate either in the emulator or in my preview environment.

I have setup my authentication following this guide: https://learn.microsoft.com/en-us/azure/data-api-builder/authentication-azure-ad

If I set the role to anonymous it is working both in my SWA CLI and in my SWA preview environment.

This is how my staticwebapp.config.json looks like:

{
    "routes": [
        {
            "route": "/authenticated/*",
            "allowedRoles": [
                "authenticated",
                "Sample.Role",
                "SampleRole"
            ]
        },
        {
            "route": "/data-api/*",
            "allowedRoles": [
                "authenticated",
                "Sample.Role",
                "SampleRole"
            ]
        },
        {
            "route": "/rest/*",
            "allowedRoles": [
                "authenticated",
                "Sample.Role",
                "SampleRole"
            ]
        }
    ],
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<Tenant_id>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    }
}

And this is my dab.config.json:

{
  "$schema": "https://github.com/Azure/data-api-builder/releases/latest/download/dab.draft.schema.json",
  "data-source": {
    "database-type": "mssql",
    "connection-string": "@env('connection-string')",
    "options": {
      "set-session-context": false
    }
  },
  "runtime": {
    "rest": {
      "enabled": true,
      "path": "/rest",
      "request-body-strict": true
    },
    "graphql": {
      "enabled": false,
      "path": "/graphql",
      "allow-introspection": true
    },
    "host": {
      "cors": {
        "origins": [
          "https://yellow-sea-0cdd5f803-8.westeurope.4.azurestaticapps.net",
          "http://localhost:5000"],
        "allow-credentials": false
      },
      "authentication": {
        "provider": "StaticWebApps"
      },
      "mode": "production"
    }
  },
  "entities": {
    "Companies": {
      "source": {
        "object": "dw.Companies",
        "key-fields": ["Company_ID"],
        "type": "table"
      },
      "graphql": false,
      "permissions": [
        {
          "actions": ["read"],
          "role": "authenticated"
        },
        {
          "actions": ["read"],
          "role": "Sample.Role"
        },
        {
          "actions": ["read"],
          "role": "SampleRole"
        }
      ]
    }
  }
}

All the different roles in both the dab.config.json and swa.config.json is for testing purposes.

I am also considering to change the hosting to Container Apps/Instances instead but would prefer to have it working through SWA.

[seantleonard]

We'll troubleshoot from #2063 and then report back here with any conclusions made.