Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

python-flask container example not compatible with AAD express settings #17

Closed
anders-kiaer opened this issue Feb 26, 2019 · 13 comments
Closed

python-flask container example not compatible with AAD express settings #17

anders-kiaer opened this issue Feb 26, 2019 · 13 comments
Assignees
@JoshuaPartlow

Comments

@anders-kiaer
Copy link

Thanks for the python-sample-vscode-flask-tutorial. Successfully followed the tutorial, and also deployment of the resulting container (following e.g. Deploy Python using Docker containers).

Observed behaviour:

The example Azure web app for containers works as expected when AAD with express settings is not enabled in the app. When AAD express is turned on, the app is correctly redirecting to login (https://login.microsoftonline.com) when not authenticated, but when redirected back after successful login, the app returns HTTP ERROR 500.

Expected behaviour:

The Azure python-sample-vscode-flask-tutorial container example works with express settings in App service AAD enabled, or the README.md contains references/information regarding changes needed for express web app AD service settings to work.

How to reproduce:

  • Download this example repository.
  • Upload and build corresponding container using Azure Container Registry.
  • Create an "Azure Web app for Containers", and link it to the container. Add the WEBSITES_PORT=5000 application settings as described in the Dockerfile.
  • The app works as expected at this step.
  • Turn on basic Azure App Service Authentication / Authorization (e.g. using Azure AD) using Express settings.
  • Unauthenticated users are now still as expected redirected to login for authentication, however on redirect back to the app the server now returns HTTP ERROR 500.
@kraigb
Copy link
Contributor

kraigb commented Feb 28, 2019

Thanks for the report; it's good to know about the behavior, which we'll have to look into.

@kraigb
Copy link
Contributor

kraigb commented Apr 2, 2019

@JoshuaPartlow One for you to look into with the Flask tutorial.

@HansKallekleiv
Copy link

Is there any update on this issue? I'm getting the same results as @anders-kiaer, except for the last part.
In my case turning on authentication (using Azure AD) does not appear to do anything at all.

We want to host quite a few web apps on Azure, but the lack of AD authentication is preventing us from doing so.

@qubitron
Copy link

I have gotten this working using Azure Web Apps (without containers), @HansKallekleiv initially it didn't appear to be working until I set the following setting:
image

I also needed to open the site in an InPrivate session to see the login screen, I think my main browser may have been logged into active directory already.

@anders-kiaer I will take a look at the web apps for containers flavor next.

@HansKallekleiv
Copy link

Thanks for looking into this @qubitron
I'm also using containers, and have tried adding that action without success.
Using anonymous session does not help.

These screenshots might be relevant:
1

2

There is a warning/information that

To enable Authentication / Authorization, please ensure all your custom domains have corresponding SSL bindings, your .NET version is configured to “4.5” or higher and manage pipeline mode is set to “Integrated” ,

but I'm not sure that is relevant? There are no custom domains atleast.

@qubitron
Copy link

I was able to reproduce the issue in containers, and our team has found a workaround,

There is known issue with easyauth (middleware) where in some cases, the request header length gets larger than 4096 and the request fails. The mitigation is to set this app setting WEBSITE_AUTH_DISABLE_IDENTITY_FLOW to true, can you try that and let us know if it works?

More information on this setting is here.

@anders-kiaer
Copy link
Author

@qubitron Thanks! 🙇 The provided workaround WEBSITE_AUTH_DISABLE_IDENTITY_FLOW = true worked, tried it some weeks ago for the first time. Tried again now - and now it appears to work also without that application setting. Perhaps the underlying issue has been fixed? 🎉👷

A follow up question regarding Azure web app service + the 🐳 Docker flavor:

For Single Container (screenshot below) authentication now works out of the box. However, selecting the Docker Compose functionality and a minimal configuration setup (using the same image as when doing Single container), authentication suddenly is bypassed (i.e. you go directly to the app).

version: '3'
services:
  web:
    image: someregistry.azurecr.io/someimage:latest
    ports:
      - 80:5000

Tried both with and without the ports setting. Are you able to reproduce? Is there something that should be changed/added in the 🐳 Docker compose configuration snippet above?

image

cc: @HansKallekleiv

@VladyslavHnatchenko
Copy link

Hi all! Sorry @anders-kiaer, @qubitron please can you explain where you add WEBSITE_AUTH_DISABLE_IDENTITY_FLOW = true; in your code (in app.py or in Dockerfile or ...?)
Thank you for your answer.

@anders-kiaer
Copy link
Author

I added it the same place as WEBSITES_PORT=5000, i.e. under Configuration in the Azure web app.

Having said that, I have recently created new web apps (using Docker containers), and today it is working without the workaround for my part, so to me it looks like the underlying bug is fixed.

@anders-kiaer
Copy link
Author

For Single Container (screenshot below) authentication now works out of the box. However, selecting the Docker Compose functionality and a minimal configuration setup (using the same image as when doing Single container), authentication suddenly is bypassed (i.e. you go directly to the app).

After I posted this comment, this has now been "fixed" by greying out the Authentication / Authorization tab when you use Docker compose, with a tooltip saying that "This feature is not supported with multi-container apps".

I.e. at least indicating that it is not working with Docker compose, even though technically it does not need to be a multi-container app. E.g. this will still not work:

version: '3'
services:
  web:
    image: some_acr.azurecr.io/pythonflasktutorial:latest
    ports:
      - 80:5000

@VladyslavHnatchenko
Copy link

@anders-kiaer, thank you very much for your answer! I added here in the Configuration -> Application settings -> WEBSITE_AUTH_DISABLE_IDENTITY_FLOW = true; but it's fixed my problem. When I turn off Authentication/Authorization(Log in with Azure Active Directory), my flask app worked correct, but when I turn on this function, I have 500 error(without details), in the last step of my workflow in the app. Thank you!

@VladyslavHnatchenko
Copy link

VladyslavHnatchenko commented Nov 11, 2019
edited
Loading

Sorry @anders-kiaer, why you add WEBSITES_PORT= 5000, I don't add this?

@anders-kiaer
Copy link
Author

Based on this line:

python-sample-vscode-flask-tutorial/Dockerfile

Lines 6 to 11 in 3b80224

# IMPORTANT: When deploying to Azure App Service, go to the App Service on the Azure
# portal, navigate to the Applications Settings blade, and create a setting named
# WEBSITES_PORT with a value that matches the port here (the Azure default is 80).
# You can also create a setting through the App Service Extension in VS Code.
ENV LISTEN_PORT=5000
EXPOSE 5000

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JoshuaPartlow JoshuaPartlow

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@kraigb @JoshuaPartlow @HansKallekleiv @qubitron @anders-kiaer @VladyslavHnatchenko