Authenticate with Azure AD

[DennisRP]

It should be simple, but I cannot get it to work.
If DAB _entity._permission.role is "anonymous", it works. If I use "authenticated". I always get:

{
  "error": {
    "code": "AuthorizationCheckFailed",
    "message": "Authorization Failure: Access Not Allowed.",
    "status": 403
  }
}

I am creating a Static Web App in Azure, enabling Database connection (preview), adjusting autogenerated pipeline yaml by adding "skip_app_build: true" for it to run and deploy configuration.

Creating two App Registrations; one for DAB and another for an service principal/app to test the access.

Auth provider in DAB is set to AzureAD with correct DAB client id and tenant url.

I can generate an accesstoken for the service principal, but I still get 403 when sending it to DAB. I even tried to create an app role, changed role for one of the database entities to matched, verified that it existed in the jwt accesstoken, adding X-MS-API-ROLE to the header - but still same error message.

I know I am doing something wrong, but not sure what.

[seantleonard]

Hi @DennisRP,

[See full thread here: Discussions/1720]

When using DAB with Static Web Apps (Database Connections feature), DAB configuration (for Static Web Apps, this file may be named staticwebapp.database.config.json) and DAB's config should use the following authentication config per this doc snippet:

"authentication": {
    "provider": "StaticWebApps"
}

From Static Web Apps, you can then configure authentication providers like Azure AD. Step by step found here: https://learn.microsoft.com/azure/static-web-apps/authentication-authorization

---

For convenience, these were the steps I had used to create my own working SWA+DAB environment.

The following changes should be made in your Static Web Apps config file staticwebapp.config.json (not DAB's config file). That file is located in your GitHub repo for your SWA project, most likely under the /src folder.

1. Modify the auth section to include Azure AD, and add your tenant ID where noted between the < >. Note: the environment variables AZURE_CLIENT_ID and AZURE_CLIENT_SECRET must be set within the Azure Portal under your SWA apps config page.

"auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID_REPLACE_THIS>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    }

2. Confirm your staticwebapp.config.json​ file has an entry for the route /data-api. You may have something that looks like the following, if not, you'll need to add it.

     {
       "route": "/data-api/*",
       "allowedRoles": ["anonymous","authenticated"]
     }

3. You'll need to update the 'allowed' roles to match the roles you utilize in your DAB configuration.

      {
        "route": "/data-api/*",
        "allowedRoles": ["anonymous","authenticated", "samplerole"]
      }

Example config file (For reference only):

{
    "routes": [
        {
            "route": "/authenticated/*",
            "allowedRoles": [
                "authenticated"
            ]
        },
        {
            "route": "/data-api/*",
            "allowedRoles": [
                "anonymous",
                "authenticated"
            ]
        }
    ],
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID_REPLACE_THIS>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    }
}

[DennisRP]

Hi Sean, thank you for provding an answer.

It still doesn't work, same error. I feel like I've read all documentation and issues available but still no dice. I always tried this approach earlier (with no luck) but just to be sure I did it again. I don't know if you see any error, if I provide my setup.

staticwebapp.config.json

{
    "auth": {
        "identityProviders": {
            "azureActiveDirectory": {
                "registration": {
                    "openIdIssuer": "https://login.microsoftonline.com/<my tenant id>/v2.0",
                    "clientIdSettingName": "AZURE_CLIENT_ID",
                    "clientSecretSettingName": "AZURE_CLIENT_SECRET"
                }
            }
        }
    },
    "routes": [
      {
        "route": "/",
        "redirect": "/test.html",
        "methods": ["GET"]
      },
      {
        "route": "/data-api/*",
        "allowedRoles": ["anonymous","authenticated","Application.Read"]
      }
    ]
  }

I created this file (it was not provided when creating an Azure Static Web App and cloning the generated repo). "AZURE_CLIENT_" strings are like this in the config and both are created as application settings in the Static Web App resource. I also added the "route: "/" redirect, to ensure the config was kicking in.

staticwebapp.database.config.json

  "entities": {
    "customer": {
      "source": {
        "object": "dbo.Books",
        "type": "table"
      },
      "graphql": {
        "enabled": false,
        "type": {
          "singular": "Customer",
          "plural": "Customers"
        }
      },
      "rest": {
        "enabled": true
      },
      "permissions": [
        {
          "role": "authenticated",
          "actions": [
            {
              "action": "*"
            }
          ]
        }
      ]
    },

I also have another entity called vendor that looks pretty much the same, though role = Application.Read (which is an app role that my API has, which has been added on my client App Registration and approved by an admin). I don't expect my setup to be utilizing an app role, but wasn't sure if it was required, so I made two DAB endpoints so I could check both.

Im using VS Code extension "Thunderclient" for issuing requests

When I decode the returned token, it's a v2, with "Application.Read" role in it.
I can see in Thunderclient console, that the token is being sent along with the request.
But still, I get the 403 error as in my main post. Is there a way to view logs perhaps?

Again, thank you for reaching out, much appreciated.

[DennisRP]

More setup.

SWA Config:

App Registration - DAB:
Application (client) ID: c9c0bd2a-
Secret: V~R8

App Registration - Client (used in Thunderclient)
Application (client) ID: e9261952-
Secret: w4g

Autogenerated deploy pipeline:

[Aniruddh25]

@thomasgauvin, could you please take a look at this question?

[dbapibuilder]

If App Roles value is "Application.Read" for Azure App Registration, please change role's value to "Application.Read" instead of "authenticated" from config json. And add X-MS-API-ROLE: Application.Read to the header when invoking. Have a try.

"permissions": [
{
"role": "Application.Read",
"actions": [
{
"action": "*"
}
]
}
]
},

[DennisRP]

Thank you for pitching in. I also tried that, unfortunately with the same error. Actually, no matter what I try I always get 403, even when switching between StaticWebApp and AzureAd as auth.

Just to be sure, I dont need to set a role right? If I stick with authenticated, that should be enough for seeing my data?

I think I will try DAB as Azure Container Instance instead since that might work and also be more in scope of the api being a dataheavy provider and not for supporting a SPA.

[dbapibuilder]

From my personal experience, you don't need to set a role for development environment. Setting a role value make secure for production development.
I notice that your App role and API permission are Application type, I use User/Group and Delegated from App registration. Probably you check the official setting again https://learn.microsoft.com/en-us/azure/data-api-builder/authentication-azure-ad.

I met the same error annoyingly before. Following up the official article step by step helped locate the wrong setting and fix for me. Good lucky to you.

Belows are FYI.

[DennisRP]

Thanks again for your detailed guide. I am pretty sure too that my API will work if I do this. I just dont want to allow a user account to authenticate against my API. It should only be a service account (and therefore I avoid using a delegated permission). Your effort are greatly appreciated though!

[yorek]

Also, check this you. With SWA it should be as easy as using the "StaticWebApps" provider in the configuration file, and then calling /.auth/login/aad, as described here: Authenticate and authorize Static Web Apps, and then you should be good to go.

Check out this video too: Authentication and row level-security with Jamstack application in 10 minutes

Completely different configuration if you need to customize the AAD Authentication Process (for example you want to allow only people with a certain email domain to log in). Let me know if you need custom authentucation, I have a sample ready with that :)

[DennisRP]

Thank you for your feedback. You are right, if I append /.auth/login/aad then it works just as expected. But I need this to work in the context of a service account. No user will ever do a login to my API, only automated systems or scripts.

I am really starting to think that I am using the wrong tool for the job. A container must be more suited - I just hoped SWA provided a quick system-to-system flow for me.

[yorek]

Yeah, most likely running DAB in an Azure Container Apps would be the best option for you. I recentently updated the ACA sample, that is waiting to be merged, take a look at it here: #1858.

Having said that, you still need to go through all the process of setting up service-to-service authentication. I haven't tried yet. It should be the regular process you would follow if you would have to authenticate - for example - an Azure Function to call another Azure Function. Would be great if, once you have done it, you could blog or write your findings.

Happy to help if needed :)

[DennisRP]

So, like I saw some other guy here in another thread do, I instead deployed my DAB service as an Azure Container Instance, which straight away worked with AzureAD as authentication for my App Registrations.

[sudhanshu2356]

can u share the blog where i can see DAB using app Registrations. basically i want to autheticate by service account or client id not by azure user account

[samanax]

I have spent two days trying to find a solution to this problem, and finally, I found this discussion. The authentication works perfectly when I run the SWA locally, but it does not work on Azure. Here are my values on staticwebapp.database.config.json file:
Auth:

"authentication": {
          "provider": "AzureAD",
          "jwt": {
              "audience": "CLIENT ID OF THE SP (GUID)",
              "issuer": "https://login.microsoftonline.com/OURTENANTGUID/v2.0"
          }
        }

And the permissions:

 "permissions": [
          {
            "role": "Appname.Reader",
            "actions": ["*"]
          }
        ]

I have the X-MS-API-ROLE in my api calls and have done everything as explained in this article: https://learn.microsoft.com/en-gb/azure/data-api-builder/authentication-azure-ad

What am I doing wrong?

[seantleonard]

When using Static Web Apps, set the authentication provider as StaticWebApps. then you will be able to set up your AzureAD/EntraID settings in the SWA config. See: https://learn.microsoft.com/azure/static-web-apps/authentication-custom?tabs=aad%2Cinvitations#configure-a-custom-identity-provider