Vijay

Reputation: 1088

Permission error for Azure Active Directory easy auth /.auth/me returns 401

I have a Python Flask app for which I use Azure Easy Auth (Azure Active Directory) for App Service. The login mechanism works well. However, I want the info on who the logged-in user is, i.e., name, email etc. For this I understood that we can call http://xyz.contoso.com/.auth/me, which will return the data required. However, when I send a GET request from the web app, it does not work and returns a 401 with "You do not have permission to view this directory or page". If I browse to the same page with my browser, it works, returning the data about the logged-in user. Am I missing something?

Upvotes: 3

Views: 1204

Answers (2)

Johannes Schmidt

Reputation: 1

You can call the /.auth/me endpoint within your app (e.g. Flask) if you add the appropriate header to your request.

Here is an example:

from typing import Dict

import httpx
from httpx import Response

url: str = "https://some_url/.auth/me"

# Name and value of the Easy Auth session cookie, taken from the browser's request
cookie_name: str = "AppServiceAuthSession"
cookie_value: str = "{cookie_value}"

# Forward it as a Cookie header so /.auth/me sees an authenticated session
cookie_header: str = f"{cookie_name}={cookie_value}"

headers: Dict[str, str] = {"Cookie": cookie_header}

response: Response = httpx.get(url, headers=headers)

Found this out by reading the docs and looking at the network call in the browser.


Edit: Please note that in some cases the cookie can consist of several cookies, e.g. AppServiceAuthSession & AppServiceAuthSession1. You need to include them both in the header cookie in your request. For example {"cookie": "AppServiceAuthSession=abc;AppServiceAuthSession1=def"}

Upvotes: 0
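A fuller version of the approach in this answer, added here as an example and not code from the original post: instead of pasting a cookie value into the source, take the AppServiceAuthSession* cookies from the incoming request (in Flask, request.cookies), forward only those to /.auth/me on the app's own public hostname, and reduce the response to the name and email the question asks for. It uses the standard library instead of httpx so it has no extra dependency. The hostname, the claim types searched and the sample payload are assumptions; the payload is constructed to match the shape of an Azure AD /.auth/me response, not captured from a real app.

```python
import json
import urllib.request
from typing import Any, Dict, List, Mapping, Optional

# Easy Auth splits a large session cookie into AppServiceAuthSession,
# AppServiceAuthSession1, AppServiceAuthSession2, ... ; all chunks must be forwarded.
AUTH_COOKIE_PREFIX = "AppServiceAuthSession"

# Claim types Azure AD commonly emits; which ones appear depends on the token
# configuration, so each list is tried in order (assumption, adjust to your tenant).
EMAIL_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "preferred_username",
    "upn",
)
NAME_CLAIMS = (
    "name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
)


def build_cookie_header(cookies: Mapping[str, str]) -> Optional[str]:
    """Assemble a Cookie header carrying every Easy Auth session chunk and nothing else.

    Returns None when the request carries no session at all, so the caller can
    short-circuit instead of making a /.auth/me call that will come back 401.
    Other cookies (your own Flask session, CSRF tokens) are deliberately not forwarded.
    """
    chunks = sorted(
        ((name, value) for name, value in cookies.items() if name.startswith(AUTH_COOKIE_PREFIX)),
        key=lambda item: (len(item[0]), item[0]),  # AppServiceAuthSession, ...1, ...2, ...10
    )
    if not chunks:
        return None
    return "; ".join(f"{name}={value}" for name, value in chunks)


def fetch_auth_me(base_url: str, cookies: Mapping[str, str], timeout: float = 5.0) -> Optional[List[Dict[str, Any]]]:
    """Call {base_url}/.auth/me on the caller's behalf, forwarding only its session cookies.

    base_url must be the public App Service hostname (e.g. https://xyz.contoso.com), because
    the Easy Auth module runs in the front end and only it can validate the cookie.
    An unauthenticated or expired session surfaces as urllib.error.HTTPError (401).
    """
    cookie_header = build_cookie_header(cookies)
    if cookie_header is None:
        return None
    req = urllib.request.Request(base_url.rstrip("/") + "/.auth/me", headers={"Cookie": cookie_header})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def extract_user(auth_me: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Reduce the /.auth/me payload (one entry per provider) to id, name and email."""
    if not auth_me:
        return None
    entry = auth_me[0]
    claims = entry.get("user_claims", [])

    def claim(types):
        for typ in types:
            for c in claims:
                if c.get("typ") == typ:
                    return c.get("val")
        return None

    return {
        "provider": entry.get("provider_name"),
        "user_id": entry.get("user_id"),
        "name": claim(NAME_CLAIMS),
        "email": claim(EMAIL_CLAIMS) or entry.get("user_id"),
    }


def constructed_auth_me() -> List[Dict[str, Any]]:
    """Constructed sample shaped like an Azure AD /.auth/me response; tokens are placeholders."""
    return [{
        "provider_name": "aad",
        "user_id": "jane@contoso.com",
        "expires_on": "2024-01-01T00:00:00.0000000Z",
        "access_token": "<redacted>",
        "id_token": "<redacted>",
        "user_claims": [
            {"typ": "name", "val": "Jane Example"},
            {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "val": "jane@contoso.com"},
            {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier", "val": "00000000-0000-0000-0000-000000000001"},
        ],
    }]


if __name__ == "__main__":
    # Offline demonstration on the constructed payload; in a Flask view you would instead do
    # extract_user(fetch_auth_me("https://xyz.contoso.com", request.cookies)).
    print(build_cookie_header({"AppServiceAuthSession": "abc", "AppServiceAuthSession1": "def", "session": "x"}))
    print(extract_user(constructed_auth_me()))
```

The session cookie is a credential: keep it out of logs and never forward it to any host other than the app's own front end. The /.auth/me response also contains the user's tokens (access_token, id_token), so hand the reduced dict to templates rather than the raw payload.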

Tony Ju

Reputation: 15619

You can access http://xyz.contoso.com/.auth/me via the browser since you have an authenticated session. But if you send the GET request from the web app, you will have no permission.

However, you can get the user information from the headers. App Service passes user claims to your application by using special headers. External requests aren't allowed to set these headers, so they are present only if set by App Service. Some example headers include:

X-MS-CLIENT-PRINCIPAL-NAME

X-MS-CLIENT-PRINCIPAL-ID

Reference:

Access user claims

Upvotes: 1
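A worked example of reading those headers in a Flask view, added here and not part of the answer: it uses the two headers the answer names plus X-MS-CLIENT-PRINCIPAL, the documented companion header that carries the full claim list as base64-encoded JSON, and returns 401 when App Service has stamped no identity on the request. The sample header values are constructed, the claim types searched are assumptions, and the code relies on the deployment assumption that the app is reachable only through the App Service front end with Easy Auth enabled, which is what makes these headers trustworthy in the first place. In a Flask view, pass request.headers to whoami().

```python
import base64
import json
from typing import Any, Dict, List, Mapping, Optional, Tuple

# Claim types Azure AD commonly emits; tried in order (assumption, adjust to your tenant).
EMAIL_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "preferred_username",
    "upn",
)
NAME_CLAIMS = (
    "name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
)


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; Flask's request.headers already is, a plain dict is not."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def decode_client_principal(headers: Mapping[str, str]) -> Optional[Dict[str, Any]]:
    """Decode X-MS-CLIENT-PRINCIPAL: base64 of a JSON object with auth_typ, claims, name_typ, role_typ.

    Returns None if the header is absent or not decodable, so a malformed value never
    turns into a half-parsed identity.
    """
    raw = _header(headers, "X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return None
    try:
        return json.loads(base64.b64decode(raw).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None


def _first_claim(claims: List[Dict[str, str]], types: Tuple[str, ...]) -> Optional[str]:
    for typ in types:
        for claim in claims:
            if claim.get("typ") == typ:
                return claim.get("val")
    return None


def current_user(headers: Mapping[str, str]) -> Optional[Dict[str, Any]]:
    """Return the Easy Auth identity for this request, or None when App Service stamped none.

    None covers the anonymous case (Easy Auth configured to allow unauthenticated requests)
    and a request that reached the app without passing through the platform; in both cases
    nothing else in the request should be treated as an identity.
    """
    principal_id = _header(headers, "X-MS-CLIENT-PRINCIPAL-ID")
    if not principal_id:
        return None
    principal = decode_client_principal(headers) or {}
    claims = principal.get("claims", [])
    name_header = _header(headers, "X-MS-CLIENT-PRINCIPAL-NAME")
    return {
        "id": principal_id,
        "name": _first_claim(claims, NAME_CLAIMS) or name_header,
        "email": _first_claim(claims, EMAIL_CLAIMS) or name_header,
        "idp": _header(headers, "X-MS-CLIENT-PRINCIPAL-IDP"),
        "roles": [c["val"] for c in claims if c.get("typ") == principal.get("role_typ")],
    }


def whoami(headers: Mapping[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Body of a /whoami view: (status, JSON-able body). 401 when no identity was stamped."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "not authenticated"}
    return 200, user


def constructed_headers() -> Dict[str, str]:
    """Constructed sample of what App Service adds to a request; not captured from a real app."""
    principal = {
        "auth_typ": "aad",
        "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "claims": [
            {"typ": "name", "val": "Jane Example"},
            {"typ": "preferred_username", "val": "jane@contoso.com"},
            {"typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "val": "Reader"},
        ],
    }
    encoded = base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")
    return {
        "X-MS-CLIENT-PRINCIPAL-NAME": "jane@contoso.com",
        "X-MS-CLIENT-PRINCIPAL-ID": "00000000-0000-0000-0000-000000000001",
        "X-MS-CLIENT-PRINCIPAL-IDP": "aad",
        "X-MS-CLIENT-PRINCIPAL": encoded,
    }


if __name__ == "__main__":
    print(whoami({}))                     # (401, {...}): nothing stamped by App Service
    print(whoami(constructed_headers()))  # (200, {...}): id, name, email, idp, roles
```

The check that matters is the one App Service already does for you: it strips these headers from incoming traffic, so their presence means the front end set them. That guarantee disappears if the app can be reached by any other path (a direct origin address, a misconfigured slot, or a deployment where Easy Auth is switched off), so pair this code with network restrictions that leave the front end as the only route in.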
