SOLVED

UWP web distribution behind AAD auth


I've asked this over at StackOverflow and also as a reply on another thread in this forum, but think this question is appropriate as a stand-alone topic in this forum.

I have an internal LOB UWP app which I want to make available to company employees across the world. With the future of the MS Store for Business uncertain, we've moved in the direction of web distribution.

The app already does AAD auth internally, but we'd like to require users to be authenticated against AAD before even getting to the web distribution page. Pushing this out to an Azure web site with 'Easy Auth' turned on seems like a good solution for this.

However, turning this feature on breaks the installer experience with the AppInstaller displaying the message 'An error occurred while accessing the file from the web. Please try downloading and opening the file locally'. This is probably because the AppInstaller is making its own http request to the msix file without using inherited auth tokens from the original web login. My guess is this will also be a problem for the auto-update feature.

Is this problem solvable today or will it be solvable in the future? Is there a better approach to this problem which doesn't require being on a company WAN?

1 Reply
best response confirmed by John Vintzel (Microsoft)
Solution

Hi @JoshKBCCG

You're correct - the problem is that App Installer is making its own auth request without the inherited web auth tokens. Sending authenticated requests is currently not supported today but this is an item in our backlog and we're working to address this issue.

Cheers,

Tanaka