Deployed DAB on Azure Container App 403 Forbidden

[thinh-ngu]

Hello all, I'm so close to the finish line of getting this working.
If anyone had any insight, it would help a lot.

What I am doing is sending via postman to my endpoint */api/rls_test_view

With the following headers:
Authorization: Bearer ey909e0esfjse
X-MS-API-ROLE: DAB.Reader

I've configured myself to be the user in the "Enterprise App" and assigned myself the role of DAB.Reader.

I'm obtaining my access token for my ACA DAB API and confirm that I have the role of DAB.Reader in the decoded access token as well. This access token represents me as a user along with any roles I've defined.

However when I attempt utilize it in the app I get these 403 Forbidden errors in the HTTPAuth :
2024-04-20T16:07:05.506860210Z {"Timestamp":"2024-04-20T16:07:05.5057532Z","SiteName":"","TaskName":"MiddlewareWarning","Message":"Access was denied for 'Th**PII**' because this principal does not match any of the allowed applications.","ModuleRuntimeVersion":"1.6.20","ProviderName":"Microsoft-Azure-AppService-Middleware","Level":3,"EventId":5} 2024-04-20T16:07:05.595554154Z warn: MiddlewareConsoleLogs[0] 2024-04-20T16:07:05.595581756Z {"Timestamp":"2024-04-20T16:07:05.5073634Z","SiteName":"","TaskName":"MiddlewareWarning","Message":"An authenticated principal (userhash: E45F4A8464CFBC48155436B76640EB35) for an API call failed authorization.","ModuleRuntimeVersion":"1.6.20","ProviderName":"Microsoft-Azure-AppService-Middleware","Level":3,"EventId":5} 2024-04-20T16:07:05.599035125Z info: MiddlewareConsoleLogs[0]

Note things I have already investigated:

1. I confirmed that its not an issuer issue(due to v1 vs v2 token) as I encounter that earlier in the process and fixed it.
2. I have also tried the same thing without any app roles and role of "authenticated" and the result is the same.
3. All the scenarios I have written about work perfectly locally. e.g.

Would anyone know what I am missing here (possibly in the Azure Container App Configurations)?

Snippet of part of my dab-config.json

"authentication": { "provider": "AzureAD", "jwt": { "audience": "@env('APP_ID')", "issuer": "@env('AUTH_URL')" } }, "mode": "development" } }, "entities": { "rls_test_view": { "source": { "object": "[dbo].[rls_test_view]", "type": "view", "key-fields": [ "id" ] }, "graphql": { "enabled": true, "type": { "singular": "rls_test_view", "plural": "rls_test_views" } }, "rest": { "enabled": true }, "permissions": [ { "role": "DAB.Reader",

[thinh-ngu]

I figured out the issue was.

If you add any authentication provider in the Azure Container App settings, it causes conflicts if you decide to use the built in DAB authentication.

This causes the sidecar HttpAuth container that azure container app spins up to conflict.

When I deleted all the authentication providers and used the built in DAB authentication via the following it works fine:

"authentication": { "provider": "AzureAD", "jwt": { "audience": "@env('APP_ID')", "issuer": "@env('AUTH_URL')" } }

[yorek]

Fantastic! Your experience would make a fantastic blog post! ;)

[JuanMeeske]

So you don't need the authentication settings in ACA? Only the dab-config.json part?

[thinh-ngu]

That's right.

You just need pass in the access token to the authorization header of your rest API call.