Conversation

@seantleonard seantleonard commented Nov 18, 2022

Why make this change?

  • Closes #864 (Improve X-MS-CLIENT-PRINCIPAL payload parsing and error handling) for AppService EasyAuth parsing
    • Before this change, an EasyAuth payload unable to be deserialized into AppService ClientPrincipal would result in silently handling the request as "anonymous" with no indication that EasyAuth payload was invalid.
    • After this change, the client is correctly notified via an HTTP 401 Unauthorized response when the EasyAuth payload is invalid, because a properly configured EasyAuth environment guarantees that an EasyAuth payload will be present for authenticated requests.
      • Note: No EasyAuth payload indicates an anonymous request. Applicable when the runtime config's authentication provider is StaticWebApps or AppService
      • Note: An EasyAuth payload that fails deserialization suggests there is an EasyAuth environment issue.

What is this change?

  • This change modifies previous EasyAuth authentication behavior. Now, requests with an invalid EasyAuth payload will result in HTTP 401 because the StaticWebApps/AppService Authentication Handler interprets a null identity as an EasyAuth authentication failure.
    • identity is null when:
    1. The EasyAuth header value fails to deserialize into the expected AppServiceClientPrincipal types.
    2. The EasyAuth header deserializes into the expected AppServiceClientPrincipal but property Auth_typ is null. Auth_typ signifies the authentication method (provider) and a null value is not expected.

How was this tested?

  • Integration Tests
  • Unit Tests added and updated to pass with the new behavior. Also updated authenticateDevModeRequests legacy behavior to handle this change.

Sample Request(s)

  • REST
    • Set the X-MS-CLIENT-PRINCIPAL header to the following JSON when the authentication provider is AppService
{"message": "hello world"}
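The fail-closed decision the description lists (payload absent: anonymous; payload present but undeserializable, or deserialized with a null auth_typ: HTTP 401), as an added example that is not the project's own code. The class, property and method names and the sample payloads are assumptions; the AppService header carries base64-encoded JSON, and the sample request above is run through the check to show why it is rejected.

```csharp
// Added example, not the project's code: models the fail-closed decision this PR describes
// for the AppService X-MS-CLIENT-PRINCIPAL header. Names and sample payloads are assumptions.
#nullable enable
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

public class AppServiceClientPrincipal
{
    // auth_typ names the authentication provider; a null value is not expected.
    [JsonPropertyName("auth_typ")] public string? Auth_typ { get; set; }
    [JsonPropertyName("name_typ")] public string? Name_typ { get; set; }
    [JsonPropertyName("role_typ")] public string? Role_typ { get; set; }
    [JsonPropertyName("claims")] public List<Dictionary<string, string>>? Claims { get; set; }
}

public static class EasyAuthPayloadCheck
{
    // Null identity in exactly the two cases the PR lists: the header does not
    // deserialize into AppServiceClientPrincipal, or it does but auth_typ is null.
    public static AppServiceClientPrincipal? Parse(string headerValue)
    {
        try
        {
            string json = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue));
            var principal = JsonSerializer.Deserialize<AppServiceClientPrincipal>(json);
            return principal?.Auth_typ is null ? null : principal;
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException)
        {
            return null; // bad base64 or bad JSON: an EasyAuth environment issue, not an anonymous caller
        }
    }

    // Absent header: anonymous request, allowed to proceed. Present but invalid: 401.
    public static int StatusFor(string? headerValue) =>
        headerValue is null ? 200 : (Parse(headerValue) is null ? 401 : 200);

    public static void Main()
    {
        string Encode(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
        // The PR's own sample header is valid JSON with no auth_typ, so it is rejected.
        Console.WriteLine("sample request: " + StatusFor(Encode("{\"message\": \"hello world\"}")));
        Console.WriteLine("valid principal: " + StatusFor(Encode("{\"auth_typ\":\"aad\",\"claims\":[]}")));
        Console.WriteLine("truncated JSON: " + StatusFor(Encode("{\"auth_typ\":\"aad\"")));
        Console.WriteLine("no header: " + StatusFor(null));
    }
}
```

Unknown JSON properties are ignored by System.Text.Json by default, which is why a syntactically valid but unrelated payload reaches the auth_typ check rather than failing deserialization.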

…g and handling. Updated and added unit tests to reflect new behavior: invalid EasyAuth payload results in HTTP 401.
@seantleonard seantleonard changed the title Enhanced EasyAuth Payload Processing Enhanced AppService EasyAuth Payload Processing Nov 18, 2022
@Aniruddh25 Aniruddh25 left a comment

LGTM after answering a few questions :)

@ayush3797 ayush3797 left a comment

LGTM!

@seantleonard seantleonard enabled auto-merge (squash) November 30, 2022 17:22
@ayush3797 ayush3797 left a comment

LGTM! Thanks for resolving the comments, Sean!

@seantleonard seantleonard merged commit 3878fd2 into main Nov 30, 2022
@seantleonard seantleonard deleted the dev/seleonar/easyAuthParseEnahance branch November 30, 2022 17:47
Successfully merging this pull request may close these issues.

Improve X-MS-CLIENT-PRINCIPAL payload parsing and error handling