-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Do not auto-detect region if app developer does not opt-in to region #629
Comments
Thanks for reading our docs and speaking up for app developers.
I believe the suggestion above still applies. Basically, as long as auto detection can find a region, then the Please try that |
Hi @pamelafox . Azure Region (ESTS-R) is a mechanism only available to 1st party applications (registered via the 1p app portal). Apps need to use Subject/Name issuer mechanism for certificates (sendX5C API). This is only available in Microsoft production tenants. If your app is 1p and you are using SN/I, you are requested to use region, we recommend that you configure the region yourself. Auto-discovery is not working very well. If, instead, you ask customers to setup their own apps, then these are 3p apps and you cannot use regional auth. Is this your case? @rayluo - from the code snippet above, it does not look like region was set at all. MSAL Py should not run auto-discovery. Marking this as a bug. |
Back then, these were the region feature criteria that was documented. The 4 criteria were believed to be with
@bgavrilMS , thanks for pointing that out. I went back to memory lane and now remember what happened in the history.
So, this customer's code snippet did not opt in to use region, currently MSAL Python performs an env var-based auto-detection and emits that warning, but would not use region in this case. Those are all the current known behaviors. If we now want to have MSAL Python strictly follow design No.2, let me know. I can work out a PR for this. |
Will discuss offline more details. The correct behavior is:
|
I'm a bit confused as to what I should be doing for our app on App Service. I'm not positive what 1p vs 3p means in this situation, our app is a sample that many customers deploy to their tenants, and we're working on automating its auth setup in this PR: Azure-Samples/azure-search-openai-demo#891 |
@pamelafox - it looks like you expect your end-users to create the applications in their own tenants, so the apps are 3p. 1p apps means application created in the 1st party application portal. Also, it looks like you configure the back-end as a web-api, and expect to use OBO (on-behalf-of) flow. Regional Auth is not available to OBO anyway, so this is a moot point. It's better to not use "azure_region" in your case. Aside: you are asking users to configure a secret in their app registration. While this works, we recommend folks to use certificates in their production apps. Perhaps you can add a note about this. Aside2: @rayluo does MSAL.py automatically ignore region for OBO ? |
Okay, if I remove azure_region, I will go back to seeing the warning, but perhaps that's an issue on your side? Yeah, I know certificates are recommended, and I've been trying to come up with an automation flow using KeyVault to create certificates, but it's been a bit tricky. Hoping to have that worked out by Build. I'll look for a place in code or README to suggest certs. Thanks! |
Yeah the warning is an issue in MSAL Py. I proposed a PR for this, waiting for @rayluo to review. |
Describe the bug
We're using code like this on App Service:
To Reproduce
Steps to reproduce the behavior:
Open Azure-Samples/azure-search-openai-demo#891 in a Codespace and follow README steps to deploy.
azd env set AZURE_USE_AUTHENTICATION true
to enable the login UI and App Service authentication.azd env set AZURE_AUTH_TENANT_ID <YOUR-TENANT-ID>
to set the tenant ID associated with authentication.azd up
to deploy the app.Expected behavior
I don't expect to see warnings in the logs.
What you see instead
I see this warning:
WARNING:msal.application:Region configured (None) != region detected ('eastus2')
I read through https://msal-python.readthedocs.io/en/latest/index.html#msal.ClientApplication.params.azure_region but am still not sure what we should be doing on App Service, since it only explicitly mentions VMs and Functions. For App Service, should we keep it as None and avoid the warning? Or set it to our region? Or set it to True?
The MSAL Python version you are using
1.24.1
The text was updated successfully, but these errors were encountered: