DFM_ALLOWED_APP_ROLES problem in standalone version

[Erry91]

Hi,

I am pretty sure I am missing something and this is not a bug, so if possible I would tag it as question.
I have an azure function resource that hosts the DurableFunctionsMonitor in the standalone version. I am trying to configure app roles and have one group of users that can only "read" and for example me with the permissions to start/restart etc.

For this I have followed the Wiki for the configuration and arrived with this setup:

And I have assigned to me the role "Writer":

Then I added the app settings to my azure function resource:

However, when I do this, as soon as the app restarts and I open a new clean session, login and get to the "home" page I receive a 401 error. This does not happen when I only configure allowed users by their emails with the app settings DFM_ALLOWED_USER_NAMES. However only using DFM_ALLOWED_USER_NAMES wouldn't accomplish what I am trying to achieve since any user would have full access in the durable functions monitor.

One thing that I am failing at as well is retrieving the access token to have a look at it.

Any ideas on what am I doing wrong?

Thank you very much in advance.

Enrico

[scale-tone]

Hi @Erry91 , the first thing to clarify is:
which auth flow your DfMon is using, server-directed or client-directed ?

The quickest way to check that on a running instance is to press F12 in your browser, go to Network tab and check any API call the client is making. If that API call contains Authorization header - then it is client-directed, otherwise it is server-directed.

[Erry91]

Hi @scale-tone and thank you for your reply. I would say I am in the server-directed situation. An example of API call is this, where I don't think I see any Authorization header in the request.

[scale-tone]

@Erry91 , please, try to cleanup cookies:

or simply relogin.

This should make the Roles claim to appear in the ClaimsPrincipal and thus resolve the issue.

[Erry91]

I tried that, both clearing cookies and relogin from incognito or another browser. The page still replies with 401 as soon as I enable the app setting DFM_ALLOWED_APP_ROLES

[scale-tone]

OK, from what I can see on your screenshots, you have your App Role's value set to DurableMonitorWriter.
While in DFM_ALLOWED_APP_ROLES setting you specify Writer (which is role's Display Name).
You need to specify DurableMonitorWriter there instead.
Please, try doing that.

[Erry91]

Oh my, I was using the Display Name and not the actual Value then. Thank you so much for spotting that for me! I was sure it was something silly but I couldn't nail it down...

[scale-tone]

(assuming it all works now) can I close this one, @Erry91 ?

[Erry91]

Yes, @scale-tone thank you again. We can close it.