Share via

Web app with Entra authentication got 403 error

Ben Wilson 20 Reputation points
2024-06-17T20:06:33.8233333+00:00

Webapp1 is a asp.net 8.0 app with Entra as authentication provider. The registered app is app1. Webapp1 used to work but I got the 403 app after a deployment.

The error page showed "Access to webapp1.azurewebsites.net was denied. You don't have the user rights to view this page. HTTP ERROR 403". The url is https://webapp1.azurewebsites.net/signin-oidc

The sign-in log of the Enterprise Applicatino app1 showed my sign-in activities and their status are all "Success".

There was no configuration change in app1.

In application insights, I found no exception or 403 error.

What should I do next?

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,371 questions
Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
842 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pinaki Ghatak 3,110 Reputation points Microsoft Employee
    2024-07-03T10:24:35.0333333+00:00

    Hello @Ben Wilson

    The HTTP 403 error typically indicates that the server understood the request, but it refuses to authorize it. This status is often returned if the request lacks valid authentication credentials for the target resource or if the server does not wish to make the representation available to the client.

    Here are a few things you could check:

    Role-Based Authorization: Ensure that the roles are correctly set up in your application. If the bearer token used for authentication contains a roles element, ASP.NET Core’s JWT bearer authentication middleware will use that data to populate roles for the user.

    Access Restrictions: Check if there are any access restrictions set up in the Networking page of your web app. Try giving access to all by adding 0.0.0.0/0. Later you can add restrictions based on your requirements.

    Certificate Authentication: If you're using certificate authentication, ensure that the correct certificate is sent. If no certificate or the wrong certificate is sent, an HTTP 403 status code is returned.

    Deployment Issues: Sometimes, the issue might be unrelated to authentication and could be due to an exception thrown in a completely unrelated area during deployment.

    Remember to check the sequence of the restrictions and the order in which you add the middleware in Configure, as these can impact the behavior of your application.

    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

    0 comments
  2. Ben Wilson 20 Reputation points
    2024-07-13T12:33:11.83+00:00

    I finally figured out the root cause. My app has codes for OpenIdConnect Middleware, as shown in my previous comments. while app service Easy Auth is enabled at the same time. Apparently, the 403 error is the result of the conflict between two authentication approaches. I removed the Easy Auth from the app service and the error was gone. It was strange that this app worked just fine for a couple months. My guess is that some recent changes in the Azure web app service made it less tolerant on my incorrect configuration.

    Best regards,

    0 comments