Setting Header Values for Authentication in App Service

K 0 Reputation points
2025-01-10T09:05:45.13+00:00

Currently, we are implementing both the frontend and backend as containers on App Service. We are using App Service authentication with Microsoft Entra ID and Single Sign-On (SSO). After authentication, we intend to authorize users based on their email addresses in the backend. However, we are unable to find the following four request headers in the browser's DevTools:

  • X-MS-CLIENT-PRINCIPAL
  • X-MS-CLIENT-PRINCIPAL-ID
  • X-MS-CLIENT-PRINCIPAL-NAME
  • X-MS-CLIENT-PRINCIPAL-IDP

After authentication with Microsoft Entra ID, is it possible for App Service to insert these headers into the request headers?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,187 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Grmacjon-MSFT 18,806 Reputation points
    2025-01-15T00:32:52.4266667+00:00

    Hi @K these headers are actually internal headers that App Service uses between its authentication middleware and your application. They are not directly visible in browser DevTools because they are server-side headers. However, there are two ways to access this authentication information:

    1. Using the EasyAuth endpoint:
    
    /.auth/me
    
    

    This endpoint will return a JSON object containing all the principal information, including claims and tokens.

    1. Using environment-specific special headers: 
    • For Linux App Service:

      ```

      X-MS-CLIENT-PRINCIPAL

      ```

      This header contains a Base64 encoded JSON with all principal information.

    • For Windows App Service:

      ```

      X-MS-CLIENT-PRINCIPAL-NAME (user's name/email)

      X-MS-CLIENT-PRINCIPAL-ID (unique user ID)

      X-MS-CLIENT-PRINCIPAL-IDP (identity provider)

      ```

    Here's how you can access this information in your backend:

    
    // For Linux App Service
    
    public class UserInfo
    
    {
    
        public async Task<IActionResult> GetUserInfo([FromHeader(Name = "X-MS-CLIENT-PRINCIPAL")] string principal)
    
        {
    
            if (string.IsNullOrEmpty(principal))
    
            {
    
                return Unauthorized();
    
            }
    
            // Decode the Base64 string
    
            byte[] bytes = Convert.FromBase64String(principal);
    
            string jsonString = System.Text.Encoding.UTF8.GetString(bytes);
    
            
    
            // Parse the JSON to get user information
    
            var userInfo = JsonSerializer.Deserialize<ClientPrincipal>(jsonString);
    
            
    
            return Ok(userInfo);
    
        }
    
    }
    
    // For Windows App Service
    
    public class UserInfo
    
    {
    
        public IActionResult GetUserInfo(
    
            [FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-NAME")] string name,
    
            [FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-ID")] string id,
    
            [FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-IDP")] string idp)
    
        {
    
            if (string.IsNullOrEmpty(name))
    
            {
    
                return Unauthorized();
    
            }
    
            var userInfo = new
    
            {
    
                Name = name,
    
                Id = id,
    
                IdentityProvider = idp
    
            };
    
            
    
            return Ok(userInfo);
    
        }
    
    }
    
    

    Some important points to note:

    1. Make sure App Service authentication is properly configured in your Azure portal:

       - Enable authentication

       - Configure Microsoft Entra ID as the identity provider

       - Set "Action to take when request is not authenticated" to "Log in with Microsoft Entra ID"

    1. If you're using a Linux App Service, you'll need to decode the Base64-encoded X-MS-CLIENT-PRINCIPAL header to access the user information.
    2. Consider implementing a middleware to handle the authentication information consistently across your application:
    
    public class AuthenticationMiddleware
    
    {
    
        private readonly RequestDelegate _next;
    
        public AuthenticationMiddleware(RequestDelegate next)
    
        {
    
            _next = next;
    
        }
    
        public async Task InvokeAsync(HttpContext context)
    
        {
    
            // For Linux
    
            string principal = context.Request.Headers["X-MS-CLIENT-PRINCIPAL"].FirstOrDefault();
    
            if (!string.IsNullOrEmpty(principal))
    
            {
    
                byte[] bytes = Convert.FromBase64String(principal);
    
                string jsonString = System.Text.Encoding.UTF8.GetString(bytes);
    
                context.Items["UserPrincipal"] = JsonSerializer.Deserialize<ClientPrincipal>(jsonString);
    
            }
    
            // For Windows
    
            string userName = context.Request.Headers["X-MS-CLIENT-PRINCIPAL-NAME"].FirstOrDefault();
    
            if (!string.IsNullOrEmpty(userName))
    
            {
    
                context.Items["UserName"] = userName;
    
            }
    
            await _next(context);
    
        }
    
    }
    
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.