Hi @K these headers are actually internal headers that App Service uses between its authentication middleware and your application. They are not directly visible in browser DevTools because they are server-side headers. However, there are two ways to access this authentication information:
- Using the EasyAuth endpoint:
/.auth/me
This endpoint will return a JSON object containing all the principal information, including claims and tokens.
- Using environment-specific special headers:
- For Linux App Service:
```
X-MS-CLIENT-PRINCIPAL
```
This header contains a Base64 encoded JSON with all principal information.
- For Windows App Service:
```
X-MS-CLIENT-PRINCIPAL-NAME (user's name/email)
X-MS-CLIENT-PRINCIPAL-ID (unique user ID)
X-MS-CLIENT-PRINCIPAL-IDP (identity provider)
```
Here's how you can access this information in your backend:
// For Linux App Service
public class UserInfo
{
public async Task<IActionResult> GetUserInfo([FromHeader(Name = "X-MS-CLIENT-PRINCIPAL")] string principal)
{
if (string.IsNullOrEmpty(principal))
{
return Unauthorized();
}
// Decode the Base64 string
byte[] bytes = Convert.FromBase64String(principal);
string jsonString = System.Text.Encoding.UTF8.GetString(bytes);
// Parse the JSON to get user information
var userInfo = JsonSerializer.Deserialize<ClientPrincipal>(jsonString);
return Ok(userInfo);
}
}
// For Windows App Service
public class UserInfo
{
public IActionResult GetUserInfo(
[FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-NAME")] string name,
[FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-ID")] string id,
[FromHeader(Name = "X-MS-CLIENT-PRINCIPAL-IDP")] string idp)
{
if (string.IsNullOrEmpty(name))
{
return Unauthorized();
}
var userInfo = new
{
Name = name,
Id = id,
IdentityProvider = idp
};
return Ok(userInfo);
}
}
Some important points to note:
- Make sure App Service authentication is properly configured in your Azure portal:
- Enable authentication
- Configure Microsoft Entra ID as the identity provider
- Set "Action to take when request is not authenticated" to "Log in with Microsoft Entra ID"
- If you're using a Linux App Service, you'll need to decode the Base64-encoded X-MS-CLIENT-PRINCIPAL header to access the user information.
- Consider implementing a middleware to handle the authentication information consistently across your application:
public class AuthenticationMiddleware
{
private readonly RequestDelegate _next;
public AuthenticationMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
// For Linux
string principal = context.Request.Headers["X-MS-CLIENT-PRINCIPAL"].FirstOrDefault();
if (!string.IsNullOrEmpty(principal))
{
byte[] bytes = Convert.FromBase64String(principal);
string jsonString = System.Text.Encoding.UTF8.GetString(bytes);
context.Items["UserPrincipal"] = JsonSerializer.Deserialize<ClientPrincipal>(jsonString);
}
// For Windows
string userName = context.Request.Headers["X-MS-CLIENT-PRINCIPAL-NAME"].FirstOrDefault();
if (!string.IsNullOrEmpty(userName))
{
context.Items["UserName"] = userName;
}
await _next(context);
}
}