How to configure app settings if both using dashboard and api

[gummigroda]

Hi and thanks for a great solution 👍

I'm trying to configure the app service to allow us to use the dashboard and the api with Entra ID authentication AND only to assigned users/group and applications.

Reading the appointed documentation: https://github.com/shibayan/keyvault-acmebot/wiki/App-Role-based-authorization
I've added the roles and the App Setting: Acmebot:AppRoleRequired = true, I've also added the user I'm using to the roles in the Enterprise App, but trying to issue a certificate in the dashboard gives me a 403.
Removing the Acmebot:AppRoleRequired = true setting and keeping the 'App Role' assignment, lets me again issue certificates.

Regardless, of settings, I'm not able to issue a certificate via below PowerShell snippet:

$at = Get-AzAccessToken -ResourceUrl 'api://6374f649-4f7f-4883-950a-310b24d53fe7' -AsSecureString
$props = @{
  Uri         = "https://REDACTED.azurewebsites.net/api/certificate"
  Headers     = @{Authorization = ('Bearer ' + ($at.Token | ConvertFrom-SecureString -AsPlainText)) }
  Method      = 'POST'
  ContentType = 'application/json; charset=utf-8'
  ErrorAction = 'Stop'
  Body        = @{
    DnsNames = @('test2.domain.tld', 'test3.domain.tld')
  } | ConvertTo-Json -Depth 20
}
Invoke-RestMethod @props -Verbose

The error I'm getting when trying the API via PowerShell is: You do not have permission to view this directory or page. which seems odd...

How should I configure the App Registration and the Enterprise App to enable access to only specified users to the dashboard and the api for specified applications (SPs)

Thanks!

[shibayan]

If you get a 403 error when issuing a certificate from the dashboard, it is likely that the App Role has not been set correctly.

After creating the App Role correctly for the Entra ID App used in App Service Authentication, you need to assign the user application to the Enterprise Application associated with it.

Please check the procedure again.

[gummigroda]

Do I need to create the app roles to be able to access the API?

As of now, (in a new setup) I have the acmebot enterprise app set to Assignment required and added the required users to the Users and Groups with the Default Access role. This gives the users access to the Dashboard = All Good.

Now, when I try to access the API via powershell, I get the same error as above: You do not have permission to view this directory or page.
Usually, on my own Powershell function apps, this exact setup allows me to access the API as one of the assigned users. Perhaps I'm requesting the access token the incorrect way?

Is the Acmebot:AppRoleRequired setting and the setup of the AppRoles, just a way to delegate different permissions or is it NEEDED to be able to access the API and dashboard 'simultaneous'?

So my question is really, if we don't need different appRoles (all users are allowed to issue and revoke), what's needed to be able to access the dashboard and the API as an assigned user?

[gummigroda]

A quick update, I've tried to do a new deployment in a test environment via the Deploy To Azure button, and then added EasyAuth via the Portal within the Function. Same error as described above.
Then tried the Terraform example from here: https://github.com/shibayan/terraform-azurerm-keyvault-acmebot/blob/master/example/main.tf in same test environment.
Had some initial deployment problems, but after a successful deployment, I'm able to access the API. I'm able to see some differences in the terraform deployed app reg/enterprise app versus the 'Portal enabled one' within the function app. Let's see if I find the culprit.
Any ideas?

[igoltz]

Hello, thanks for the great tool!
I do follow up here instead of creating a new question.
We use it via GUI but now need some automation. But can't get the API access to work. Followed the documentation and other references like https://github.com/SparebankenVest/ingress2acmebotreflector/blob/main/controllers/ingress_controller.go
But all we get is "You do not have permission to view this directory or page." when using the API.
Simple test:

TENNANTID=ourTennent
CLIENTSECRET=xxxManuallyCreatedServicePrinicpal
APPCLIENTID=xxxManuallyCreatedServicePrinicpal
SCOPE=api://yyyAppRegDeployedByAcmebot/.default

TOKEN=$(curl -s -H 'Content-Type: application/x-www-form-urlencoded' \
-d "client_id=${APPCLIENTID}&scope=${SCOPE}&grant_type=client_credentials&client_secret=${CLIENTSECRET}" \
-X POST "https://login.microsoftonline.com/${TENNANTID}/oauth2/v2.0/token" \
| jq .access_token)

curl -H "Accept: application/json"  -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" \
-X GET "https://func-fn-acmeboyyyy.azurewebsites.net/api/certificates"

We configured app roles on the functions registration

Gave the manually created registration (the one used for client auth.) API permissions

These are seen now in the functions enterprise application

The functions Auth. settings are:

Following the above description also tried to add new paramter:

What are we missing, doing complete wrong? Your help is much appreciated.
Thanks a lot!