Exploring App Service Authentication on Linux

A while ago, it was announced that App Service on Linux had gained the ability to make use of Authentication / Authorization as well. Originally, I wanted to publish the article earlier, but I only got to finish it just now. This article is going to walk you through how Authentication / Authorization works in App Service on Linux and might give you a few hints on how to make some more use of it.

When you set up an App Service on Linux site you get the ability to enable Authentication / Authorization (also called EasyAuth internally at Microsoft). Honestly, this feature has fascinated me since the second I saw it. It basically allows you to protect your site or Azure Function in seconds. I have always wanted to run this feature on my own on-premise server as well – just for experiments – everything that goes in production must be running in Azure, and ideally on top of its platform services.

I am not going to describe how it works generally, because this has already been done by its author – Chris Gillum on his blog (I recommend reading it if you want to know about the internals).

Since we know that App Service on Linux is Docker-based, EasyAuth cannot be easily hooked into the image the way it is built into the IIS pipeline in App Service on Windows. This basically gave me two ideas – either Microsoft developed their own nginx/apache module which they run on top of the App Service on Linux’s proxy, or there is another container.

Just a sidenote: Cloudflare has actually built a very nice clone of EasyAuth for Nginx and Google’s OAuth2. It doesn’t have as many features as EasyAuth, but it is very nice.

Since I have moved my blog to Microsoft Azure, I have been running it in a Docker container which was heavily inspired by App Service on Linux’s containers. All of App Service’s containers reside on GitHub and, hold your hats… Docker Hub. I would have hoped for Microsoft to use Azure Container Registry instead, but anyway, let’s continue.

Thanks to all of the images being on Docker Hub, I discovered a very special image called middleware. When you explore the image, you won’t notice anything out of the ordinary – an ASP.NET Core Docker container, but the entrypoint is calling MiddlewareLinux.dll. When I saw that, I already knew I had found what I was looking for.

So it turned out that Microsoft is using an Ambassador Pattern which uses the Middleware container as a proxy which does all the EasyAuth magic for Docker.

Original: https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/ambassador.png
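The ambassador arrangement described above implies a trust boundary worth spelling out: the application container believes whatever identity headers arrive from the proxy, so the proxy has to discard any copies the client sent. The sketch below is an added example, not Microsoft's middleware code and not from the original article; the `X-Demo-Session` header, its `user.hexmac` format and the signing key are constructed for illustration, while `X-MS-CLIENT-PRINCIPAL-NAME` is the identity header App Service documents.

```python
import hashlib
import hmac

# Constructed demo key; a real ambassador would load its key from a secret store.
SIGNING_KEY = b"demo-key-not-a-real-secret"
# Prefix of the identity headers App Service passes to authenticated apps.
IDENTITY_PREFIX = "x-ms-client-principal"


def sign(user: str) -> str:
    """Build the hypothetical session value 'user.hexmac' used in this demo."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify(session: str):
    """Return the user name if the session value is authentic, else None."""
    user, _, mac = session.rpartition(".")
    if not user:
        return None
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; non-ASCII input must not raise.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user if ok else None


def ambassador(headers: dict):
    """Decide what the proxy sends upstream: (status, headers for the app)."""
    # 1. Normalise names and drop identity headers supplied by the client;
    #    only the proxy is allowed to set them.
    clean = {k.lower(): v for k, v in headers.items()
             if not k.lower().startswith(IDENTITY_PREFIX)}
    # 2. Authenticate the caller from the (hypothetical) session header.
    user = verify(clean.pop("x-demo-session", ""))
    if user is None:
        return 401, {}  # the request never reaches the application container
    # 3. Inject the verified identity and forward everything else.
    clean["x-ms-client-principal-name"] = user
    return 200, clean
```

The same reasoning is why the application container should only be reachable through the proxy: a request that bypasses it can carry any identity header it likes.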

Now having the ability to pull the image, the next obvious thing to do is to explore its contents. If you want to try it yourself, simply go to Play with Docker for a full Docker browser experience.

And there, in one of the layers, you can find the aforementioned DLL – MiddlewareLinux.dll – along with other DLLs (located in the /app directory in one of the layers). You can then zip all the files and use the transfer.sh service (or an alternative solution) to upload the archive from bash and move it to your PC. Unfortunately, due to the license included with the source code, this article has to end here. However, you should have sufficient information by now about how EasyAuth works in App Service on Linux. I have not been able to determine whether this additional container is running on the same instance as your application (and thus eating your resources, which is very likely to be honest) or running in some other tier placed in front of the worker roles. Additionally, you can read more about the general App Service on Linux architecture on IT Nerd Space – it has been described really well.

Please note: The purpose of this article is to provide insight and more understanding about how this software works, rather than create harm or break any license terms which might apply.

Author: Jan Hajek

I am Honza, hi.
