Durableorchestration client threw ERROR 401 in an environment authenticated by Azure Active Directory. #1348

Closed
master-maintenance1-peer-connect opened this issue May 9, 2020 · 5 comments
Labels
fix-ready Indicates that an issue has been fixed and will be available in the next release.

master-maintenance1-peer-connect commented May 9, 2020

Description

Durableorchestrationclient threw ERROR 401 in an environment authenticated by Azure Active Directory.

Expected behavior

I was able to set up an environment in which only users authenticated by AAD (Azure Active Directory) could launch the HttpTrigger Function.
And I expected that only AAD (Azure Active Directory)-authenticated users could invoke the durable orchestration function.

Actual behavior

The HTTP request holds the following authentication information, but there is no way to propagate it to durableorchestrationclient1 or axiosInstance.
Therefore, the HTTP request for axiosInstance inside durableorchestrationclient1 will be HTTP 401 Unauthorized.

 'x-ms-client-principal-name': 'master-maintenance1@.......onmicrosoft.com',
  'x-ms-client-principal-id': ...
  'x-ms-client-principal-idp': 'aad',
  'x-ms-client-principal':...............
  'x-ms-token-aad-access-token':.....',
  'x-ms-token-aad-expires-on': '2020-05-09T07:17:23.0000000Z',
  'x-ms-token-aad-refresh-token'

Relevant source code snippets

import * as df from "durable-functions";
import { AzureFunction, Context, HttpRequest } from "@azure/functions";

const httpStart: AzureFunction = async function (context: Context, req: HttpRequest): Promise<any> {
    // Debug output: writes process.env and every request header (including the x-ms-token-aad-* values) to the log.
    context.log("at httpstart:", context, process.env, req.headers);
    const durableorchestrationclient1 = df.getClient(context);
    const instanceId = "req.RequestedDataOrinented";
    const existingInstance = await durableorchestrationclient1.getStatus(instanceId);
    // Error: The operation failed with an unexpected status code: 401. Details: ""
    if (existingInstance) {
        try {
            // Stop the instance that already uses this id before starting a new one.
            await durableorchestrationclient1.terminate(instanceId, "replace request");
        } catch (err) {
            context.log("at durableorchestrationclient1 .terminate:", err);
        }
    }
    await durableorchestrationclient1.startNew("Batch_DurableFunctionsOrchestratorJS1", instanceId, req);
    return durableorchestrationclient1.createCheckStatusResponse(req, instanceId);
};

Known workarounds

Not known.
Maybe using the REST API with AAD-authenticated HTTP headers.

App Details

  • Durable Functions extension version (e.g. v1.8.3): durable-functions@1.3.3
  • Azure Functions runtime version (1.0 or 2.0): 2.0
  • Programming language used: JavaScript (TypeScript)

Screenshots

 Error: The operation failed with an unexpected status code: 401. Details: ""
    at DurableOrchestrationClient.createGenericError (/home/site/wwwroot/node_modules/durable-functions/lib/src/durableorchestrationclient.js:587:16)
    at DurableOrchestrationClient.<anonymous> (/home/site/wwwroot/node_modules/durable-functions/lib/src/durableorchestrationclient.js:126:48)
    at Generator.next (<anonymous>)
    at fulfilled (/home/site/wwwroot/node_modules/durable-functions/lib/src/durableorchestrationclient.js:4:58)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:189:7)

If deployed to Azure

FunctionName:Batch_DurableFunctionsHttpStart1

deployed to Azure: https://supportersystem-demo1-makedataactivity1.azurewebsites.net

repos: https://dev.azure.com/peerconnect/SupporterSystem-Demo1-MakeDataActivity1/_git/SupporterSystem-Demo1-MakeDataActivity1

@ghost ghost added the Needs: Triage 🔍 label May 9, 2020
@ConnorMcMahon
Contributor

This is currently expected with old versions of the Durable Task extension and the Durable Functions npm package. This is because the durableorchestrationclient communicates over HTTP, meaning it is blocked by the Authentication/Authorization feature.

If your app is using the latest version of the extension* (either 1.8.5 or 2.2.1), and the latest version of the durable-functions npm package, then we use a local HTTP endpoint for durableorchestrationclient, meaning we bypass the authentication altogether, and this is no longer a problem.

*note: By default, non-C# languages are using extension bundles, which are still pinned to 1.8.3 of the extension for at least a few more weeks, after which they will use 1.8.5. To upgrade this version so you can bypass this issue, remove the "extensionBundle" section of your host.json, and use the Functions CLI to install the extension manually with the below command:

func extensions install -p Microsoft.Azure.WebJobs.Extensions.DurableTask -v 2.2.1

@ConnorMcMahon ConnorMcMahon added fix-ready Indicates that an issue has been fixed and will be available in the next release. and removed Needs: Triage 🔍 labels May 14, 2020
master-maintenance1-peer-connect commented May 17, 2020

I need more help.
Together with the commands you didn't show, the execution in local environment was successful.
However, I got an error message when deploying to the Azure cloud environment.
Am I supposed to wait a few weeks?

  • at local environment;
    ** func extensions install -p Microsoft.Azure.WebJobs.Extensions.DurableTask -v 1.8.5
    ** func extensions install
    ** Automatically generated extensions.csproj even though only JavaScript is used as follow;
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
	<WarningsAsErrors></WarningsAsErrors>
	<DefaultItemExcludes>**</DefaultItemExcludes>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.CosmosDB" Version="3.0.7" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" Version="1.8.5" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage" Version="3.0.11" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator" Version="1.1.0" />
  </ItemGroup>
</Project>
  • at Azure cloud environment;
    ** Failed to update deployment history. Error: Bad Request (CODE: 400)
##[error]To debug further please check Kudu stack trace URL : https://$SupporterSystem-Demo1-MakeDataActivity1:***@supportersystem-demo1-makedataactivity1.scm.azurewebsites.net/api/vfs/LogFiles/kudu/trace
##[debug]Processed: ##vso[task.issue type=error;]To debug further please check Kudu stack trace URL : https://$SupporterSystem-Demo1-MakeDataActivity1:***@supportersystem-demo1-makedataactivity1.scm.azurewebsites.net/api/vfs/LogFiles/kudu/trace
##[debug]Deployment Failed with Error: Error: Error: Failed to deploy web package to App Service. Conflict (CODE: 409)
##[debug]task result: Failed
##[error]Error: Error: Failed to deploy web package to App Service. Conflict (CODE: 409)
##[debug]Processed: ##vso[task.issue type=error;]Error: Error: Failed to deploy web package to App Service. Conflict (CODE: 409)
##[debug]Processed: ##vso[task.complete result=Failed;]Error: Error: Failed to deploy web package to App Service. Conflict (CODE: 409)
##[debug]Application Insights is not configured for the App Service. Skipping adding release annotation.
##[debug]Azure_App_Service_Deploy_PackageArtifactAlias=
##[debug]release.releaseId=undefined
##[debug]release.releaseName=undefined
##[debug]system.TeamFoundationCollectionUri=https://dev.azure.com/peerconnect/
.....
##[debug]build.repository.name=SupporterSystem-Demo1-MakeDataActivity1
##[debug]build.repository.provider=TfsGit
##[debug]build.repository.uri=https://peerconnect@dev.azure.com/peerconnect/SupporterSystem-Demo1-MakeDataActivity1/_git/SupporterSystem-Demo1-MakeDataActivity1
##[debug]build.sourcebranchname=master
##[debug]build.buildUri=vstfs:///Build/Build/299
##[debug]release.releaseUri=undefined
##[debug]build.buildId=299
##[debug]release.releaseId=undefined
##[debug]build.buildNumber=20200516.4
##[debug]release.releaseName=undefined
##[debug]system.TeamFoundationCollectionUri=https://dev.azure.com/peerconnect/
##[debug]system.teamProjectId=******
##[debug]build.sourceVersion=0d53a10e670b663817eb7d34f39b8b9a2541c2a5
##[debug]build.repository.name=SupporterSystem-Demo1-MakeDataActivity1
##[debug]build.repository.provider=TfsGit
##[debug]system.teamproject=SupporterSystem-Demo1-MakeDataActivity1
##[debug]setting affinity cookie ["ARRAffinity=**********;Path=/;HttpOnly;Domain=supportersystem-demo1-makedataactivity1.scm.azurewebsites.net"]
##[debug][PUT]https://$SupporterSystem-Demo1-MakeDataActivity1:***@supportersystem-demo1-makedataactivity1.scm.azurewebsites.net/api/deployments/2991589644720453
##[debug]updateDeployment. Data: {"statusCode":400,"statusMessage":"Bad Request","headers":{"cache-control":"no-cache","pragma":"no-cache","expires":"-1","server":"Kestrel","date":"Sat, 16 May 2020 15:58:42 GMT","connection":"close","content-length":"0"}}
##[warning]Error: Failed to update deployment history. Error: Bad Request (CODE: 400)
##[debug]Processed: ##vso[task.issue type=warning;]Error: Failed to update deployment history. Error: Bad Request (CODE: 400)
##[debug]Active DeploymentId :undefined

@ConnorMcMahon
Contributor

You will not have to wait a few weeks. A peer of mine is looking into why your deployment failed.

@master-maintenance1-peer-connect
Author

It's been 19 days, but I am not getting a solution to the problem I encountered.

In the process of looking for workarounds,
I tried to use the function ms-identity-nodejs-webapi-azurefunctions&"passport-azure-ad",
and a similar deployment error occurred.
Azure-Samples/ms-identity-nodejs-webapi-azurefunctions#1

If there are no deployment errors,
is ms-identity-nodejs-webapi-azurefunctions a workaround?

master-maintenance1-peer-connect commented Jun 3, 2020

"wait A few weeks later", it seems to have become the time when it was noticed.
The following extensions.csproj worked around the problem.
Maybe, if we wait a few weeks, we won't have to make the following files,
to Programming language used: JavaScript(TypeScript) (NOT C#).

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
	<WarningsAsErrors></WarningsAsErrors>
	<DefaultItemExcludes>**</DefaultItemExcludes>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.CosmosDB" Version="3.0.7" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" Version="1.8.5" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage" Version="3.0.11" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator" Version="1.0.2" />
  </ItemGroup>
</Project>
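
Added example, not part of the original thread or the project's code: a JavaScript check that applies the condition from the maintainer's reply (no "extensionBundle" section in host.json, DurableTask extension at 1.8.5 or 2.2.1) to the text of host.json and extensions.csproj. Treating those two versions as minimums for their major lines is an assumption, and the function names and sample inputs are constructed; the durable-functions npm package version is not checked because the thread names no version for it.

```javascript
// Added example; helper names and sample inputs are constructed.
// Minimum extension version per major line, taken from the thread (assumed to be minimums).
const FIXED = { 1: [1, 8, 5], 2: [2, 2, 1] };
const PKG = "Microsoft.Azure.WebJobs.Extensions.DurableTask";

// Return the Version attribute of the DurableTask PackageReference, or null.
function durableTaskVersion(csprojText) {
  for (const [tag] of csprojText.matchAll(/<PackageReference\b[^>]*>/g)) {
    const include = /\bInclude="([^"]*)"/.exec(tag);
    const version = /\bVersion="([^"]*)"/.exec(tag);
    if (include && include[1] === PKG && version) return version[1];
  }
  return null;
}

// True when [major, minor, patch] v is greater than or equal to min.
function atLeast(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i];
  }
  return true;
}

// Classify a project from the text of its host.json and extensions.csproj.
function checkDurableExtension(hostJsonText, csprojText) {
  const host = JSON.parse(hostJsonText);
  // With a bundle configured, the bundle decides the extension version.
  if (host.extensionBundle) return { status: "bundle", version: null };
  const raw = durableTaskVersion(csprojText || "");
  const m = raw && /^(\d+)\.(\d+)\.(\d+)/.exec(raw);
  if (!m) return { status: "missing", version: null };
  const v = m.slice(1).map(Number);
  const min = FIXED[v[0]];
  // The thread covers majors 1 and 2 only: report other majors, do not guess.
  if (!min) return { status: "unknown-major", version: raw };
  return { status: atLeast(v, min) ? "fixed" : "affected", version: raw };
}

// Constructed sample inputs.
const bundled = '{"version":"2.0","extensionBundle":{"id":"Microsoft.Azure.Functions.ExtensionBundle","version":"[1.*, 2.0.0)"}}';
const manual = '{"version":"2.0"}';
const csproj = (ver) => `<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage" Version="3.0.11" />
  <PackageReference Include="${PKG}" Version="${ver}" />
</ItemGroup></Project>`;

console.log(checkDurableExtension(bundled, ""));
console.log(checkDurableExtension(manual, csproj("1.8.3")));
console.log(checkDurableExtension(manual, csproj("1.8.5")));
```

A "bundle" result means the project files alone cannot tell which extension version runs; "affected" means the durable client still calls the endpoint protected by Authentication/Authorization and can be expected to return 401.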
