Azure App Calls Rest API to Backend Server; Set-Cookie Header from Server is stripped out by Azure App

  • Question

  • (@AzureSupport on Twitter told us to post here but not sure if it's the correct forum)

    Hello, we have an Azure app, built using Microsoft's botframework. The bot app that's hosted on Azure allows a user to post updates to our backend website, which is hosted elsewhere.  Login/authentication works fine, as do HTTP Get requests. However posts that require users to be authenticated fail with an error: "ForbiddenError: ["Access denied for user anonymous""

    This scenario - logging in and posting by authenticated users via the REST API - works fine through Postman and through our Android and iOS apps.  It seems that Azure is either not passing through the Cookie/Set-Cookie headers.

    What headers do we need to add to the request from the Azure App that calls the REST API to post to our backend server and how can we ensure that the response headers sent by the server reach the Azure App?  Or what else is causing the authentication to be lost in transit?

    Thanks

    • Moved by Nayana A S Friday, June 23, 2017 12:32 PM More suited here
    Friday, June 23, 2017 1:20 AM


All replies

  • Hello MS Team,

    Any thoughts on this?

    Thanks

    Saturday, June 24, 2017 1:08 AM
  • Are the cookie headers present in Postman? What code are you using to call the REST API from your Azure App?

    Wednesday, June 28, 2017 9:02 PM
  • Yes, the headers are present in Postman. I'm using restify.  Authentication works, as mentioned above; subsequent post does not seem to have the correct cookie headers.  This is true even if I try to authenticate and post during one response from the bot (as an attempt to keep the same session with the backend going).  Here's the post code (dummy data substituted) that is executed after the successful login:

    var restify = require('restify');

    var client = restify.createJsonClient({
      url: 'https://example.com'
    });

    var args = {
      "var1": "xxxx",
      "var2": "xxxx",
      "headers": {
        "Content-Type": "application/json",
        "X-CSRF-Token": userAuthToken // saved token from login
      }
    };

    client.post('/endpoint/blabla.json', args, function (err, req, res, obj) { /* ... */ });

    HTTP "Get" and "Post" calls that do not require authentication work fine through Azure; only calls that require an authenticated user result in the error.  All calls work fine via Postman and mobile apps.

    Thanks


    • Edited by designdit Thursday, June 29, 2017 1:25 AM
    Thursday, June 29, 2017 1:20 AM
  • The issue is probably your restify configuration. That is the code that is actually passing on headers. If you run the website, does the restify code work?
    Thursday, June 29, 2017 1:23 AM
  • What do you mean by "if you run the website, does the restify code work?"?

    The restify code to log in and the restify code to execute "get" requests both work just fine through the same botframework program.  Please see the original description for what works and what does not via Azure.

    Does Azure require additional headers to be sent with rest requests that require authentication? Any "Allow" headers or something else to ensure the set-cookie header is received by my code after it comes through the Azure endpoint?  Seems like Azure is stripping the Set-Cookie header that I should receive after authenticating my user.


    • Edited by designdit Friday, June 30, 2017 3:07 AM
    Friday, June 30, 2017 3:01 AM
  • Are you saying that your website works fine on your local machine? You haven't mentioned that, only Postman. My guess is that you're not attaching the cookie header to your outgoing request, but you should really run the site locally to confirm. Put another way, which part of your investigation makes you think the problem is Azure and not your restify code?
    Friday, June 30, 2017 3:12 AM
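
Added example (not part of the thread or any poster's code): one way to carry the session from the login response into the later authenticated POST, which is the check the reply above suggests. It assumes the backend issues its session through Set-Cookie and that the HTTP client takes an options object with `path` and `headers` as its first argument, as restify's JSON client does; the cookie names and token value are constructed.

```javascript
'use strict';

// Node exposes a response's Set-Cookie headers as an array of strings in
// res.headers['set-cookie']. Keep only name=value; attributes are not sent back.
function storeCookies(jar, setCookieHeaders) {
  for (const line of setCookieHeaders || []) {
    const pair = line.split(';')[0];
    const eq = pair.indexOf('=');
    const name = eq < 0 ? '' : pair.slice(0, eq).trim();
    if (!name) continue;                        // malformed: no cookie name
    const expired = /;\s*max-age\s*=\s*(0|-\d+)\s*(;|$)/i.test(line);
    if (expired) jar.delete(name);              // server cleared the cookie
    else jar.set(name, pair.slice(eq + 1).trim());
  }
  return jar;                                   // Expires dates are not evaluated here
}

// Serialise the jar into a single Cookie request header value.
function cookieHeader(jar) {
  return Array.from(jar, ([name, value]) => `${name}=${value}`).join('; ');
}

// Headers belong in the request options, not inside the JSON body object.
function authedOptions(path, jar, csrfToken) {
  const headers = { 'X-CSRF-Token': csrfToken };
  if (jar.size > 0) headers.Cookie = cookieHeader(jar);
  return { path, headers };
}

// Constructed sample of what a login response might carry.
const SAMPLE_SET_COOKIE = [
  'SESSabc123=s3ss10nValue; Path=/; HttpOnly; Secure',
  'lang=en; Path=/',
  'old_pref=; Max-Age=0; Path=/',
];

function demo() {
  const jar = storeCookies(new Map([['old_pref', 'x']]), SAMPLE_SET_COOKIE);
  return authedOptions('/endpoint/blabla.json', jar, 'csrf-token-from-login');
}

// Assumed usage with a restify JSON client (client is hypothetical here):
//   client.post(demo(), { var1: 'xxxx', var2: 'xxxx' }, callback);
console.log(demo());
```

Keep one jar per bot user or conversation so one user's backend session is never sent on behalf of another, and keep cookie values out of logs.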
  • Hello,

    I'm not running my website locally.  It is hosted and publicly available and has nothing to do with Azure.  It exposes REST APIs.  I can consume these REST APIs from Postman and from apps that are downloadable and publicly available from Google's and Apple's app stores.  Postman and the apps are successful with ALL types of http requests: post for authentication, get requests, and posting data which is only permitted for authenticated users.

    I have a bot that uses the botframework and Microsoft's Botconnector.  This bot is hosted on Azure.  The bot consumes the same REST APIs  consumed by Postman and the mobile apps.  A user connects with the bot via one of the Botconnector supported programs, such as, Telegram, Kik, Slack, etc.  The bot allows a user to login and authenticate themselves on the website by posting to the authentication REST API exposed by the website.  This works.  The bot presents the user with data from the website by "getting" the data via an http call to another REST API exposed by the website.  This works for data that does not require authentication.  An authenticated user can choose to post data to the website.  This http post calls another REST API exposed by the website.  This does not work; the post is not successful via the bot hosted on Azure for a user that has been successfully authenticated via the bot hosted on Azure.

    The reason I believe Azure is not passing the "Set-Cookie" header to the bot code after successful authentication is because authentication is successful according to the website (user data from the website is returned to the bot) but the bot code does not receive a Cookie header and therefore can't return a "Cookie" header to the website on the subsequent call to post data.  Postman and the apps all have a Cookie header after the authentication step.  Azure passes coding into and out of its environment before returning it to the bot so I suspect that Azure is stripping the "Set-Cookie" header that all of the other consumers (Postman and apps) receive from the website, without issue.

    Saturday, July 1, 2017 12:37 AM
  • Are you saying that when you run the bot on your local machine, everything works? That would be evidence that Azure is doing something to your header.
    Saturday, July 1, 2017 2:37 AM
  • Please read all of the descriptions and explanations.  If the issue is not clear please ask someone else to provide support.  Nothing is hosted locally.  I don't have time to repeat the explanations and am moving on to another cloud hosting provider while MSFT tries to support us.
    Saturday, July 1, 2017 6:03 PM
  • Hello MSFT Team,

    Can someone who understands the issue help troubleshoot?

    Thanks

    Saturday, July 8, 2017 2:32 AM
  • Please read all of the descriptions and explanations.  If the issue is not clear please ask someone else to provide support.  Nothing is hosted locally.  I don't have time to repeat the explanations and am moving on to another cloud hosting provider while MSFT tries to support us.

    Do you have a support ticket? Thanks!

    Ed Price, Azure Development Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)


    Monday, July 17, 2017 7:11 PM