Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AlwaysOn with AuthLevel.FUNCTION fails - need guidance for FastAPI + authenticated warmup #10758

Open
Molier opened this issue Jan 20, 2025 · 0 comments
Open

AlwaysOn with AuthLevel.FUNCTION fails - need guidance for FastAPI + authenticated warmup #10758

Molier opened this issue Jan 20, 2025 · 0 comments
Labels
Needs: Triage (Functions)

Comments

@Molier
Copy link

Molier commented Jan 20, 2025

Related to #9109 which identified that AlwaysOn uses /admin/warmup endpoint.

Issue

We're seeing 401 errors with AlwaysOn when using AuthLevel.FUNCTION with FastAPI on Azure Functions. The /admin/warmup endpoint used by AlwaysOn doesn't include function keys, causing authentication failures.

Current setup

# function_app.py
import azure.functions as func
from fastapi import FastAPI

fast_app = FastAPI()
app = func.AsgiFunctionApp(app=fast_app, http_auth_level=func.AuthLevel.FUNCTION)
  • Premium plan with AlwaysOn enabled
  • Function authentication level set to FUNCTION

Attempted solutions

  1. Added web.config to scripts folder:
<?xml version="1.0" encoding="UTF-8" standalone="no">
<configuration>
    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Rewrite AlwaysOn" stopProcessing="true">
            <match url="^$" />
            <conditions>
              <add input="{HTTP_USER_AGENT}" pattern="^AlwaysOn$" />
            </conditions>
            <action type="Rewrite" url="/api/Online/Ping" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
</configuration>

Result: Configuration does not get deployed to wwwroot

  1. Tried WEBSITE_WARMUP_PATH setting
    Result: Documentation confirms this doesn't affect AlwaysOn path

Logs

2024-04-04T05:58:14Z [Information] Executing StatusCodeResult, setting HTTP status code 401

Key Questions

  1. Is there a way to set different auth levels per route while keeping app-level auth?
  2. Can we configure AlwaysOn to use function keys?
  3. What's the recommended approach for FastAPI apps that need both security and AlwaysOn?

Environment

  • Python 3.11
  • Azure Functions runtime v4
  • FastAPI on Azure Functions
  • Authentication Level: FUNCTION
  • Hosting: Premium plan

extra context

Please provide guidance on the recommended approach to handle this authentication scenario without compromising security by switching to AuthLevel.ANONYMOUS.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs: Triage (Functions)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Molier