Problem: I am trying to setup an Azure Static Web App so the html content of it would be only accessible to the authenticated (Entra B2C) users:
1. What I have:
I have a static web app in Azure (mkdocs site) deployed with the following config file:
Here is the content of staticwebapp.config.json
file
{
"navigationFallback": {
"rewrite": "/index.html",
"exclude": ["/images/*.{png,jpg,gif}", "/css/*"]
},
"routes": [
{
"route": "/*",
"allowedRoles": ["authenticated"]
}
],
"responseOverrides": {
"401": {
"statusCode": 302,
"redirect": "/.auth/login/aad"
}
},
"auth": {
"identityProviders": {
"customOpenIdConnectProviders": {
"aadb2c": {
"registration": {
"clientIdSettingName": "AZURE_CLIENT_ID",
"clientCredential": {
"clientSecretSettingName": "AZURE_CLIENT_SECRET"
},
"openIdConnectConfiguration": {
"wellKnownOpenIdConfiguration": "https://mytenantb2c.b2clogin.com/mytenantb2c.onmicrosoft.com/B2C_1_SiIn/v2.0/.well-known/openid-configuration"
}
},
"login": {
"nameClaimType": "emails",
"scopes": ["openid"],
"loginParameterNames": []
}
}
}
}
},
"globalHeaders": {
"Content-Security-Policy": "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY"
}
}
2. What works:
I am able to see /.auth/me
which will show if I am not authenticated with:
{
"clientPrincipal": null
}
then when I go to .auth/login/aad
, it will properly allow me to login, and then the .auth/me
will show this:
{
"clientPrincipal": {
"identityProvider": "aad",
"userId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"userDetails": "[email protected]",
"userRoles": [
"anonymous",
"authenticated"
]
}
}
so the process of the authentication seems to work and it has the context of the authenticated user.
3. What does not work:
I open a private/incognito/ window (or my phone), and I am able to access all of the pages on the website, without any authentication.
Somehow my Static Web App is using staticwebapp.config.json
to have the login and have the user content functionality but it is not applied to the content of the website.
What am I missing?
I hope it is not the reverse proxy that I am missing, but a configuration or a header that I need to add to each html page.
Tried: I open a private/incognito/ window (or my phone), and I am able to access all of the pages on the website, without any authentication.
Expected: Login prompt on page access, similar to calling .auth/login/aad