Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure Web App + Node.js + Azure AD = Error 431

I created a Node.js based web application, running in an Azure Web App, that I wanted to put behind an Azure Active Directory authentication. After activating "App Service Authentication", the login process works normally, however upon returning to my app, it just returns a HTTP 431 "Request Header Fields Too Large".

To validate it's not my app, I checked the Azure web app sample for Node.js and even this returns a 431 when activating AAD.

Steps to reproduce:

  • Create new Azure resource -> Web App
    • Select any Node based runtime stack, for example Node 12 LTS
    • Select any OS
    • Create the web app and wait for deployment to finish
  • Create a simple web app
    • Example: https://github.com/Azure-Samples/app-service-web-nodejs-get-started
    • Deploy on the web service
    • Result so far: App works.
  • In the web app settings, go to "Authentication / Authorization"
    • Turn "App Service Authentication" to "On"
    • Select Azure Active Directory
    • Select Express Management Mode and create a new Azure AD App in the process
    • As "Action to take when request is not authenticated" select "Log in with Azure AD"
    • Confirm

Result: When opening the web app URL with a browser, it will show the log in process, following the process everything seems to work fine and the AAD returns to the application, however at that point it returns a HTTP 431.

Further tests:

  • Deactivate the authentication and everything works fine again
  • Upload a simple .html file instead of a Node app works fine with authentication enabled
  • Tested with restify and http

Any ideas? Am I missing something?

like image 808
Dirk Songür Avatar asked Apr 06 '20 12:04

Dirk Songür


People also ask

Why host your Node JS app on azure?

Host your Node.js apps on a productive, flexible platform. Deploy your first Node.js app in minutes. Why Node.js on Azure? Easily deploy Node.js code to Azure from Visual Studio Code.

How do I deploy node_modules to Azure App service?

Run npm install on a Windows machine that has all the native module's prerequisites installed. Then, deploy the created node_modules folder as part of the application to Azure App Service.

Does Azure App Service Support Express web apps?

In this quickstart, you'll learn how to create and deploy your first Node.js ( Express) web app to Azure App Service. App Service supports various versions of Node.js on both Linux and Windows.

What is the default iisnode timeout on Azure App service?

By default, the total timeout in iisnode on Azure App Service is 200 * 250 ms = 50 seconds. This setting controls the directory where iisnode logs stdout/stderr. The default value is iisnode, which is relative to the main script directory (directory where main server.js is present)


Video Answer


1 Answers

This is a known issue since there is limitation with more recent versions of node that utilize a hard cap of 8KB for headers. EasyAuth adds some very large headers to the request, which can cause the node container to reject the request made by the middleware container with a 400. Read more about it here:   This can be mitigated by setting the app setting WEBSITE_AUTH_DISABLE_IDENTITY_FLOW to true. This will remove one of the largest headers we add to the request. This header is generally only used by .NET Framework and Azure Functions apps, and so this setting should be safe.

If the issue still occurs, you can try with NodeJS 12 versions or increase the header size parameter: node server.js --max-http-header-size 81000

like image 65
Bryan Trach-MSFT Avatar answered Oct 08 '22 07:10

Bryan Trach-MSFT