Skip to content

[WIP] Fix truncation issue in az webapp auth update excluded-path #32269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 1 commit into from
Closed

[WIP] Fix truncation issue in az webapp auth update excluded-path #32269

Copilot wants to merge 1 commit into from

Conversation

Copy link

Copilot AI commented Oct 16, 2025

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

This section details on the original issue you should resolve

<issue_title>az webapp auth update --excluded-path silently truncates or misparses path value</issue_title>
<issue_description>### Describe the bug

The az webapp auth update command appears to corrupt the value of --excluded-path.

Specifically, when I provide:
--excluded-path "/health"

the resulting configuration in authsettingsV2 shows:
"excludedPaths": ["healt"]

  • The leading slash / is dropped.
  • The last character h is also missing.

This causes the exclusion to fail and authentication to be enforced on /health requests, breaking health checks and other unauthenticated probes.

Related command

az webapp auth update `
  --resource-group MyResourceGroup `
  --name my-webapp `
  --enabled true `
  --action RedirectToLoginPage `
  --excluded-path **"/health"**

Errors

N/A

Issue script & Debug output

az webapp auth update `
  --resource-group "xxx" `
  --name xxx `
  --enabled true `
  --action RedirectToLoginPage `
  --excluded-path "/health"

The behavior of this command has been altered by the following extension: authV2

{
  "clearInboundClaimsMapping": "false",
  "globalValidation": {
    **"excludedPaths": [
      "healt"
    ],**
    "redirectToProvider": "azureactivedirectory",
    "requireAuthentication": true,
    "unauthenticatedClientAction": "RedirectToLoginPage"
  },
  "httpSettings": {
    "forwardProxy": {
      "convention": "NoProxy"
    },
    "requireHttps": true,
    "routes": {
      "apiPrefix": "/.auth"
    }
  },
  "identityProviders": {
    "apple": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "azureActiveDirectory": {
      "enabled": true,
      "isAutoProvisioned": true,
      "login": {
        "disableWWWAuthenticate": false
      },
      "registration": {
        "clientId": "xxx",
        "openIdIssuer": "https://sts.windows.net/xxx/v2.0"
      },
      "validation": {
        "allowedAudiences": [
          "api://xxx"
        ],
        "defaultAuthorizationPolicy": {
          "allowedPrincipals": {}
        },
        "jwtClaimChecks": {}
      }
    },
    "facebook": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "gitHub": {
      "enabled": true,
      "login": {},
      "registration": {}
    },
    "google": {
      "enabled": true,
      "login": {},
      "registration": {},
      "validation": {}
    },
    "legacyMicrosoftAccount": {
      "enabled": true,
      "login": {},
      "registration": {},
      "validation": {}
    },
    "twitter": {
      "enabled": true,
      "registration": {}
    }
  },
  "login": {
    "cookieExpiration": {
      "convention": "FixedTime",
      "timeToExpiration": "08:00:00"
    },
    "nonce": {
      "nonceExpirationInterval": "00:05:00",
      "validateNonce": true
    },
    "preserveUrlFragmentsForLogins": false,
    "routes": {},
    "tokenStore": {
      "azureBlobStorage": {},
      "enabled": true,
      "fileSystem": {},
      "tokenRefreshExtensionHours": 72.0
    }
  },
  "platform": {
    "enabled": true,
    "runtimeVersion": "~1"
  }
}

Expected behavior

The path /health should be correctly set under globalValidation.excludedPaths:

"globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "RedirectToLoginPage",
      "redirectToProvider": "azureactivedirectory",
      "excludedPaths": [
        "/health"
      ]
    },

Environment Summary

{
  "azure-cli": "2.75.0",
  "azure-cli-core": "2.75.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "aks-preview": "4.0.0b4",
    "authV2": "1.0.0",
    "azure-devops": "1.0.1",
    "containerapp": "1.2.0b1"
  }
}

Additional context

  • This occurs consistently.
  • I am using the authV2 extension.
  • I suspect there is a bug in argument parsing or serialization.</issue_description>

Comments on the Issue (you are @copilot in this section)

@yonzhan Thank you for opening this issue, we will look into it.

Fixes #31803

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Oct 16, 2025

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Oct 16, 2025

Validation for Breaking Change Starting...

Thanks for your contribution!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Oct 16, 2025
@a0x1ab a0x1ab closed this Oct 16, 2025
Copilot AI requested a review from a0x1ab October 16, 2025 05:47
@a0x1ab a0x1ab deleted the copilot/fix-excluded-path-truncation branch October 16, 2025 05:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsntcy jsntcy Awaiting requested review from jsntcy

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

@yanzhudd yanzhudd Awaiting requested review from yanzhudd

@yonzhan yonzhan Awaiting requested review from yonzhan

@wangzelin007 wangzelin007 Awaiting requested review from wangzelin007

@ruslany ruslany Awaiting requested review from ruslany

@sanchitmehta sanchitmehta Awaiting requested review from sanchitmehta

@ebencarek ebencarek Awaiting requested review from ebencarek

@JennyLawrance JennyLawrance Awaiting requested review from JennyLawrance

@howang-ms howang-ms Awaiting requested review from howang-ms

@vinisoto vinisoto Awaiting requested review from vinisoto

@chinadragon0515 chinadragon0515 Awaiting requested review from chinadragon0515

@vturecek vturecek Awaiting requested review from vturecek

@torosent torosent Awaiting requested review from torosent

@pagariyaalok pagariyaalok Awaiting requested review from pagariyaalok

@Juliehzl Juliehzl Awaiting requested review from Juliehzl

@jijohn14 jijohn14 Awaiting requested review from jijohn14

@Greedygre Greedygre Awaiting requested review from Greedygre

@a0x1ab a0x1ab Awaiting requested review from a0x1ab

Assignees

@zhoxing-ms zhoxing-ms

@a0x1ab a0x1ab

Copilot code review Copilot

Labels

Auto-Assign Auto assign by bot ContainerApp Web Apps az webapp

Projects

None yet

Milestone

November 2025 (2025-11-04)

Development

Successfully merging this pull request may close these issues.

az webapp auth update --excluded-path silently truncates or misparses path value

3 participants

@zhoxing-ms @a0x1ab