Azure-docs: Azure Web App + Node.js + Azure AD = HTTP status 431

Created on 6 Apr 2020 · 8 Comments · Source: MicrosoftDocs/azure-docs

I created a Node.js-based web application, running in an Azure Web App, that I wanted to put behind Azure Active Directory authentication. After activating "App Service Authentication" as described on this page, the login process works normally; however, upon returning to my app, it just returns an HTTP 431 "Request Header Fields Too Large".

To validate it's not my app, I checked the Azure web app sample for Node.js and even this returns a 431 when activating AAD.

Steps to reproduce:

  • Create new Azure resource -> Web App

    • Select any Node based runtime stack, for example Node 12 LTS

    • Select any OS

    • Create the web app and wait for deployment to finish

  • Create a simple web app
  • In the web app settings, go to "Authentication / Authorization"

    • Turn "App Service Authentication" to "On"

    • Select Azure Active Directory

    • Select Express Management Mode and create a new Azure AD App in the process

    • As "Action to take when request is not authenticated" select "Log in with Azure AD"

    • Confirm

Result: When opening the web app URL with a browser, it will show the login process. Following the process, everything seems to work fine and the AAD returns to the application; however, at that point it returns an HTTP 431.

Further tests:

  • Deactivate the authentication and everything works fine again
  • Uploading a simple .html file instead of a Node app works fine with authentication enabled
  • Tested with restify and http

Any ideas? Am I missing something?



All 8 comments

Quick update: I now did a clean run of the "Create a Node.js app in Azure" page (https://docs.microsoft.com/en-us/azure/app-service/containers/quickstart-nodejs), which worked without authentication.

After activating AAD authentication as described, this app also returns a 431 error.

Hi @DirkSonguer, thank you for the detailed question! We are currently investigating and will update you when we have accurate information to provide.

Quick update: Creating a new Web App and activating app service authentication with the default web page works as described. The issue seems to be that as soon as a Node.js web service / server comes in (as described in the docs), it doesn't work anymore as the service returns the respective HTTP 431 error.

Looking through the logs, the authentication seems to indeed work fine with the Node.js service:

2020-04-06T09:41:00  PID[17788] Verbose     JWT validation succeeded. Subject: '...', Issuer:'https://sts.windows.net/.../'.
2020-04-06T09:41:00  PID[17788] Verbose     Calling into external HTTP endpoint POST https://login.windows.net/.../oauth2/token.
2020-04-06T09:41:01  PID[17788] Information Login completed for '[email protected]'. Provider: 'aad'.
2020-04-06T09:41:01  PID[17788] Verbose     Writing 'AppServiceAuthSession' cookie for site'my-web-app.azurewebsites.net'. Length: 1112.
2020-04-06T09:41:01  PID[17788] Information Redirecting: https://my-web-app.azurewebsites.net/
2020-04-06T09:41:01  PID[17788] Verbose     Received request: GET https://my-web-app.azurewebsites.net/
2020-04-06T09:41:01  PID[17788] Verbose     Received request: GET https://my-web-app.azurewebsites.net/
2020-04-06T09:41:01  PID[17788] Verbose     Found 'AppServiceAuthSession' cookie for site 'my-web-app.azurewebsites.net'. Length: 1112.
2020-04-06T09:41:01  PID[17788] Verbose     Authenticated [email protected] successfully using 'Session Cookie' authentication.

The cookie with length 1112 also doesn't seem to be outlandishly large and the referrer URL also seems fine. At this point it seems like everything should work with Node.js, but doesn't.

Any update on this?

I did some more tests on my side. Turns out if you follow the steps with a Web App running on West EU, it works as described in the docs:

  • Create new Web App
  • Arbitrary RG and name
  • Western Europe as location
  • Node 12 LTS as engine
  • Windows as OS
  • F1 as app service plan
  • Deploy Hello World based on restify
  • Activate AAD as described

Result: Works as intended

However keeping Central US as default location when creating the Web App and following the same steps led to the error described above.

At this point I personally have no idea how to test / debug this further.

Solved: https://stackoverflow.com/questions/61059648/azure-web-app-node-js-azure-ad-error-431/61116561#61116561

TLDR: Add key "WEBSITE_AUTH_DISABLE_IDENTITY_FLOW", value "true" to Configuration -> Application Settings to filter the large requests.
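
As an added illustration (not part of the original thread, and not Microsoft's code): Node's HTTP parser limits the size of the whole request header block and answers 431 when it is exceeded, so a request carrying only the 1112-byte session cookie can pass while the same request with extra token headers fails. The header sizes are constructed, and the assumption that the `X-MS-TOKEN-AAD-*` headers injected by App Service Authentication are what push the request over the limit is not confirmed on this page.

```javascript
// Added example: constructed header sizes, throwaway local servers only.
const http = require('http');

// Start a server with the given header limit, send one GET carrying `headers`,
// and resolve with the status code plus the parser error code (if any).
function probe(headers, maxHeaderSize) {
  return new Promise((resolve, reject) => {
    let parserError = null;
    const server = http.createServer({ maxHeaderSize }, (req, res) => res.end('ok'));
    // On overflow Node skips the request handler and emits 'clientError', so
    // application logs stay empty unless this event is handled.
    server.on('clientError', (err, socket) => {
      parserError = err.code;
      if (!socket.writable) return;
      const line = err.code === 'HPE_HEADER_OVERFLOW'
        ? '431 Request Header Fields Too Large' : '400 Bad Request';
      socket.end(`HTTP/1.1 ${line}\r\nConnection: close\r\n\r\n`);
    });
    server.listen(0, '127.0.0.1', () => {
      const { port } = server.address();
      const req = http.get({ host: '127.0.0.1', port, headers, agent: false }, (res) => {
        res.resume();
        server.close();
        resolve({ status: res.statusCode, parserError });
      });
      req.on('error', (e) => { server.close(); reject(e); });
    });
  });
}

// Constructed sample values. 1112 is the session cookie length from the log
// earlier in the thread; the token sizes are assumptions for illustration.
const cookieOnly = { Cookie: 'AppServiceAuthSession=' + 'x'.repeat(1112) };
const withTokens = {
  ...cookieOnly,
  'X-MS-TOKEN-AAD-ID-TOKEN': 'a'.repeat(3500),
  'X-MS-TOKEN-AAD-ACCESS-TOKEN': 'b'.repeat(5000),
};

async function demo() {
  return {
    cookieOnly: await probe(cookieOnly, 8192),   // 8 KiB: default limit in Node 12
    withTokens: await probe(withTokens, 8192),   // about 9.7 KB of headers
    raisedLimit: await probe(withTokens, 32768), // like --max-http-header-size=32768
  };
}

demo().then((r) => console.log(r));
```

Logging `err.code` in a `clientError` handler like this is the only place the overflow shows up on the Node side, since the request handler never runs.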

I am still encountering this error on a fresh node.js app with authentication turned on. I have set WEBSITE_AUTH_DISABLE_IDENTITY_FLOW to true, and even tried creating the app in West Europe, and I'm still getting 431 errors when navigating back to the app when I have a session already active.

Are there any additional workarounds I should try?

We are sorry you're experiencing this issue @teamstap100. Can you open a new issue so we can track and investigate this problem separately?
