fix(auth): resolve tenant from az cli, clear stale audiences, normalize issuer

Three fixes discovered during end-to-end azd up testing:

1. `az containerapp auth microsoft update` rejects `--issuer` and
   `--tenant-id` together; the issuer is derived from tenant-id.
2. `azd env get-value AZURE_TENANT_ID` prints its error message to stdout
   (not stderr), corrupting TENANT_ID when that key is absent. Read from
   `az account show` first instead.
3. `--allowed-token-audiences api://<clientId>` breaks EasyAuth login
   because the ID tokens it issues have `aud=<clientId>` (GUID), not the
   identifierUri. Drop the override and normalize `allowedAudiences` to
   just the clientId via an authConfig PUT (which also clears stale
   values left by prior runs and fixes `openIdIssuer` if it was
   previously corrupted).

Verified: Web `/.auth/login/aad` -> 302 to login.microsoftonline.com with
the correct client_id, redirect_uri, and scopes; API returns 401 to
unauthenticated callers; allowedApplications on the API restricts callers
to the Web clientId.

Author: DonLee

infra/scripts/configure_auth.ps1

@@ -25,8 +25,9 @@ function Azd-Get($key, $default = "") {
 $EnvName        = Azd-Get "AZURE_ENV_NAME" "cps"
 $ResourceGroup  = Azd-Get "AZURE_RESOURCE_GROUP"
 $SubscriptionId = Azd-Get "AZURE_SUBSCRIPTION_ID"
-$TenantId       = Azd-Get "AZURE_TENANT_ID"
-if (-not $TenantId) { $TenantId = (az account show --query tenantId -o tsv) }
+$TenantId = (az account show --query tenantId -o tsv)
+if (-not $TenantId) { $TenantId = Azd-Get "AZURE_TENANT_ID" "" }
+if (-not $TenantId) { throw "Could not resolve Azure tenant id. Run 'az login' or set AZURE_TENANT_ID." }
 
 $WebName = Azd-Get "CONTAINER_WEB_APP_NAME"
 $WebFqdn = Azd-Get "CONTAINER_WEB_APP_FQDN"
@@ -217,18 +218,18 @@ Write-Host ""
 Write-Host "➡️  Step 5/6: Enabling EasyAuth on Web + API container apps"
 $Issuer = "https://login.microsoftonline.com/$TenantId/v2.0"
 
-function Configure-EasyAuth($CaName, $ClientId, $Audience) {
+function Configure-EasyAuth($CaName, $ClientId) {
+  # Note: --tenant-id and --issuer are mutually exclusive. Do not override
+  # --allowed-token-audiences; EasyAuth issues ID tokens with aud=<client_id>.
   az containerapp auth microsoft update -n $CaName -g $ResourceGroup `
     --client-id $ClientId `
     --client-secret-name $CaSecretName `
     --tenant-id $TenantId `
-    --issuer $Issuer `
-    --allowed-token-audiences $Audience `
     --yes --output none
 }
 
-Configure-EasyAuth $ApiName $ApiClientId $ApiIdentifierUri
-Configure-EasyAuth $WebName $WebClientId $WebIdentifierUri
+Configure-EasyAuth $ApiName $ApiClientId
+Configure-EasyAuth $WebName $WebClientId
 
 az containerapp auth update -n $WebName -g $ResourceGroup --enabled true --unauthenticated-client-action AllowAnonymous --output none
 az containerapp auth update -n $ApiName -g $ResourceGroup --enabled true --unauthenticated-client-action AllowAnonymous --output none
@@ -243,25 +244,33 @@ az containerapp update -n $WebName -g $ResourceGroup `
   --output none
 Write-Host "  ✓ Web env vars updated"
 
-$authUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.App/containerApps/$ApiName/authConfigs/current?api-version=2024-03-01"
-$current = az rest --method get --url $authUrl | ConvertFrom-Json
-if (-not $current.properties) { $current | Add-Member -MemberType NoteProperty -Name properties -Value (@{}) }
-if (-not $current.properties.identityProviders) { $current.properties | Add-Member -MemberType NoteProperty -Name identityProviders -Value (@{}) }
-if (-not $current.properties.identityProviders.azureActiveDirectory) { $current.properties.identityProviders | Add-Member -MemberType NoteProperty -Name azureActiveDirectory -Value (@{}) }
-$aad = $current.properties.identityProviders.azureActiveDirectory
-if (-not $aad.validation) { $aad | Add-Member -MemberType NoteProperty -Name validation -Value (@{}) }
-if (-not $aad.validation.defaultAuthorizationPolicy) { $aad.validation | Add-Member -MemberType NoteProperty -Name defaultAuthorizationPolicy -Value (@{}) }
-$policy = $aad.validation.defaultAuthorizationPolicy
-$allowed = @()
-if ($policy.allowedApplications) { $allowed = @($policy.allowedApplications) }
-if ($allowed -notcontains $WebClientId) { $allowed += $WebClientId }
-$policy.allowedApplications = $allowed
+function Patch-AuthConfig($CaName, $ClientId, $AddWebAllowed) {
+  $url = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.App/containerApps/$CaName/authConfigs/current?api-version=2024-03-01"
+  $current = az rest --method get --url $url | ConvertFrom-Json
+  if (-not $current.properties) { $current | Add-Member -MemberType NoteProperty -Name properties -Value (@{}) }
+  if (-not $current.properties.identityProviders) { $current.properties | Add-Member -MemberType NoteProperty -Name identityProviders -Value (@{}) }
+  if (-not $current.properties.identityProviders.azureActiveDirectory) { $current.properties.identityProviders | Add-Member -MemberType NoteProperty -Name azureActiveDirectory -Value (@{}) }
+  $aad = $current.properties.identityProviders.azureActiveDirectory
+  if (-not $aad.registration) { $aad | Add-Member -MemberType NoteProperty -Name registration -Value (@{}) }
+  $aad.registration.openIdIssuer = "https://login.microsoftonline.com/$TenantId/v2.0"
+  if (-not $aad.validation) { $aad | Add-Member -MemberType NoteProperty -Name validation -Value (@{}) }
+  $aad.validation.allowedAudiences = @($ClientId)
+  if (-not $aad.validation.defaultAuthorizationPolicy) { $aad.validation | Add-Member -MemberType NoteProperty -Name defaultAuthorizationPolicy -Value (@{}) }
+  $policy = $aad.validation.defaultAuthorizationPolicy
+  $allowed = @()
+  if ($policy.allowedApplications) { $allowed = @($policy.allowedApplications) }
+  if ($AddWebAllowed -and ($allowed -notcontains $WebClientId)) { $allowed += $WebClientId }
+  $policy.allowedApplications = $allowed
 
-$tmp = New-TemporaryFile
-$current | ConvertTo-Json -Depth 20 | Out-File -FilePath $tmp -Encoding utf8
-Retry { az rest --method put --url $authUrl --headers "Content-Type=application/json" --body "@$tmp" | Out-Null }
-Remove-Item $tmp
-Write-Host "  ✓ API 'allowed applications' includes Web client id"
+  $tmp = New-TemporaryFile
+  $current | ConvertTo-Json -Depth 20 | Out-File -FilePath $tmp -Encoding utf8
+  Retry { az rest --method put --url $url --headers "Content-Type=application/json" --body "@$tmp" | Out-Null }
+  Remove-Item $tmp
+}
+
+Patch-AuthConfig $ApiName $ApiClientId $true
+Patch-AuthConfig $WebName $WebClientId $false
+Write-Host "  ✓ authConfigs normalized (issuer, audiences, allowedApplications)"
 
 az containerapp auth update -n $WebName -g $ResourceGroup --unauthenticated-client-action RedirectToLoginPage --output none
 az containerapp auth update -n $ApiName -g $ResourceGroup --unauthenticated-client-action Return401 --output none

infra/scripts/configure_auth.sh

@@ -23,7 +23,14 @@ echo "============================================================"
 ENV_NAME="$(azd env get-value AZURE_ENV_NAME 2>/dev/null || echo "")"
 RESOURCE_GROUP="$(azd env get-value AZURE_RESOURCE_GROUP)"
 SUBSCRIPTION_ID="$(azd env get-value AZURE_SUBSCRIPTION_ID)"
-TENANT_ID="$(azd env get-value AZURE_TENANT_ID 2>/dev/null || az account show --query tenantId -o tsv)"
+TENANT_ID="$(az account show --query tenantId -o tsv)"
+if [[ -z "$TENANT_ID" ]]; then
+  TENANT_ID="$(azd env get-value AZURE_TENANT_ID 2>/dev/null || true)"
+fi
+if [[ -z "$TENANT_ID" ]]; then
+  echo "❌ Could not resolve Azure tenant id. Run 'az login' or set AZURE_TENANT_ID." >&2
+  exit 1
+fi
 
 WEB_NAME="$(azd env get-value CONTAINER_WEB_APP_NAME)"
 WEB_FQDN="$(azd env get-value CONTAINER_WEB_APP_FQDN)"
@@ -275,23 +282,21 @@ ensure_ca_secret_from_app_reg "$WEB_CLIENT_ID" "$WEB_NAME"
 echo ""
 echo "➡️  Step 5/6: Enabling EasyAuth on Web + API container apps"
 
-OPENID_ISSUER="https://login.microsoftonline.com/${TENANT_ID}/v2.0"
-
 configure_easyauth_app() {
   local ca_name="$1"
   local client_id="$2"
-  local audience="$3"
+  # Note: --tenant-id and --issuer are mutually exclusive; tenant-id derives
+  # the v2.0 issuer automatically. Do not override --allowed-token-audiences;
+  # EasyAuth issues ID tokens with aud=<client_id>, which is the default.
   az containerapp auth microsoft update -n "$ca_name" -g "$RESOURCE_GROUP" \
     --client-id "$client_id" \
     --client-secret-name "$CA_SECRET_NAME" \
     --tenant-id "$TENANT_ID" \
-    --issuer "$OPENID_ISSUER" \
-    --allowed-token-audiences "$audience" \
     --yes --output none
 }
 
-configure_easyauth_app "$API_NAME" "$API_CLIENT_ID" "$API_IDENTIFIER_URI"
-configure_easyauth_app "$WEB_NAME" "$WEB_CLIENT_ID" "$WEB_IDENTIFIER_URI"
+configure_easyauth_app "$API_NAME" "$API_CLIENT_ID"
+configure_easyauth_app "$WEB_NAME" "$WEB_CLIENT_ID"
 
 # Make sure auth is enabled and (temporarily) permissive so we can still push
 # env vars / verify deployment. Final lockdown happens at the end.
@@ -318,31 +323,43 @@ az containerapp update -n "$WEB_NAME" -g "$RESOURCE_GROUP" \
   --output none
 echo "  ✓ Web env vars: APP_WEB_CLIENT_ID / APP_WEB_SCOPE / APP_API_SCOPE / APP_AUTH_ENABLED"
 
-# Patch API authConfig: restrict to Web client id
-# (equivalent to portal "Allow requests from specific client applications")
-API_AUTHCONFIG_URL="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.App/containerApps/${API_NAME}/authConfigs/current?api-version=2024-03-01"
-
-CURRENT_AUTH_JSON="$(az rest --method get --url "$API_AUTHCONFIG_URL")"
-PATCHED_AUTH_JSON="$(echo "$CURRENT_AUTH_JSON" | python3 -c "
-import json, sys
-doc = json.load(sys.stdin)
-props = doc.setdefault('properties', {})
+# Patch both authConfigs:
+#   - API: add Web client id to allowedApplications
+#   - Both: reset allowedAudiences to only the clientId, normalize openIdIssuer
+patch_authconfig() {
+  local ca_name="$1"
+  local client_id="$2"
+  local add_web_allowed="$3"   # "true" / "false"
+  local url="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.App/containerApps/${ca_name}/authConfigs/current?api-version=2024-03-01"
+  local cur patched
+  cur="$(az rest --method get --url "$url")"
+  patched="$(echo "$cur" | ADD_WEB="$add_web_allowed" WEB_CLIENT_ID="$WEB_CLIENT_ID" CLIENT_ID="$client_id" TENANT_ID="$TENANT_ID" python3 -c "
+import json, os, sys
+d = json.load(sys.stdin)
+props = d.setdefault('properties', {})
 idp = props.setdefault('identityProviders', {})
 aad = idp.setdefault('azureActiveDirectory', {})
+reg = aad.setdefault('registration', {})
+reg['openIdIssuer'] = f\"https://login.microsoftonline.com/{os.environ['TENANT_ID']}/v2.0\"
 val = aad.setdefault('validation', {})
+val['allowedAudiences'] = [os.environ['CLIENT_ID']]
 policy = val.setdefault('defaultAuthorizationPolicy', {})
 allowed = set(policy.get('allowedApplications') or [])
-allowed.add('${WEB_CLIENT_ID}')
+if os.environ['ADD_WEB'] == 'true':
+    allowed.add(os.environ['WEB_CLIENT_ID'])
 policy['allowedApplications'] = sorted(allowed)
-print(json.dumps(doc))
+print(json.dumps(d))
 ")"
+  echo "$patched" > /tmp/authconfig_patch.json
+  retry az rest --method put --url "$url" \
+    --headers "Content-Type=application/json" \
+    --body @/tmp/authconfig_patch.json >/dev/null
+  rm -f /tmp/authconfig_patch.json
+}
 
-echo "$PATCHED_AUTH_JSON" > /tmp/api_authconfig.json
-retry az rest --method put --url "$API_AUTHCONFIG_URL" \
-  --headers "Content-Type=application/json" \
-  --body @/tmp/api_authconfig.json >/dev/null
-rm -f /tmp/api_authconfig.json
-echo "  ✓ API 'allowed applications' now includes Web client id"
+patch_authconfig "$API_NAME" "$API_CLIENT_ID" "true"
+patch_authconfig "$WEB_NAME" "$WEB_CLIENT_ID" "false"
+echo "  ✓ authConfigs normalized (issuer, audiences, allowedApplications)"
 
 # Final lockdown
 az containerapp auth update -n "$WEB_NAME" -g "$RESOURCE_GROUP" \