Deployment on Azure (AppService) + AD Authentication enabled + st.file_uploader = 403 Forbidden

Hello,

I’m using a production workload of AppService so all issues with regards to sockets and getting stuck on ‘connecting…’ (described here: https://discuss.streamlit.io/t/azure-appservice-with-authentication-issues) are fine, app loads correctly. Deployment is on a Linux Docker image hosted on ACR (Azure Container Registry).

However, when a file gets uploaded into the st.file_uploader widget, the POST HTTP request returns a 403 Forbidden.

When AD Authentication is disabled, file uploader works fine.

Anyone else experiencing this?

Hey @JoeNSalloum -

I don’t know anything about Azure AD specifically, but I wonder if it’s an issue that using file_uploader sends it through a different port, and the browser isn’t able to sign the requests (since we haven’t incorporated anything like that).

I don’t know, just thinking out loud. But it sounds like there’s a step missing to authenticate with AD Authentication.

Best,
Randy

Hi @randyzwitch,

Thanks for your reply. The browser is sending the file using the upload_file endpoint, through the standard https port 443:


Both healthz and stream endpoint work properly, as you can see:

It’s only the upload_file.

Is there a log file I can inspect on the container itself that can potentially show me what’s going on under the hood? Verbose would be ideal.

Thanks for confirming the port.

I wonder if either of these links are saying what I’m thinking:

When you’re using file_uploader from the browser, I wonder if the issue is that Streamlit doesn’t have the AD token that you need. Similarly, I wonder if it would work with anonymous requests (second link).

Hi @randyzwitch,

Yes that was my suspicion as well, will look into adjusting the service principal, will let you know if it makes a difference. Although if that were the case I would expect all endpoints to be problematic, including healthz and stream; otherwise there’s something special about what upload_file is doing on the backend.

As for anonymous requests, yes it does work as I said in my original thread.

Unfortunately I’m also unfamiliar with AD authentication, but one thing the upload_file endpoint does differently is require an XSRF token. You could try setting server.enableXsrfProtection to False to see if that’s the issue.

Just to add on regarding this, you can always change your log level config option with logger.level. The available options are error, warning, info, or debug.
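
The XSRF suggestion above would account for healthz and stream working while only the POST to upload_file returns 403, because a double-submit XSRF check applies only to state-changing methods. The following triage helper is an added example, not part of any post in this thread and not Streamlit's code; it assumes Tornado's default cookie and header names (`_xsrf`, `X-Xsrftoken`), and the sample requests and the `session` cookie are constructed.

```python
import hmac
from http.cookies import SimpleCookie

# Assumed names for illustration: Tornado's default XSRF cookie and header.
XSRF_COOKIE = "_xsrf"
XSRF_HEADER = "x-xsrftoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def xsrf_verdict(method, headers):
    """Return (status, reason) a double-submit XSRF check would give a request."""
    if method.upper() in SAFE_METHODS:
        return 200, "safe method, no XSRF check"
    hdrs = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie()
    cookies.load(hdrs.get("cookie", ""))
    cookie_token = cookies[XSRF_COOKIE].value if XSRF_COOKIE in cookies else ""
    header_token = hdrs.get(XSRF_HEADER, "")
    if not header_token:
        return 403, "XSRF header missing from request"
    if not cookie_token:
        return 403, "XSRF cookie missing from request"
    # Constant-time comparison of the two copies of the token.
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return 403, "XSRF cookie and header differ"
    return 200, "XSRF token accepted"


# Constructed requests (not captured from the app discussed in this thread).
SAMPLES = [
    ("GET", "/healthz", {"Cookie": "session=abc"}),
    ("POST", "/upload_file",
     {"Cookie": "session=abc; _xsrf=t0k3n", "X-Xsrftoken": "t0k3n"}),
    ("POST", "/upload_file", {"Cookie": "session=abc", "X-Xsrftoken": "t0k3n"}),
    ("POST", "/upload_file", {"Cookie": "session=abc; _xsrf=t0k3n"}),
    ("POST", "/upload_file",
     {"Cookie": "session=abc; _xsrf=old", "X-Xsrftoken": "t0k3n"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLES:
        status, reason = xsrf_verdict(method, headers)
        print(f"{method:4} {path:12} -> {status} ({reason})")
```

Feeding it the request headers copied from the browser's network tab for the failing upload shows which of the three conditions, if any, applies before XSRF protection is switched off.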