Non-Root Docker Image with Authentication Enabled (Microsoft Provider) #1063

Open
webflow-entertainment opened this issue Apr 12, 2024 · 1 comment

Comments


webflow-entertainment commented Apr 12, 2024

I have an issue with running a function in a Docker image based on Node and Go (Custom Handler). We have also enabled authentication with Microsoft as the provider. Basically, everything works until I switch the function image to non-root. I receive a Bad Request (403) and cannot swap the function. Does anyone have an idea?

```dockerfile
FROM mcr.microsoft.com/azure-functions/node:4.33.1

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
    ASPNETCORE_URLS=http://+:8080 \
    NODE_OPTIONS=--max-http-header-size=32768 \
    HOME=/home \
    FUNCTIONS_WORKER_RUNTIME=node \
    DOTNET_USE_POLLING_FILE_WATCHER=true \
    HOST_VERSION=4.33.0 \
    ASPNETCORE_CONTENTROOT=/azure-functions-host

COPY functions/ /home/site/wwwroot/

RUN groupadd nonroot -g 2000 && \
    useradd -r -M -s /sbin/nologin -g nonroot nonroot -u 1000 && \
    chown -R nonroot:nonroot /azure-functions-host && \
    chown -R nonroot:nonroot /FuncExtensionBundles && \
    chown -R nonroot:nonroot /home/site/wwwroot

USER nonroot
EXPOSE 8080

CMD [ "/azure-functions-host/Microsoft.Azure.WebJobs.Script.WebHost" ]
```

I've already tried the inputs from this article #424 (comment) but it doesn't help.

Thanks!


habnux commented Apr 15, 2024

I am also interested in a solution to this problem. I wonder why Microsoft does not follow security best practices here.
