
I have enabled AAD Authentication for an Azure Function and then tried to consume the Function App (HTTP Trigger) in a web application, but I am getting an Unauthorized error. I also tried consuming it by creating a function proxy, but the issue still persists. Process followed:

  • Created two AD Applications (Web App, Azure Functions) and granted the Web App AD application permission to the Azure Functions AD application
  • Created a basic HTTP trigger function
  • Enabled Authentication for Azure Functions by providing the details of the Azure Functions AD application
  • Created a web application and, during access token generation, provided the Client ID and Secret of the web application and the Audience URI (App ID) of the Azure Functions AD application.

    using System.Configuration;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Acquire an app-only token (client credentials flow) for the function app's AAD application;
    // "azrfunc:ResourceID" is the App ID / audience of the Azure Functions AD application
    ClientCredential clientCredential = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientId"], ConfigurationManager.AppSettings["ida:SecretKey"]);
    AuthenticationContext authContext = new AuthenticationContext(Startup.Authority);
    AuthenticationResult result = await authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["azrfunc:ResourceID"], clientCredential);
    string requestUrl = "https://xxxx.azurewebsites.net/api/HttpTriggerCSharp1?code=Gxxxxx==&name=xxxx";

    // Make the GET request, presenting the access token as a bearer credential
    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    // await instead of .Result: blocking on the task inside an async method can deadlock in ASP.NET
    HttpResponseMessage response = await client.SendAsync(request);
    

1 Answer


According to your description, I assume that you are using Authentication and authorization in Azure App Service for your Azure Function App.

And as How authentication works in App Service states:

Users who interact with your application through a web browser will have a cookie set so that they can remain authenticated as they browse your application. For other client types, such as mobile, a JSON web token (JWT), which should be presented in the X-ZUMO-AUTH header, will be issued to the client. The Mobile Apps client SDKs will handle this for you. Alternatively, an Azure Active Directory identity token or access token may be directly included in the Authorization header as a bearer token.

Based on your scenario, I created my two AAD apps and set the required permission for my web app to access the AAD app of my function app as follows:

[screenshot]

And enable AAD authentication for my azure function app as follows:

[screenshot]

Then I get the access token by using the following code:

// Client credentials of the calling web app's AAD application
var clientCredential = new ClientCredential("{clientId-for-my-web-app}", "{clientSecret-for-my-web-app}");
// AAD v1 authority for the tenant (ADAL)
var authContext = new AuthenticationContext("https://login.windows.net/{tenantId}");
// Request the token for the function app's AAD application, so that the aud claim is its client ID
var result = await authContext.AcquireTokenAsync("{clientId-for-my-function-app}", clientCredential);

TEST:

[screenshot]

In summary, you could decode your access token by using https://jwt.io/ and check the aud claim as follows:

[screenshot]

Moreover, I noticed that your requestUrl contains the query string code. If you enable both function-level authorization and user-based authentication, you also need to make sure your function key or master key is correct. Alternatively, you could set the anonymous authorization level for your Azure Function and just leverage the user-based authentication.
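The check the answer recommends (decode the token and confirm that `aud` names the function app's AAD application before presenting it as a bearer credential), as an added Python example that is not code from the question, the answer, or Microsoft. It assumes the AAD v1 token endpoint `https://login.windows.net/{tenant}/oauth2/token` that matches the ADAL authority used in the answer; `TENANT_ID`, `WEB_APP_CLIENT_ID`, `WEB_APP_SECRET`, `FUNCTION_APP_CLIENT_ID` and `FUNCTION_URL` are placeholders, and the sample token in `main` is constructed locally (unsigned) purely to exercise the offline checks.

```python
"""Added example (not from the original post): acquire an app-only token with the
client-credentials grant, inspect its `aud` claim offline (what jwt.io shows you),
and only then call the function with it as a bearer token.

Assumed names (placeholders, not from the page):
TENANT_ID, WEB_APP_CLIENT_ID, WEB_APP_SECRET, FUNCTION_APP_CLIENT_ID, FUNCTION_URL
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def b64url_decode(segment):
    """Base64url decoding with the '=' padding that JWT segments omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Return the payload of a compact JWS without verifying its signature.

    This is a diagnostic view only (the same thing https://jwt.io/ shows); the
    function app, not the caller, is the party that validates the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_matches(token, expected, now=None):
    """True if `aud` names the expected AAD application and the token is unexpired.

    `aud` may be a string or a list. For an AAD v1 token the value is the
    resource exactly as it was requested (client ID or App ID URI), so it must
    be what the function app's authentication settings are configured to accept.
    """
    claims = jwt_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected not in audiences:
        return False
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return exp is None or now < exp


def make_unsigned_jwt(claims):
    """Constructed, unsigned token (alg=none, empty signature) for the offline demo only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


def acquire_app_token(tenant_id, client_id, client_secret, resource):
    """Client-credentials grant against the AAD v1 endpoint (the flow behind ADAL's AcquireTokenAsync)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,          # becomes the token's aud claim
    }).encode()
    req = urllib.request.Request(
        "https://login.windows.net/%s/oauth2/token" % tenant_id,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_function(url, token):
    """GET the HTTP-trigger URL with the token in the Authorization header; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def main():
    # Offline demonstration with a constructed token; replace with acquire_app_token(...) for real use.
    token = make_unsigned_jwt({"aud": "FUNCTION_APP_CLIENT_ID", "exp": int(time.time()) + 3600})
    print("aud claim:", jwt_claims(token)["aud"])
    if not audience_matches(token, "FUNCTION_APP_CLIENT_ID"):
        raise SystemExit("token was issued for the wrong audience; the function app will answer 401")
    # status, body = call_function(FUNCTION_URL, token)


if __name__ == "__main__":
    main()
```

If `audience_matches` fails on a real token, the usual cause is requesting the token for the web app's own client ID (or an App ID URI the function app is not configured to accept) rather than for the function app's AAD application, which is exactly the mismatch the jwt.io check in the answer is meant to catch.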