Azure Function authentication using Azure Active Directory

5
votes

I wanted to enable authentication on Azure Functions. So, I decided to go with EasyAuth (Authentication/Authorization link under platform features) and was successfully able to configure the authentication process.

The authentication works when I manually sign-in to the Azure Function endpoint. But when I try to programmatically access the API, without any manual user intervention, I'm facing authentication issue:

Status Code:401, Unauthorized

I get an access token from AAD using clientID and clientSecret using the following code:

AuthenticationContext context = new AuthenticationContext("https://login.windows.net/<tenant-id>");
string key = "<client-secret>";
ClientCredential cc = new ClientCredential("<client-id>", key);
AuthenticationResult result = context.AcquireTokenAsync("https://<AzureFunctionAppName>.azurewebsites.net/", cc).Result;
return result.AccessToken;

Then I'm trying to send the Access Token received in the header for a new request to my API:

var content = "{\"on\":true, \"sat\":254, \"bri\":254, \"hue\":10000}";
var AADToken = GetS2SAccessToken();
HttpClient Client = new HttpClient();
Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
var foo = Client.PostAsync("https://<AzureFunctionAppName>.azurewebsites.net/.auth/login/aad", new StringContent(content.ToString())).Result;
Console.WriteLine($"result: {foo}");

But the above code is resulting in unauthorized calls. I am not sure what I'm doing wrong.

2
c#azureoauth-2.0azure-active-directoryazure-web-app-service

2 Answers

5
votes

We could use the accesstoken to access the you azure function api directly, if your azure function authentication level is anonymous or function key is also required.

I get the access token with your mentioned way. According to the Azure Resources portal(https://resources.azure.com/), the default allowedAudiences is 

  "https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"

So I add the https://{functionAppName}.azurewebsites.net/ as allowed aduiences

enter image description here

Then I can use the access token directly. I test it with postman.

enter image description here

We also could use the following way to get easy auth token. The access token is the token that you got.

Post https://xxx.azurewebsites.net/.auth/login/aad
Content-Type:application/json
{
    "access_token":"eyJ0eXAiOix...rtf2H7lyUL-g34HVw"
}

enter image description here

After that we could use the get token to access the azure function api

enter image description here

Note: Header is x-zumo-auth: token

3
votes

Regarding the issue, you need to create a client app to call your Azure function. The detailed steps are as Below.

  1. Configure Azure AD for Azure Function. Please refer to https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings#auth.

    i. Go to Integrate of your trigger, set Authorization level to Anonymous enter image description here

    ii. Got to Authentication / Authorization and configure Azure AD

    enter image description here

  2. Register a clent application in AD on the azure portal. For more details, please refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad.

    a. Open the Azure Active Directory and click the App registrations , choose New application registration.

    b. Enter your Name and Redirect URL, you can write anything. Then click create button.

    c. Settings-> Required permissions -> add, choose the application you use in the step1

    d. Select permission -> APPLICAION PERMISSIONS ->Select->Done->Grant Permissions->Yes

    e. Create a key and copy it

    f. Copy the Application ID

  3. Test

Get Token:

METHOD: POST

Url : https://login.microsoftonline.com/your directory ID/oauth2/token 

HEADERS:  Content-Type : application/x-www-form-urlencoded

BODY:
grant_type+=client_credentials&resource+=”your Function APP ID”&client_id+++++=”the application that your register  id”&client_secret+=”the key you create”

Test Function:

METHOD: Get

Url : https://<Functionname>.azurewebsites.net/api/HttpTriggerCSharp1?name=azure

HEADERS:  Authorization : Bearer <access token>

enter image description here enter image description here enter image description here