(I apologize for the length of this question; I wanted to be thorough.)
I'm new to Azure and am trying to set up a "serverless" API which requires authentication. I have a Function which behaves correctly when authentication is not enabled (basically just "Hello, world" in Node.js). However, when I enable authentication, the only response I get is:
You do not have permission to view this directory or page.
To enable authentication, I:
- Went to Azure Active Directory in the Azure portal.
- Went to App Registrations.
- Created a new registration for my Functions app.
- Added a Web redirect URI of
https://<myapp>.azurewebsites.net/.auth/login/microsoftaccount/callback. - Created a new client secret for my app.
- Went to my app from the Dashboard, selected the "Platform features" tab, and clicked on "Authentication / Authorization".
- Enabled "App Service Authentication".
- Configured the Microsoft authentication provider with the above registration's Application ID and client secret.
- Set "Action to take when request is not authenticated" to "Log in with Microsoft Account".
At this point, I can no longer access my API endpoint without authentication (as expected). I then configured Postman to obtain a token by:
- Selecting the Authorization tab.
- Setting the Type to "OAuth 2.0".
- Clicking "Get New Access Token".
- Setting the following values:
- Grant Type: Authorization Code
- Callback URL:
https://<myapp>.azurewebsites.net/.auth/login/microsoftaccount/callback(the same as I entered into my App Registration, above). - Auth URL:
https://login.microsoftonline.com/<Directory (tentant) ID>/oauth2/authorize?resource=<Application (client) ID> - Access Token URL:
https://login.microsoftonline.com/<Directory (tentant) ID>/oauth2/token?resource=<Application (client) ID> - Client ID: <Application (client) ID>
- Client Secret: <Client secret>
- Scope: <empty>
- State: <empty>
- Client Authentication: Send as Basic Auth Header
- Clicking the "Request Token" button.
- Logging in as myself in the window which pops up. (Only happened the first time; presumably my credentials are being cached somewhere.)
- Clicking the "Use Token" button.
- Clicking the "Preview Request" button.
When I then click "Send", I get the error above. If I disable authentication or change "Action to takeā¦" to allow unauthorized requests, it begins working again (but doesn't, of course, require authentication). I've run the JWT that Postman receives through JWT.io and the payload looks reasonable, as far as I can tell:
{
"aud": "<Application (client) ID>",
"iss": "https://login.microsoftonline.com/<Directory (tentant) ID>/v2.0",
"iat": 1558488698,
"nbf": 1558488698,
"exp": 1558492598,
"aio": "<base64? data>",
"azp": "<Application (client) ID>",
"azpacr": "1",
"idp": "live.com",
"name": "Ben Blank",
"oid": "<a GUID I don't recognize>",
"preferred_username": "[email protected]",
"scp": "User.Read",
"sub": "<base64? data>",
"tid": "<Directory (tentant) ID>",
"uti": "<base64? data>",
"ver": "2.0"
}
Can anyone tell me what I've done wrong?
