1
votes

I am using Azure Functions v3

I am trying to use Authentication and I have set my function to User level security for its HttpTriggers

The logic below is called on the startup of my function

       protected override void SetupAuthentication(IServiceCollection services, 
            IConfiguration configuration)
        {
            var tokenOptions = configuration.GetSection("JwtIssuerOptions")
                .Get<TokenConfiguration>();
            
            var tokenValidationParameters = new TokenValidationParameters
            {
                // The signing key must match!
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = tokenOptions.SecurityKey,
                // Validate the JWT Issuer (iss) claim
                ValidateIssuer = true,
                ValidIssuer = tokenOptions.Issuer,
                // Validate the JWT Audience (aud) claim
                ValidateAudience = true,
                ValidAudience = tokenOptions.Audience,
                // Validate the token expiry
                ValidateLifetime = true,
                // If you want to allow a certain amount of clock drift, set that here:
                ClockSkew = TimeSpan.Zero
            };
            
            services.Configure<IdentityConfiguration>(configuration.GetSection("IdentityConfiguration"));
            services.AddScoped<CustomJwtBearerEvents>();

            services
                .AddAuthentication(o =>
                {
                    o.DefaultForbidScheme = JwtBearerDefaults.AuthenticationScheme;
                    o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                })
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = tokenValidationParameters;
                    options.EventsType = typeof(CustomJwtBearerEvents);
                });

        }

When I call the function externally I get the error

No authentication handler is registered for the scheme 'WebJobsAuthLevel'. 

The registered schemes are: Bearer. Did you forget to call AddAuthentication().AddSomeAuthHandler?.

What have I missed?

I need to mimic the same convention as web apps

[FunctionName("GetPayments")] public async Task<List> GetPaymentsAsync( [HttpTrigger(AuthorizationLevel.User, "post", Route = "payments/get-payments")] HttpRequest req , ILogger log) { var data = await req.ReadAsStringAsync();

       //THis is where I have my logic which I only want to be able to access if the user has permissions
    }

I have seen the link below

https://damienbod.com/2020/09/24/securing-azure-functions-using-azure-ad-jwt-bearer-token-authentication-for-user-access-tokens/comment-page-1/?unapproved=127819&moderation-hash=3fdd04b596812933c4c32e8e8c8cf26a#comment-127819

It initially looked to be what I need, but I cant work out how to adapt it so that it just uses the identity token validation side

Any help would be appreciated

Paul

1
Hey Paul, any luck with that? I have a same issue with IS4 - Roman Borovets

1 Answers

0
votes

Have a look at: https://www.nuget.org/packages/DarkLoop.Azure.Functions.Authorize

The latest version ensures all built-in authentication is in place before you add your own or extend the built-in ones. By the way JTW Bearer is already configured by the Functions runtime.

All you need to do is call in your method

services.AddFunctionsAuthentication()

and then chain whatever other schemes you need to configure. The resulting authentication builder is designed to handle modifications to the jwt bearer (AddJwtBearer(options => ...) and will not break telling you the Bearer scheme already exists.

This package also gives you the ability to use the FunctionsAuthorize attribute to handle granular authorization requirements for your HTTP functions. Here is a blog post with details: https://blog.darkloop.com/post/functionauthorize-for-azure-functions-v3