 

Azure Function authentication using Azure Active Directory

I wanted to enable authentication on Azure Functions. So, I decided to go with EasyAuth (Authentication/Authorization link under platform features) and was successfully able to configure the authentication process.

The authentication works when I manually sign in to the Azure Function endpoint. But when I try to programmatically access the API, without any manual user intervention, I'm facing an authentication issue:

Status Code:401, Unauthorized

I get an access token from AAD using clientID and clientSecret using the following code:

AuthenticationContext context = new AuthenticationContext("https://login.windows.net/<tenant-id>");
string key = "<client-secret>";
ClientCredential cc = new ClientCredential("<client-id>", key);
AuthenticationResult result = context.AcquireTokenAsync("https://<AzureFunctionAppName>.azurewebsites.net/", cc).Result;
return result.AccessToken;

Then I'm trying to send the Access Token received in the header for a new request to my API:

var content = "{\"on\":true, \"sat\":254, \"bri\":254, \"hue\":10000}";
var AADToken = GetS2SAccessToken();
HttpClient Client = new HttpClient();
Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
var foo = Client.PostAsync("https://<AzureFunctionAppName>.azurewebsites.net/.auth/login/aad", new StringContent(content.ToString())).Result;
Console.WriteLine($"result: {foo}");

But the above code is resulting in unauthorized calls. I am not sure what I'm doing wrong.

Vishal Sinha asked Nov 27 '18 12:11




2 Answers

We could use the access token to access your Azure Function API directly, if your Azure Function authentication level is anonymous or function key is also required.

I get the access token in the way you mentioned. According to the Azure Resources portal (https://resources.azure.com/), the default allowedAudiences is

  "https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"

So I add https://{functionAppName}.azurewebsites.net/ as an allowed audience

Then I can use the access token directly. I test it with postman.


We also could use the following way to get easy auth token. The access token is the token that you got.

Post https://xxx.azurewebsites.net/.auth/login/aad
Content-Type:application/json
{
    "access_token":"eyJ0eXAiOix...rtf2H7lyUL-g34HVw"
}

After that we could use the token we got to access the Azure Function API

Note: Header is x-zumo-auth: token

Tom Sun - MSFT answered Sep 17 '22 06:09
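A way to check the audience mismatch described in the answer above before changing any configuration: decode the token's `aud` claim and compare it with the allowedAudiences list. This script is an added example, not part of the original answer; the app name `contoso-func`, the function names and the sample token are constructed, and exact string matching of the audience is an assumption of the example.

```python
import base64
import json
from urllib.parse import urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_report(jwt: str, allowed_audiences: list) -> dict:
    """Compare the token's aud claim with the configured allowedAudiences."""
    aud = token_claims(jwt).get("aud")
    auds = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
    accepted = any(a in allowed_audiences for a in auds)
    # Entries on the same host as aud but not identical to it: the usual
    # sign that the token was requested for a different resource string.
    same_host = sorted({
        c for c in allowed_audiences for a in auds
        if c != a and urlparse(c).netloc
        and urlparse(c).netloc.lower() == urlparse(str(a)).netloc.lower()
    })
    return {"aud": aud, "accepted": accepted, "same_host": same_host}


def make_sample_token(aud: str) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"aud": aud}), "c2ln"])


if __name__ == "__main__":
    # Constructed values: hypothetical app name, default-style allowedAudiences.
    app = "https://contoso-func.azurewebsites.net/"
    allowed = [app + ".auth/login/aad/callback"]
    print(audience_report(make_sample_token(app), allowed))
    print(audience_report(make_sample_token(app), allowed + [app]))
```

The payload is read without signature verification, so the output is only for debugging a 401, not for trusting the token.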


Regarding the issue, you need to create a client app to call your Azure function. The detailed steps are as below.

  1. Configure Azure AD for Azure Function. Please refer to https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings#auth.

    i. Go to Integrate of your trigger, set Authorization level to Anonymous

    ii. Go to Authentication / Authorization and configure Azure AD

  2. Register a client application in AD on the Azure portal. For more details, please refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad.

    a. Open the Azure Active Directory and click App registrations, choose New application registration.

    b. Enter your Name and Redirect URL, you can write anything. Then click create button.

    c. Settings-> Required permissions -> add, choose the application you use in the step1

    d. Select permission -> APPLICATION PERMISSIONS -> Select -> Done -> Grant Permissions -> Yes

    e. Create a key and copy it

    f. Copy the Application ID

  3. Test

Get Token:

METHOD: POST

Url : https://login.microsoftonline.com/<your directory ID>/oauth2/token

HEADERS:  Content-Type : application/x-www-form-urlencoded

BODY:
grant_type=client_credentials&resource=<your Function APP ID>&client_id=<ID of the application that you registered>&client_secret=<the key you created>

Test Function:

METHOD: Get

Url : https://<Functionname>.azurewebsites.net/api/HttpTriggerCSharp1?name=azure

HEADERS:  Authorization : Bearer <access token>

Jim Xu answered Sep 18 '22 06:09