Using OpenIdConnect with AzureFunctions

I'm using azure functions to host an API for a react app, however I'm also using the same azure function to host the html/js/css for the app (via proxy functions to static files on blob storage).

I have been using EasyAuth to provide authentication for it, which has been working brilliantly; however, I need to support an identity provider that isn't built into EasyAuth (and it doesn't support custom ones at all). This means I'm falling back to using the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

I have registered the auth in my startup file

    builder.Services
        .AddAuthentication()
        .AddCookie("WebJobsAuthLevel") // errors without this, although I suspect it's wrong
        .AddCookie("Bearer") // errors without this, although I suspect it's wrong
        .AddOpenIdConnect("custom", o =>
        {
            o.MetadataAddress = "https://localhost:44320/.well-known/openid-configuration";
            o.ClientId = "clientid";
            o.ClientSecret = "secret";
            // ResponseType (not ResponseMode) is the property that takes "code";
            // ResponseMode takes "query", "form_post" or "fragment"
            o.ResponseType = OpenIdConnectResponseType.Code;
            o.SignInScheme = "Cookies";
            o.GetClaimsFromUserInfoEndpoint = true;
        });

along with a function that lets me trigger the challenge

    [FunctionName("CustomAuth")]
    public Task<IActionResult> Challenge(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = ".auth/login/custom")] HttpRequest req,
        ILogger log)
    {
        // Returning a ChallengeResult for the "custom" scheme redirects the browser to the provider
        return Task.FromResult<IActionResult>(new ChallengeResult("custom"));
    }

If I hit this function it works great, redirecting to the auth provider to log in.

However, once I log in, it redirects back to my function app, which 404s:

http://localhost:7071/signin-oidc?querystringhere

At this stage I'm guessing that AddAuthentication isn't able to hook into incoming web requests like it can when using it in ASP.NET Core MVC. Wondering if there's a known way that I can hook this up, either at a lower level or via custom Azure Functions.

Betty asked Aug 08 '19 03:08

1 Answer

  • Add a reference to Microsoft.Azure.WebJobs.Script.WebHost
  • Create an AzureFunctions middleware using the relatively new IJobHostHttpMiddleware interface
  • Register this middleware as a service

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Http;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Hosting;
    using Microsoft.Extensions.DependencyInjection;
    // IJobHostHttpMiddleware and the AddArmToken/AddScriptAuthLevel/AddScriptJwtBearer
    // extensions come from the Microsoft.Azure.WebJobs.Script.WebHost reference added above.

    [assembly: WebJobsStartup(typeof(Startup))]

    // Runs the standard ASP.NET Core AuthenticationMiddleware inside the Functions host
    // pipeline, so the OIDC handler gets to see the /signin-oidc callback request.
    public class AzureFunctionsAuthenticationMiddleware : IJobHostHttpMiddleware
    {
        private readonly IAuthenticationSchemeProvider _schemeProvider;

        public AzureFunctionsAuthenticationMiddleware(IAuthenticationSchemeProvider schemeProvider)
        {
            _schemeProvider = schemeProvider;
        }

        public Task Invoke(HttpContext context, RequestDelegate next)
        {
            return new AuthenticationMiddleware(next, _schemeProvider).Invoke(context);
        }
    }

    public class Startup : IWebJobsStartup
    {
        public void Configure(IWebJobsBuilder builder)
        {
            builder.Services.AddHttpContextAccessor();

            // Register the middleware so the host inserts it into its HTTP pipeline
            builder.Services.AddSingleton<IJobHostHttpMiddleware, AzureFunctionsAuthenticationMiddleware>();

            builder.Services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            // Keep the host's own schemes so function keys and ARM tokens keep working
            .AddArmToken()
            .AddScriptAuthLevel()
            .AddScriptJwtBearer()
            .AddCookie()
            .AddOpenIdConnect("custom", o =>
            {
                o.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
                o.SignInScheme = "Cookies";

                o.MetadataAddress = "metadata address";
                o.ClientId = "clientid";
                o.ClientSecret = "secret";
                o.ResponseMode = "query";
                o.ResponseType = "code";
            });
        }
    }

This resolves the signin-oidc 404. I'm now hitting another issue around invalid OpenID messages, which I'm not sure is related (e.g. I think my OpenID Connect server isn't correct rather than my client).

Betty answered Oct 15 '22 23:10
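As an added example (not code from the question or the answer) of how functions can consume the principal that the hooked-in AuthenticationMiddleware populates: a function that returns the signed-in user's basic claims or re-issues the "custom" challenge, and a logout function that ends both the local cookie session and the provider session. It assumes the Startup above is in place (cookie as the default scheme, OIDC scheme named "custom"); the route names and claim selection are illustrative.

```csharp
// Added example, not code from the question or answer. Assumes the Startup above is in place
// (cookie as the default scheme, OIDC scheme named "custom"); route names are illustrative.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;

public static class ProtectedApi
{
    // AuthorizationLevel.Anonymous disables function-key checks, so the only gate here is the
    // principal that AuthenticationMiddleware built from the auth cookie. Unauthenticated
    // callers get the "custom" challenge, which sends the browser to the OIDC provider.
    [FunctionName("Me")]
    public static IActionResult Me(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "me")] HttpRequest req)
    {
        ClaimsPrincipal user = req.HttpContext.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Name the scheme explicitly: the host also registers ARM and JWT bearer schemes.
            return new ChallengeResult("custom");
        }

        // Return only the claims the app needs rather than echoing the whole principal;
        // group by type because a principal may carry several claims of the same type.
        var claims = user.Claims
            .Where(c => c.Type == ClaimTypes.NameIdentifier || c.Type == ClaimTypes.Name)
            .GroupBy(c => c.Type)
            .ToDictionary(g => g.Key, g => g.First().Value);
        return new OkObjectResult(claims);
    }

    // Clears the local cookie session and asks the provider to end its session too, so the
    // next request cannot be silently re-authenticated from a lingering provider session.
    [FunctionName("Logout")]
    public static async Task<IActionResult> Logout(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = ".auth/logout")] HttpRequest req)
    {
        await req.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await req.HttpContext.SignOutAsync("custom");
        return new OkResult();
    }
}
```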