Is enriching an Azure AD B2C Token with extra claims using an Azure Function app possible? - azure

I am attempting to set up an Azure B2C instance, and I want to enrich the token with extra claims using an API Connector.
Can I use an Azure Function app function as the API?
I can't see any way to do this using the authentications allowed: the API Connector only seems to allow Basic (username/password) or Certification authentication, whilst the Function App requires an x-functions-key in the header.
Am I heading down the wrong path with this? Should I use a simple API?

#juunas got it right in the comments.
https://<myfunctionApp>.azurewebsites.net/api/GetClaims?code=<mykey>

Related

Azure DevOps API Authentication

I would like to use the Azure DevOps API to create a PAT for my user, but I'm unable to authenticate yet. In this document from Microsoft, they state that authentication is possible with a PAT, but it is not true. I'm getting an HTTP 203 with a Sign In page in response.
PS: I'm using Postman to test the API requests.
I think the security section of this REST API is misleading.
In fact, this REST API cannot be authenticated with PAT, as mentioned in another document:
To use the API, you must authenticate with an Azure AD token.
Unlike other Azure DevOps Services APIs, users must provide an Azure AD access token to use this API instead of a PAT token. Azure AD tokens are a safer authentication mechanism than using PATs. Given this API’s ability to create and revoke PATs, we want to ensure that such powerful functionality is given to allowed users only.
This document also explains how to use this REST API in detail, which you can refer to.
Yes, it does work; you're just not setting it up right.
Look at the Basic Authentication section of this document. You need to base64-encode the username and password like this: username:PAT. Separate the two with a colon.

How to check authorization with Azure Functions

I'm using Azure Functions to be the middleman between my Xamarin Forms app and my CosmosDB Table. I think I understand how authentication works using Active Directory B2C, but I'm unclear about how authorization checks take place.
My understanding is that I can enable Active Directory B2C to authenticate the user and give them an access token. I can then make an HTTP call to an Azure Function with the token as a parameter. How do I check that the token is correct for that user? Ultimately, I want to protect the data in the Table and only give data relevant to that specific user.
There are at least 2 approaches to validate tokens in Azure Functions:
The first is that you could do it manually: https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions/blob/12640a348852696ac0d01e7adfd937900ef8ea40/Function/BootLoader.cs#L73.
This uses Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt to get the configuration from the metadata endpoint and validate the token.
The main difference for you would be the openid-configuration URL, which you can get from the view that allows you to run a B2C user flow for testing in Azure portal.
Another approach is to use App Service Authentication: https://cgillum.tech/2016/05/27/app-service-auth-and-azure-ad-b2c/.

How to use multiple authentication schemes in Azure Functions

I have an Azure Functions app and in Azure Portal I have configured Easy Auth -> Azure Active Directory.
The requirement is, that the API must support both AAD and some custom JWT Authentication, so that the consumer can Authenticate either using AAD or JWT.
How can I support multiple authentication mechanisms in Azure Functions?
As Easy Auth is actually an IIS module, I believe you'll need to receive the token in your Azure Function and programmatically validate it against the supported providers.
Do it the same way you would do it in an ASP.NET Core application by using this package: DarkLoop.Azure.Functions.Authorize for Functions V3+, or DarkLoop.Azure.WebJobs.Authorize for Functions V2.
You can read this blog post for more information.
It will allow you to configure as many authentication protocols for authentication with the power of policies for every individual HTTP triggered function.

call an azure functions from a web app using msal on-behalf

I'm developing an application that has a web front end and an Azure Function in the backend. I have protected the Azure Function using EasyAuth. The application is multitenant and I want to call the Azure Function on behalf of the user authenticated on the web. I want to use MSAL. I obtain a token on behalf of the user, I check it with jwt.io and all the information is correct, the scope is OK, but when I call the function adding the Authentication token "Bearer:xxxxxxxxxxx" I obtain a 401. It seems to me that the problem is on the Function side: same parameter, compatibility with MSAL...
Is there a recommended architecture for this scenario? I found many but nothing specific about Azure Functions, EasyAuth and on-behalf MSAL tokens.
Unfortunately, we cannot use the v2 endpoint (MSAL) to authenticate an Azure Function in the Azure Portal for now.
Currently, the authentication providers in Azure Web App service include Azure Active Directory, and it uses the v1 endpoint to redirect.
You can find more details here.
I'm not sure if it'd meet all your requirements, but you could front the web app with API management using OAuth2 and then set headers to appropriate values and redirect to an HTTP Trigger for your function using one of the AuthorizationLevel options available.
Sounds like EasyAuth is on people's minds already and there may be a solution for you somewhere in the comments on the GitHub ticket.

Azure AD B2C + App Service + Functions : How to flow the auth?

I have a Web App (VueJS + ASP .NET Core backend) hosted on Azure App Service and I use Azure AD B2C for authentication. I also have a Functions App that I want to call from the client code but I’m not sure what’s the best way to flow the auth to the Functions.
I can register the Functions App in B2C and set Easy Auth but how do I flow the already authenticated user from the client to the Function?
I can create a custom JWT token and be done with it but is it possible to flow a B2C token to the Function? If so, how do I validate the token?
If Easy Auth didn't work for you, there is a workaround and yes, it is a manual task.
Send the B2C token in a header while calling the Azure Function.
Read the token at the function level and validate the JWT token.
You can easily validate a JWT token by decoding it / writing simple code.
Check the Validate JWT SO post.
This manual validation is also secure and safe to use.
You can handle Azure B2C validation the same way I did here on GitHub.
There are several problems to handle:
1. Load token from valid b2c policy
2. Validate it depending on rules set.
3. Set up validation on Startup/Attribute in order not to create boilerplate code.
4. Currently AF 2.0 does not support invocation short circuits, so you need to properly handle your 401 codes.
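The manual validation that the answers above describe (pull the bearer token out of the request, load the B2C policy's metadata, validate the JWT, and return the 401 yourself because the Functions runtime cannot short-circuit the call) as an added example; this is not code from any of the posters or from the linked samples. The tenant name, policy name and audience are hypothetical, and the code targets the in-process Azure Functions v3 model with Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ProtectedFunction
{
    // Hypothetical tenant name, user flow (policy) and client id of the API's app registration.
    const string Tenant = "contoso";
    const string Policy = "B2C_1_signupsignin";
    const string Audience = "00000000-0000-0000-0000-000000000000";
    // Fetches issuer and signing keys from the policy's openid-configuration endpoint and caches
    // them; the metadata URL is the one shown under "Run user flow" in the B2C portal blade.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{Policy}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Returns the validated principal, or null when the bearer token is missing or fails any check.
    public static async Task<ClaimsPrincipal> ValidateAsync(HttpRequest req)
    {
        string auth = req.Headers["Authorization"];
        if (auth == null || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return null;
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // only tokens minted by this tenant/policy pass
            ValidAudience = Audience,               // rejects tokens issued for a different API
            IssuerSigningKeys = config.SigningKeys  // lifetime validation is on by default
        };
        try { return new JwtSecurityTokenHandler().ValidateToken(auth.Substring(7), parameters, out _); }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException) { return null; }
    }

    // Functions v2/v3 cannot short-circuit the call from a filter, so the 401 is returned explicitly.
    [FunctionName("GetMyData")]
    public static async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)
    {
        ClaimsPrincipal user = await ValidateAsync(req);
        if (user == null) return new UnauthorizedResult();
        // Scope the data to the caller's B2C object id, never to a client-supplied user id.
        string userId = user.FindFirst("oid")?.Value ?? user.FindFirst("sub")?.Value;
        return new OkObjectResult(new { userId });
    }
}
```

Because the issuer in B2C metadata is policy-specific, a token from a different user flow fails the issuer check; supporting several flows or a second provider means one ConfigurationManager per metadata URL and trying each set of parameters in turn.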