Azure AD B2C + App Service + Functions : How to flow the auth? - azure

I have a Web App (VueJS + ASP .NET Core backend) hosted on Azure App Service and I use Azure AD B2C for authentication. I also have a Functions App that I want to call from the client code but I’m not sure what’s the best way to flow the auth to the Functions.
I can register the Functions App in B2C and set Easy Auth but how do I flow the already authenticated user from the client to the Function?
I can create a custom JWT token and be done with it but is it possible to flow a B2C token to the Function? If so, how do I validate the token?

If Easy Auth didn't work for you, there is a workaround and yes it is a manual task.
Send B2C token in header while calling Azure Function
Read the token at the function level and validate the JWT token.
You can easily validate JWT token by decoding/ writing simple code
Check Validate JWT SO post
This manual validation also secure and safe to use.

You can handle Azure B2C validation the same way I did here Github
There are several problems to handle:
1. Load token from valid b2c policy
2. Validate it depending on rules set.
3. Setup Validation on Startup/Attribute in order not to create boilerplate code.
4. Currently AF 2.0 does not support invocation short circuits, so you need to properly handle your 401 codes.

Related

What is the flow of Azure AD based authentication in a project having SPA and web api?

I have a front end SPA (single page application) and back end api.
Each event in the SPA (like button click) invokes the respective api endpoint, and displays the result in the SPA.
I want to implement Azure AD based authentication so that only my Azure Tenant users are able to use the SPA/api.
Is the following flow correct approach to implementing such a feature:
User opens the SPA
User clicks on login button which opens Microsoft login popup
User enters Microsoft credentials in the popup, and if credentials are correct then user gets the JWT token
For every subsequent api request, the JWT token is placed in the bearer header
The endpoint validates the JWT token using Azure public key and rejects the request if token is missing or validation fails.
Is this flow correct and what is such a flow called?
There are several implementation steps that needs to be performed before you will have the flow that you have described:
User flow needs to be configured (Azure AD) - e.g. selfsignup allowed?
Backend and frontend applications needs to be registered (Azure AD)
Permissions and scopes needs to be added (Azure AD)
Backend API needs to be configured (e.g. API management) in order to validate the JWT token
I highly recommend to configure one of the Azure sample implementations end2end to get and idea of all the needed tasks: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-spa-app
The steps you outlined are correct.
An OAuth 2.0 "flow" outlines the steps to acquire a token from an Identity Provider (IdP). Since you are using a SPA, there are some restrictions on which flows you can use. A SPA can't act as a "Confidential Client" which is required for some flows. (Basically - the Client Secret required for the other flows would be visible in the browser network trace, so it's not "confidential".) The "Implicit Flow" used to be recommended for SPAs but it's less secure, so now the "Authorization code flow (with PKCE)" is recommended. Steps 2 & 3 in the question above are when you are executing the flow to acquire a token.
The authentication flow doesn't really address how you save and send the token to the API (#4 in the question), but the Microsoft Authentication Library (MSAL) helps with that - More information here - https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-overview
In Azure AD, you'll want 2 App Registrations - one for your SPA and one for your API. The API App Registration will need to "Expose an API" which really means to define a scope. Your SPA App Registration will need to Add an "API Permission" to the scope you defined from your API App Registration. (It will show up in My APIs.) This relationship is how #5 in the question is enforced.
Many of the steps for setting up authentication in Azure AD and Azure B2C are similar but Azure AD is designed for authenticating users that are part of your organization. Azure B2C allows you to build a set of users that aren't members of a particular Azure AD organization.

AAD B2C Authentication for Dockerized Azure Function App

We are currently successfully running a Node.js Azure Function App deployed in an App Service in Azure with AAD B2C authentication as backend for a React-based Single-Page Application. User authentication in the SPA is done with Azure AAD B2C, where users obtain a JWT Token which is used as Bearer token for all requests against the backend API.
This works great.
Due to different reasons, we now need to dockerize our Function App and move it inside a Kubernetes cluster. This prevents us from using the AAD B2C integration of the Function App in the App Service for protecting the API, hence we need a different approach to validate the Bearer tokens of the requests.
From what we understand, there are two possible options to do this:
passport.js
MSAL
passport.js seems to work great for all Express-based apps and is therefore not suitable for us as our Function App is not Express-based.
We also had a look at msal-node and various examples using it, but struggle to understand exactly where and how our token validation fits and which (if any) of the examples fits our use case.
Are we looking in the right direction with msal-node and if so, how can we accomplish the task of protecting a containerized Node.js Azure Function App by validating the Bearer token with the AAD B2C?
We found a working solution. Turns out we were thinking way too complicated and "normal" JWT verification is exactly what we needed to do.
This StackOverflow post describes exactly what we were trying to achieve.

How to get JWT from Azure SSO Login

I am using Azure SSO Login to get authenticated to our own application.
Everything works fine except the fact that I would like to have JSON Web Token (JWT) which I could use in order to make some API calls to Microsoft Azure after login.
Azure SSO does not return JWT after login, is there any way to obtain it?
Mirko
Scenarios that you may refer to get idea in addition with #juunas suggestion:
This Microsoft docs tutorial of JavaScript single-page
application (SPA) signs in users and calls Microsoft Graph by using
the authorization code flow with PKCE. The SPA uses the Microsoft
Authentication Library (MSAL) for JavaScript v2.0.
This scenario uses js frontend and php backend with azure ad which might give an idea
Its Flow :
A user accesses front end
If the user is not authenticated, he will be redirected to Azure Active Directory (AAD) to login
AAD will redirect (on success) with an authorization token
We’ll inject this authorization token into the calls made to the backend (to prove your identity)
The backend API will validate the authorization token and verify it against the issuer (AAD)
Protect an API by using OAuth 2.0 with Azure Active Directory> This case registers two apps for azure AD - backend app and front end app ,uses validate-jwt policy to validate the OAuth token

Is the Azure Active Directory Access Token valid for ReAuthentication with a Custom WCF Policy?

I am retrieving an Azure AD access token using MSAL.js at the client and passing it as Authorization header to web api hosted in WCF API Management. But I get an error along with all the proper response as well my username and email
Cannot validate access token. IDX10501: Signature validation failed.
Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
The API is a WCF service configured with a custom policy binding for OAuth with the metadataEndpoint or even the v2 version https://login.microsoftonline.com/{tenantid}/.well-known/openid-configuration .
I guess the Azure AD Access token that I have is not meant for validating authentication again.
My guess I might be either missing permissions on the App registration but I couldn't find an API permission for exact authentication/authorization.
I believe with new Azure AD , we cannot authenticate the earlier manner by just passing a token and need to use MSAL standard libraries.
Could someone shed some more light on this.
I used an ID Token and then it worked. You get 2 tokens when authenticated so the ID token seems to work.

How to check authorization with Azure Functions

I'm using Azure Functions to be the middleman between my Xamarin Forms app and my ComosDB Table. I think I understand how authentication works using Active Directory B2C, but I'm unclear about how authorization checks take place.
My understanding is that I can enable Active Directory B2C to authenticate the user and give them an access token. I can then make an http call to an Azure Function with the token as a parameter. How do I check that the token is correct for that user. Ultimately, I want to protect the data in the Table and only give data relevant to that specific user.
There are at least 2 approaches to validate tokens in Azure Functions:
The first is that you could do it manually: https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions/blob/12640a348852696ac0d01e7adfd937900ef8ea40/Function/BootLoader.cs#L73.
This uses Microsoft.IdentityModel.Protocols.OpenIdConnect and System.IdentityModel.Tokens.Jwt to get the configuration from the metadata endpoint and validate the token.
The main difference for you would be the openid-configuration URL, which you can get from the view that allows you to run a B2C user flow for testing in Azure portal.
Another approach is to use App Service Authentication: https://cgillum.tech/2016/05/27/app-service-auth-and-azure-ad-b2c/.

Resources