Search code examples
c#azureoauth-2.0azure-active-directoryazure-web-app-service

Azure Function authentication using Azure Active Directory

I wanted to enable authentication on Azure Functions. So, I decided to go with EasyAuth (Authentication/Authorization link under platform features) and was successfully able to configure the authentication process.

The authentication works when I manually sign-in to the Azure Function endpoint. But when I try to programmatically access the API, without any manual user intervention, I'm facing authentication issue:

Status Code:401, Unauthorized

I get an access token from AAD using clientID and clientSecret using the following code:

AuthenticationContext context = new AuthenticationContext("https://login.windows.net/<tenant-id>");
string key = "<client-secret>";
ClientCredential cc = new ClientCredential("<client-id>", key);
AuthenticationResult result = context.AcquireTokenAsync("https://<AzureFunctionAppName>.azurewebsites.net/", cc).Result;
return result.AccessToken;

Then I'm trying to send the Access Token received in the header for a new request to my API:

var content = "{\"on\":true, \"sat\":254, \"bri\":254, \"hue\":10000}";
var AADToken = GetS2SAccessToken();
HttpClient Client = new HttpClient();
Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AADToken);
var foo = Client.PostAsync("https://<AzureFunctionAppName>.azurewebsites.net/.auth/login/aad", new StringContent(content.ToString())).Result;
Console.WriteLine($"result: {foo}");

But the above code is resulting in unauthorized calls. I am not sure what I'm doing wrong.

Solution

  • We could use the accesstoken to access the you azure function api directly, if your azure function authentication level is anonymous or function key is also required.

    I get the access token with your mentioned way. According to the Azure Resources portal(https://resources.azure.com/), the default allowedAudiences is 

      "https://{functionAppName}.azurewebsites.net/.auth/login/aad/callback"

    So I add the https://{functionAppName}.azurewebsites.net/ as allowed aduiences

    enter image description here

    Then I can use the access token directly. I test it with postman.

    enter image description here

    We also could use the following way to get easy auth token. The access token is the token that you got.

    Post https://xxx.azurewebsites.net/.auth/login/aad
Content-Type:application/json
{
    "access_token":"eyJ0eXAiOix...rtf2H7lyUL-g34HVw"
}

    enter image description here

    After that we could use the get token to access the azure function api

    enter image description here

    Note: Header is x-zumo-auth: token