Securing ASPNET Core Web API for calls from Azure Function
We have an exisiting ASP.NET Core Web Api in Azure that has endpoints that support Azure AD and Azure AD secured users
I want to create a new Azure Function with a Timed trigger that will call this same Web Api. The call will obviously not be in the context of a user but in the context of the Function App.
The AF is AzureFunctionsVersion "v3" with a TargetFramework of "netcoreapp3.1"
I have added an App Role to the App registration for the existing Web API
I have then requested access to the that API from the Azure Functions "Api Permissions" blade in Azure Portal
I am only running this Azure Function locally as yet so here are the values from local.settings.json. I've removed the real values
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"AzureAd:Instance": "https://login.microsoftonline.com/",
"AzureAd:Domain": "ourdomain.co.uk",
"AzureAd:TenantId": "aaaaaaaa-92eb-430b-b902-aaaaaaaaaaaa",
"AzureAd:ClientId": "aaaaaaaa-bd17-4e69-bdf6-aaaaaaaaaaaa",
"AzureAd:Audience": "https://ourdomain.co.uk/appid,
"AzureAd:ClientSecret": "THESECRET",
"PatientApi:BaseAddress": "https://myapi.com/api/",
"PatientApi:Scopes": "https://my-api-appiduri/.default"
},
}
I then try an get a token for the Azure Function by calling GetAccessTokenForAppAsync
var accessToken = await this.tokenAcquisition.GetAccessTokenForAppAsync(this.patientScope);
this.httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
this.httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
When I call GetAccessTokenForAppAsync I get the following Exception
Microsoft.Identity.Client.MsalServiceException: 'A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{CLIENTID_FOR_AZUREFUNCTION}'.
Is this AzureAd config and calling GetAccessTokenForAppAsync the right approach?
TL;DR
Whilst I had correctly configured the AzureAd values I must at some point have chosen to "Manage User Secrets" in the VS IDE. That had created a different ClientSecret and that was overriding the correct value in local.settings.json.
Thanks to this GitHub issue and comment from the MSAL team, https://github.com/AzureAD/microsoft-identity-web/issues/379#issuecomment-666526566
- Azure Queue Trigger is hit but not executing the logic inside of it
- Could not load file or assembly Microsoft.Extensions.Logging.Abstractions
- Specifying user-assigned managed identity in Azure Function Terraform script
- Azure function python app - getting nested environments variables
- Deployed functions but they are not showing up in Azure Portal
- How to properly use Azure Function Build and Deploy in Azure DevOps with multiple projects
- HTTP 404 error with Swagger UI on Azure Functions app
- TimeTrigger Exception "Could not create BlobContainerClient for ScheduleMonitor."
- How to delete /home/site/wwwroot/lib folder content before zip deployment?
- How to get the Exception (Message and StackStrace) of a Python Azure Function
- How to get client IP address in Azure Functions node.js?
- Get request headers in azure functions NodeJs Http Trigger
- Run time error after upgrading .net6 to .net8
- Why is my python app working when doing a code deployment but when using a docker image
- The listener for durable function was unable to start because the target machine actively refused it
- Azure Portal function app not showing functions after deploy from VS Code
- Azure Function App - How to upgrade .NET runtime
- Additional Python Files in azure Function
- Azure Functions Timer Trigger Configuration Not Resolving After Upgrading to .NET 8
- Azure Function Javascript Invocation hooks usage with HTTP triggers
- EventData having serialisation problem after migrating Azure function app from .NET 6 In Process to .NET 8 Isolated
- Azure function app (v4 / node.js) no functions found after zip deployment
- script not being recognized as function as a function app
- Busy line when calling my Twilio number to my Azure Function?
- Basic Azure function logging isn't working
- Issue during Upgrade of Azure functions to .NET 8 and isolated workers
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Azure Function Servicebus Queue Trigger Parameters From Azure App Configuration Service
- TaskCanceledException in Azure Function with Singleton Attribute
- Azure durable function stuck