How to get current user identity in Azure Function with Azure Authentication?

Question

I have created a new Function App, enabled App Service Authentication / Authorization for it ("Use Authentication / Authorization to protect your application and work with per-user data") and disabled non-authenticated requests.

Everything seems to be working correctly so far. If I try to request my HttpTriggered function, it requires me to log in first; once I'm logged in, all requests are processed as they should be. So there is no problem with "protect your application" part.

However, I'm totally stuck with the "work with per-user data" part. My Azure Function is invoked as

public static async Task<HttpResponseMessage> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)]HttpRequestMessage req, TraceWriter log)

And there is nothing related to authentication in HttpRequestMessage. (AuthorizationLevel.Anonymous seems to control the entirely different thing - namely, if the function could be called by anyone or only by those who have a fixed API key).

How do I get the identity of authenticated user who called the function?

Is your "Use Authentication / Authorization to protect your application and work with per-user data" refering to an article? i cant find one with that exact title — woelliJ, Jun 16 '17 at 11:10
@woelliJ, it refers to the hint for the "Authentication / Authorization" button in Azure portal. — penartur, Jun 16 '17 at 12:05
same problem here, I had an idea to maybe make it work with API Management? — tatigo, Jan 25 '18 at 06:04

Kzryzstof · Answer 1 · 2019-03-18T19:33:02.790

Using the Azure Function runtime v2.0.12309, you can retrieve the authenticated user information from the ClaimsPrincipal instance injected in the Run method:

public static async Task<HttpResponseMessage> Run(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)]
    HttpRequest httpRequest, 
    ILogger logger, 
    ClaimsPrincipal claimsPrincipal)
 {
            // Explores the authenticated user's claims in claimsPrincipal.
 }

score 1 · Answer 2 · answered Jan 13 '18 at 12:58

1

Logically, AuthorizationLevel.Anonymous will not give you a current claims principal.

Unfortunately, just changing to AuthorizationLevel.Function doesn't help either: For me I am finding that ClaimsPrincipal.Current is null, even after authenticating successfully via Azure Active Directory B2C.

Finally, I tried AuthorizationLevel.User, but that isn't currently supported by azure functions see here

I believe you need to follow the steps as per the accepted answer on this SO question (I'm in process of trying it now ...)

answered Jan 13 '18 at 12:58

ubienewbie

1,771
17
31

yes, that SO question does point very much in right direction. – ubienewbie Jan 14 '18 at 09:37
1

I am super confused on how you cannot get the current user but all these Azure Functions are being deployed and used. Are they not making use of the current user or something? It would seem you would want to know the user that is accessing the current resource. – Mike-E Mar 20 '18 at 19:39
1

@Mike-EEE yes, I've been wondering the same thing for a long time. Otherwise, Azure functions are a lot less useful in the real world scenarios. – Denis Molodtsov May 13 '18 at 03:10

penartur · Answer 3 · 2017-06-16T12:08:39.560

0

It seems that one can get current user name from global state System.Security.Claims.ClaimsPrincipal.Current.Identity.Name (I didn't know that when I originally posted this question). However, it is unclear if this is a reliable or recommended method of getting logged in user info.

Example:

using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Host;

namespace FunctionApp
{
    public static class Function1
    {
        [FunctionName("HttpTriggerCSharp")]
        public static async Task<HttpResponseMessage> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)]HttpRequestMessage req, TraceWriter log)
        {
            return req.CreateResponse(HttpStatusCode.OK, "Hello " + ClaimsPrincipal.Current.Identity.Name);
        }
    }
}

edited Jun 16 '17 at 12:08

answered Jun 16 '17 at 10:57

penartur

9,792
5
39
50

2

Truly confused here ... why enable authentication if you cannot access the user information that is currently logged in?! – Mike-E Mar 20 '18 at 19:59
FWIW, I am getting empty `ClaimsPrinciple.Current` as that is not yet supported in v2. – Mike-E Mar 21 '18 at 07:21
Yes this is supported only v2 as this runs on ,NET Core instead of .NET old versions. – Rare Solutions Jul 12 '19 at 17:32

score 0 · Answer 4 · answered Jun 16 '17 at 18:20

0

First class integration with App Service EasyAuth is something that isn't in place yet, but we're tracking in our repo here. We're looking at this now and will likely have some improvements in this area very soon.

As you discovered, you can enable EasyAuth and it will require login, and will flow the authenticated principal through, allowing you to access it via standard .NET APIs like ClaimsPrincipal.Current, etc. However the problem is that you had to mark your method with auth level Anonymous which isn't what you want, and requires you to reject unauthenticated requests in your method (see notes in issue referenced above).

We'll iron all these issues out soon in an upcoming release.

answered Jun 16 '17 at 18:20

mathewc

13,312
2
45
53

"the problem is that you had to mark your method with auth level Anonymous which isn't what you want" It seems that AuthenticationLevel is for completely different thing. I don't see how it is a problem in my case; what problem is there in marking my methods with AuthenticationLevel.Anonymous, if I don't want to require users to supply fixed API key? – penartur Jul 15 '17 at 10:11
1

"and requires you to reject unauthenticated requests in your method" Right now, I don't reject unauthenticated requests in my method, because Azure seems to do it for me (because I disabled non-authenticated requests on the same page where one can enable AAD/Facebook/etc auth). You seem to imply that unauthenticated users still can somehow get through to my function? – penartur Jul 15 '17 at 10:12

Mike-E · Answer 5 · 2018-03-21T09:40:16.723

Copied from my issue here, which was intended to find how to debug locally with an Azure Active Directory authenticated user.
https://stackoverflow.com/a/49402152/3602057

This will work with any provider that is configured on Azure with your Azure Function, and will work while for both local debugging and deployed scenarios.

Alright after a few more (OK, a LOT) hours, I have figured out a solution for now. This works in both local and deployed scenarios. I have posted a template solution here:

https://github.com/Mike-EEE/Stash/tree/master/AzureV2Authentication/AzureV2Authentication

Here are the steps that outline the overall process:

Sign into your function at https://function-name.azurewebsites.net
CTRL-SHIFT-C in Chrome -> Application -> Cookies -> -> AppServiceAuthSession -> Copy Value
Open local.settings.json and paste value from previous step in AuthenticationToken setting.
While you're there, paste in the URL from first step in AuthenticationBaseAddress
Launch application.
Cross fingers.
Enjoy magic (Hopefully.)

Here is the main event:

public static class AuthenticationExtensions
{
    public static Authentication Authenticate(this HttpRequest @this)
    {
        var handler = new HttpClientHandler();
        var client = new HttpClient(handler) // Will want to make this a singleton.  Do not use in production environment.
        {
            BaseAddress = new Uri(Environment.GetEnvironmentVariable("AuthenticationBaseAddress") ?? new Uri(@this.GetDisplayUrl()).GetLeftPart(UriPartial.Authority))
        };
        handler.CookieContainer.Add(client.BaseAddress, new Cookie("AppServiceAuthSession", @this.Cookies["AppServiceAuthSession"] ?? Environment.GetEnvironmentVariable("AuthenticationToken")));

        var service = RestService.For<IAuthentication>(client);

        var result = service.GetCurrentAuthentication().Result.SingleOrDefault();
        return result;
    }
}

Note that:

An HttpClient is created for each call. This is against best practices.
Sample code is based on EasyAuth sample by @stuartleeks
This solution makes use of the excellent Refit project to get its data.

Here are the remaining classes of interest, for the sake of completeness:

public class Authentication // structure based on sample here: https://cgillum.tech/2016/03/07/app-service-token-store/
{
    [JsonProperty("access_token", NullValueHandling = NullValueHandling.Ignore)]
    public string AccessToken { get; set; }
    [JsonProperty("provider_name", NullValueHandling = NullValueHandling.Ignore)]
    public string ProviderName { get; set; }
    [JsonProperty("user_id", NullValueHandling = NullValueHandling.Ignore)]
    public string UserId { get; set; }
    [JsonProperty("user_claims", NullValueHandling = NullValueHandling.Ignore)]
    public AuthenticationClaim[] UserClaims { get; set; }
    [JsonProperty("access_token_secret", NullValueHandling = NullValueHandling.Ignore)]
    public string AccessTokenSecret { get; set; }
    [JsonProperty("authentication_token", NullValueHandling = NullValueHandling.Ignore)]
    public string AuthenticationToken { get; set; }
    [JsonProperty("expires_on", NullValueHandling = NullValueHandling.Ignore)]
    public string ExpiresOn { get; set; }
    [JsonProperty("id_token", NullValueHandling = NullValueHandling.Ignore)]
    public string IdToken { get; set; }
    [JsonProperty("refresh_token", NullValueHandling = NullValueHandling.Ignore)]
    public string RefreshToken { get; set; }
}
public class AuthenticationClaim
{
    [JsonProperty("typ")]
    public string Type { get; set; }
    [JsonProperty("val")]
    public string Value { get; set; }
}
interface IAuthentication
{
    [Get("/.auth/me")]
    Task<Authentication[]> GetCurrentAuthentication();
}
public static class Function1
{
    [FunctionName("Function1")]
    public static IActionResult Run([HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequest req, TraceWriter log)
    {
        log.Info("C# HTTP trigger function processed a request.");

        var authentication = req.Authenticate();

        return authentication != null
            ? (ActionResult)new OkObjectResult($"Hello, {authentication.UserId}")
            : new BadRequestObjectResult("Authentication not found. :(");
    }
}

score 0 · Answer 6 · answered Jun 16 '23 at 16:41

Update for anyone looking at this in 2023 and beyond you want to look at https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-user-identities which shows the use of the X-MS-CLIENT-PRINCIPAL header. Given the way MS works I don't know if it applies to every auth technique they have but I used it for AD integration with a Static Web app and an Azure Function behind it.

How to get current user identity in Azure Function with Azure Authentication?

6 Answers6

Linked