
This was working up until recently when I must have broken something without realising it.

When attempting to call an azure function through postman I get the following:


The bearer token being passed in is definitely correct (or at least I don't think I changed anything about it). I basically followed the guide here where I built a url like so:

https://login.windows.net/[tenant_id]/oauth2/authorize?response_type=code+id_token&redirect_uri=https://localhost:8080/&client_id=[client_id]&scope=openid+profile+email&response_mode=fragment&state=redir%3D%252Fapi%252FGetGolfers&nonce=dbaee60794b948c58f27c068611528e1_20170909014932";

I'm at a complete loss why this isn't working as it definitely was working last night. I've checked to make sure the application id/tenant id are correct several times as well. Not sure what's happening with azure ad all of a sudden...

edit:

So I just went through the instructions here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code

I was able to grab the code and get to the stage with a post request giving me the following:


The docs claim the 'access_token' can be used for webapi calls (as a bearer), but it doesn't work for me; however, the id_token used as a bearer does!

What's going on? I feel like I'm losing my mind.

meds
  • It's not clear what you're trying to do. There's no Katana middleware in Azure Functions so you can only use an access token if you turn on Authentication/Authorization for that function app (also called Easy Auth). See this - https://stackoverflow.com/a/46765687/4148708 There's also function level authorization through header/parameter you can use out of the box, here - https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook#api-key-authorization – evilSnobu Feb 04 '18 at 08:16
  • I have some function apps in azure that I set to be protected and I want logged in users from Azure AD to be able to call the azure functions. I was able to get it working simply by going to the login site (login.windows etc) and redirecting to another webpage with the id_token working as a bearer token, but that stopped working. Now with the extra step in the link provided I was able to get a new id token which works, contrary to what the documentation says, so I'm very confused. – meds Feb 04 '18 at 08:37
  • But the whole point of Easy Auth is you don't do that yourself, OAuth logic is handled for you, when you get the request to your function code you know it's already authorized (id_token or access token you shouldn't even care). I feel like you're seriously over-engineering this. – evilSnobu Feb 04 '18 at 08:46
  • I need the id_token or auth_token to use in a unity app when it makes http requests to the webapi... – meds Feb 04 '18 at 09:01
  • Then check your audience claim, make sure it matches exactly what your API expects and check the permissions in Azure AD, the Unity app should have `Access YOUR_API_NAME` permissions. That's pretty much it. – evilSnobu Feb 04 '18 at 09:15

1 Answer


I set to be protected and I want logged in users from Azure AD to be able to call the azure functions.

This scenario is one where you access the Function App resources via AAD protection. It is different from creating an Open API definition in the Function.

For your scenario, if you just want to use AAD to protect your Function and access it directly via the AAD OAuth authorization code flow, you need to follow the guide you posted in the question.

The response type of the request is code+id_token, so that is the cause. You must request code and id_token from the endpoint, use the id_token for authentication, and use the code to exchange for an access_token to access the resource for authorization.

This flow is for Azure itself. Other protocols in the document are for developers. It means that those protocols are for the applications which you registered in AAD.

Wayne Yang
  • I get your answer but I'm still not sure why the link I showed said that you use the code to access resources but it's the id_token that is used as a bearer in azure functions. – meds Feb 05 '18 at 11:59
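The comment above about checking the audience claim, and the answer's point that the id_token (not the Graph access_token) is what the protected Function accepts, both come down to what is in the token's `aud` claim. The following is an added illustration, not code from the question, the answer or Azure: it builds two constructed, unsigned tokens (a hypothetical id_token whose audience is the Function app's own client_id placeholder, and an access_token minted for Microsoft Graph, as the scope in the quoted token response suggests) and runs an Easy Auth-style audience and expiry check over them. It only inspects claims and deliberately does not verify signatures.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Placeholder client_id of the protected Function app registration (not a real value).
FUNCTION_APP_CLIENT_ID = "00000000-0000-0000-0000-000000000001"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token with alg=none and an empty signature (for inspection only)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Return the payload claims; signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_bearer(token: str, expected_aud: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Accept the bearer only if its aud matches this API and it is unexpired."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, f"audience mismatch: token aud={aud!r}, expected {expected_aud!r}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed sample tokens: the id_token targets the Function app, the access_token targets Graph.
NOW = 1_700_000_000
ID_TOKEN = make_unsigned_jwt({"aud": FUNCTION_APP_CLIENT_ID, "iss": "https://sts.windows.net/TENANT/", "exp": NOW + 3600})
ACCESS_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "mail.read", "exp": NOW + 3600})
```

Running `check_bearer` on both tokens with `FUNCTION_APP_CLIENT_ID` as the expected audience accepts the id_token and rejects the Graph access token with an audience mismatch, which is the behaviour the question observes.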