20

I am sure someone out there has already done this, but I have yet to find any documentation with regard to the Microsoft implementation of JWT. The official documentation from Microsoft for their JWT library is basically an empty page, see:

https://learn.microsoft.com/en-us/dotnet/framework/security/json-web-token-handler-api-reference

So, here is what I (and I am sure many others) would like to accomplish:

Definition: User ID = The username or email address used to log into a system.

AUTHENTICATION:

  1. A user logs in. The user fills in web form and the system sends (via HTTPS POST) the users ID and password (hashed) to the server in order to authenticate / validate the user.

  2. Server Authenticates user. The users ID and password are checked against the values saved in the database and if NOT valid, an invalid login response is returned to the caller.

  3. Create a JWT Token - ???? No documentation available!

  4. Return the JWT token to the caller - ???? - I assume in a header? via JSON, not sure -- again - no documentation.

Given the code below, can anyone provide a code example for steps 3 and 4?

  [FunctionName( "authenticate" )]
  public static async Task<HttpResponseMessage> Run( [HttpTrigger( AuthorizationLevel.Anonymous, "get", "post", Route = null )]HttpRequestMessage req, TraceWriter log )
  {

   // Step 1 - Get user ID and password from POST data

   /*
   * Step 2 - Verify user ID and password (compare against DB values)
   * If user ID or password is not valid, return Invalid User response
   */

   // Step 3 - Create JWT token - ????

   // Step 4 - Return JWT token - ????

  }

AUTHORIZATION:

Assuming the user was authenticated and now has a JWT token (I am assuming the JWT token is saved in the users session; if someone wants to provide more info, please do):

  1. A POST request is made to an Azure Function to do something (like get a users birth date). The JWT token obtained above is loaded (from the POST data or a header - does it matter?) along with any other data required by the function.

  2. The JWT token is validated - ???? No documentation available!

  3. If the JWT token is NOT valid, a BadRequest response is returned by the function.

  4. If the JWT token is valid, the function uses the data passed to it to process and issue a response.

Given the code below, can anyone provide a code example for steps 1 and 2?

  [FunctionName( "do_something" )]
  public static async Task<HttpResponseMessage> Run( [HttpTrigger( AuthorizationLevel.Anonymous, "get", "post", Route = null )]HttpRequestMessage req, TraceWriter log )
  {

   // Step 1 - Get JWT token (from POST data or headers?)

   // Step 2 - Validate the JWT token - ???

   // Step 3 - If JWT token is not valid, return BadRequest response

   // Step 4 - Process the request and return data as JSON

  }

Any and all information would really help those of us (me) understand how to use JWT with Azure (anonymous) functions in order to build a "secure" REST API.

Thanks in advance.

bdcoder
  • 3,280
  • 8
  • 35
  • 55

5 Answers5

19

Any and all information would really help those of us (me) understand how to use JWT with Azure (anonymous) functions in order to build a "secure" REST API.

Per my understanding, you could use the related library in your azure function code to generate / validate the JWT token. Here are some tutorials, you could refer to them:

Create and Consume JWT Tokens in C#.

Jwt.Net, a JWT (JSON Web Token) implementation for .NET

JWT Authentication for Asp.Net Web Api

Moreover, you could leverage App Service Authentication / Authorization to configure the function app level Authentication / Authorization. You could go to your Function App Settings, click "NETWORKING > Authentication / Authorization" under the Platform features tab. Enable App Service Authentication and choose Allow Anonymous requests (no action) as follows:

enter image description here

You could create a HttpTrigger function with anonymous accessing for user logging and return the JWT token if the user exists. For the protected REST APIs, you could follow the code sample below:

if(System.Security.Claims.ClaimsPrincipal.Current.Identity.IsAuthenticated)
{
   //TODO: retrieve the username claim
   return req.CreateResponse(HttpStatusCode.OK,(System.Security.Claims.ClaimsPrincipal.Current.Identity as ClaimsIdentity).Claims.Select(c => new { key = c.Type, value = c.Value }),"application/json");
}
else
{
    return req.CreateResponse(HttpStatusCode.Unauthorized,"Access Denied!"); 
}

For generating the JWT token used in App Service Authentication, you could follow How to: Use custom authentication for your application and the code under custom API controller CustomAuthController from adrian hall's book about Custom Authentication to create the JWT token.

UPDATE:

For the custom authentication approach under App Service Authentication, I just want op to leverage the authentication / Authorization provided by EasyAuth. I have did some test for this approach and found it could work on my side. Op could send the username and password to the HttpTrigger for authentication, then the HttpTrigger backend need to validate the user info, and use Microsoft.Azure.Mobile.Server.Login package for issuing App Service Authentication token to the client, then the client could retrieve the token from the AuthenticationToken property. The subsequent requests against the protected APIs could look like as follows:

https://<your-funapp-name>.azurewebsites.net/api/<httpTrigger-functionName>
Header: x-zumo-auth:<AuthenticationToken>

NOTE:

For this approach, the related HttpTrigger functions need to allow anonymous accessing and the App Service Authentication also needs to choose Allow Anonymous requests (no action). Otherwise, the App Service Authentication and function level authentication would both validate the request. For the protected APIs, op needs to manually add the System.Security.Claims.ClaimsPrincipal.Current.Identity.IsAuthenticated checking.

Bruce Chen
  • 18,207
  • 2
  • 21
  • 35
  • This is helpful, so +1, but the part about custom authentication might not help with the OP's question. – Chris Gillum Mar 08 '18 at 17:29
  • 1
    For the custom authentication approach, I did some test and found it could work, so I updated my answer with the explanation. – Bruce Chen Mar 09 '18 at 02:02
  • What is gained by using "App Service Authentication" with anonymous? Isn't that equivalent to not having any authentication at all? – Dan Friedman Jun 02 '20 at 14:38
3

Try this: https://liftcodeplay.com/2017/11/25/validating-auth0-jwt-tokens-in-azure-functions-aka-how-to-use-auth0-with-azure-functions/ I successfully made it work using this guide. It took awhile due to nuget versions.

Follow that guide properly and use the following nuget versions

IdentityModel.Protocols (2.1.4)
IdentityModel.Protocols.OpenIdConenct (2.1.4)
IdentityModel.Tokens.Jwt (5.1.4)

Oh and, the guide tells you to write your AUDIENCE as your api link, don't. You'll get unauthorized error. Just write the name of your api, e.g. myapi

If you get error about System.http.formatting not being loaded when running the function, try to reinstall NET.Sdk.Functions and ignore the warning about AspNet.WebApi.Client being restored using .NETFramework. And restart visual studio.

Charles Dickens
  • 37
  • 1
  • 4
2

What you're describing is something that you should be able to do yourself by doing a little bit of research. To address your specific questions:

Create a JWT Token - ???? No documentation available!

The link Bruce gave you gives a nice example for how to create a JWT: https://www.codeproject.com/Tips/1208535/Create-And-Consume-JWT-Tokens-in-csharp

Return the JWT token to the caller - ???? - I assume in a header? via JSON, not sure -- again - no documentation.

There's no documentation because you're basically inventing your own protocol. That means how you do it is entirely up to you and your application requirements. If it's a login action, it might make sense to return it as part of the HTTP response payload. Just make sure that you're using HTTPS so that the token stays protected over the wire.

A POST request is made to an Azure Function to do something (like get a users birth date). The JWT token obtained above is loaded (from the POST data or a header - does it matter?) along with any other data required by the function.

How you send the token is, again, entirely up to you. Most platforms use the HTTP Authorization request header, but you don't have to if you don't want to.

The JWT token is validated - ???? No documentation available!

Use the ValidateToken method of the JwtSecurityTokenHandler (see the previous link for how to get the JwtSecurityTokenHandler). Docs here: https://msdn.microsoft.com/en-us/library/dn451155(v=vs.114).aspx.

Chris Gillum
  • 14,526
  • 5
  • 48
  • 61
  • 5
    Chris, I happen to be looking for the same information and I agree with the OP that the documentation from Microsoft is lacking. Not all of use can also be expert in authentication protocols; there is an assumption here that there's no point in re-inventing the wheel when it comes to authentication and that it should "just work". Furthermore, the documentation currently in the community is quite fractured as the libraries have been updated in the last year yet is still sorely lacking when it comes to authn/authz with Functions. – Charles Chen Sep 02 '19 at 21:03
1

I created an Azure Functions input binding for JWT Token Validation. You can use this as an extra parameter with the [JwtBinding] attribute. See https://hexmaster.nl/posts/az-func-jwt-validator-binding/ for source and NuGet package information.

Eduard Keilholz
  • 820
  • 8
  • 27
0

Basically Azure Functions built on top of ASP.NET Core. By making some dependency injection tricks you could add your own authentication and policy-based authorization. I created demo solution with JWT authentication just for fun, beware to use it on production.

Alexander Yushchenko
  • 51
  • 1