
I'm using an Azure AD Authenticated Azure Function. Everything works fine when deployed on Azure.

    [FunctionName("ExportT")]
    public static async Task<IActionResult> ExportT(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req, ClaimsPrincipal principal,
        ILogger log)
    {
        // Return the value of every claim on the bound ClaimsPrincipal
        var c = principal.Claims.Select(x => x.Value);

        return new OkObjectResult(c);
    }

Returns:

[ "38a1e83b-c1d3-4fd7-bdc6-ef2447", "https://sts.windows.net/635e38ef-108e-4a26-b718-bbd532/", "1564501257", "1564501257", "1564505157", "42FgYFCuNWnL3ROWG9x3p4EzN3+c/6u8Gh5jV7sT0A", "pwd", "test", "test", "92.169.93", "test", "36fbab-425b-9d65-b2425ef3d9bf", "a1c1ee35-67ab-4f3a-2877c5580b1e", "ES_SALARIED", "XboeusxsxyvnjhCT_vJHkzncPE2JBU58Q50", "635e38ef-26-b718-bbd960991532", "testdedev@ins.coop", "testdedev@ins.coop", "PJ0vEo70o0G__HrwX8ghAA", "1.0" ]

But when executing locally with VS2019 I get:

[ "Admin" ]

Any idea?

Regards,

  • I assume in Azure you have secured your Function with Azure AD auth?! If so, this is obviously not in place when running locally. – silent Jul 30 '19 at 18:50
  • Yes, you're right, but because I'm passing an authorization header I was hoping to be able to get my identity available in ClaimsPrincipal :( Looks like it's not as simple (as explained here: https://stackoverflow.com/questions/44587136/how-to-get-current-user-identity-in-azure-function-with-azure-authentication/48240085#48240085). I suppose I need to mock some identity object to use locally. – Sauget Charles-Henri Jul 30 '19 at 18:57
  • What are you trying to achieve here? – HariHaran Jul 31 '19 at 04:31
  • Trying to use my ClaimsPrincipal object the same way locally as when deployed .... be able to retrieve the authentication the same way (as my example does). – Sauget Charles-Henri Jul 31 '19 at 17:17
  • Maybe you can cross check your access policies to give admin the same rights as the identity your app runs on in Azure. This would give you the same result I believe. – nldev Aug 14 '19 at 13:46

1 Answer

The closest I could find to getting this to work was this, using these examples from this repo (commit at the time of writing).

In the example AuthenticationService I added context.User = claimsPrincipal; after validating the claim.

From there, I can do the following on my HTTP Triggers:

    [Authorize]
    [FunctionName("AuthTest")]
    public async Task<IActionResult> AuthTest(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "test")] HttpRequest req)
    {
        // Current user identity returned
        // (quickly thrown together as you get a circular reference error when converting to JSON):
        return new OkObjectResult(
            req.HttpContext.User.Identities.Select(x =>
                new
                {
                    Claims = x.Claims.Select(y => new
                    {
                        y.Type,
                        y.Value,
                        y.Issuer,
                        y.Properties
                    }),
                    x.Name,
                    x.Actor,
                    x.AuthenticationType,
                    x.NameClaimType
                }));
    }

Coming in Cold?

Providing you have an access token, you can then do a GET: http://localhost:7071/api/test with a JWT token in your header.

E.g.: [screenshot of the GET request with the Authorization header, image not available]

You will also need to

Caveats

This isn't using "easy auth". I opted for this approach as I wanted to use MSAL.NET which supports AAD V2. I found AAD V2 isn't yet supported:

At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates. Ref

I had a real fight getting this far. Easy auth doesn't seem like an option if you need to test your apps before pushing to production. Even after this answer, I have no idea how you can make authorization as simple as a normal Web API policy approach.

Ste Pammenter
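The question's function relies on the ClaimsPrincipal binding, which is only populated by the platform's Easy Auth once deployed, and the answer works around that by validating the bearer token itself and assigning the result to the request's user. The following is an added example of that approach, not code from the question, the answer, or the linked repo: an in-process Azure Function helper that reads the Authorization header, validates the JWT against the tenant's published OpenID Connect signing keys, sets HttpContext.User, and fails closed with 401 otherwise. The tenant id, audience, function name and route are placeholders; the package references (System.IdentityModel.Tokens.Jwt, Microsoft.IdentityModel.Protocols.OpenIdConnect) and the v2.0 metadata endpoint are assumptions that match the answer's MSAL/AAD v2 setup.

```csharp
// Added example: bearer-token validation inside an in-process Azure Function so the
// same principal is available locally and when deployed. Not from the original post.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BearerTokenAuth
{
    // Placeholder values (assumed, not from the page): replace with your tenant and app registration.
    private const string TenantId = "<your-tenant-id>";
    private const string Audience = "<your-app-client-id-or-app-id-uri>";

    // v2.0 metadata matches MSAL-issued tokens (issuer https://login.microsoftonline.com/{tenant}/v2.0).
    // A v1 token, whose issuer is https://sts.windows.net/{tenant}/ as in the question's output,
    // needs the v1 document: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
    private static readonly IConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());   // caches metadata and signing keys

    // Returns the validated principal, or null when the request carries no valid bearer token.
    public static async Task<ClaimsPrincipal> ValidateAsync(HttpRequest req, ILogger log)
    {
        string header = req.Headers["Authorization"].FirstOrDefault();
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return null;
        string token = header.Substring("Bearer ".Length).Trim();

        OpenIdConnectConfiguration oidc = await ConfigManager.GetConfigurationAsync(default);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = oidc.Issuer,              // issuer published by the tenant metadata
            ValidAudience = Audience,               // reject tokens minted for a different API
            IssuerSigningKeys = oidc.SigningKeys,   // signature checked against published keys
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        try
        {
            ClaimsPrincipal principal =
                new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            req.HttpContext.User = principal;       // the assignment the answer adds after validation
            return principal;
        }
        catch (SecurityTokenException ex)
        {
            // Expired, wrong audience/issuer, bad signature: log and treat as unauthenticated.
            log.LogWarning(ex, "Bearer token rejected");
            return null;
        }
    }

    [FunctionName("WhoAmI")]
    public static async Task<IActionResult> WhoAmI(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "whoami")] HttpRequest req,
        ILogger log)
    {
        ClaimsPrincipal principal = await ValidateAsync(req, log);
        if (principal == null)
            return new UnauthorizedResult();        // fail closed: no valid token, no data

        // Same projection as the question, but as type/value pairs so the JSON is readable.
        return new OkObjectResult(principal.Claims.Select(c => new { c.Type, c.Value }));
    }
}
```

Run the host locally and call GET http://localhost:7071/api/whoami with an Authorization: Bearer header; the same code path runs after deployment, so the claims come out identically in both places instead of the "Admin" placeholder principal. Keeping the metadata manager static matters in production: it caches the signing keys and refreshes them on rotation, rather than fetching the discovery document on every request.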