
I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.

Initially I was using easy-auth, Azure's out-of-the-box solution for securing functions apps. However, according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possible to use the same authority for two different flows with a single app registration?

I'm making the assumption (perhaps incorrectly) that the above is true and that I have to implement JWT validation on my own.

Is there any reliable way to tell whether an API is being called by a machine or by a human?

Should I still do it with two separate app registrations?

My understanding of these technologies might be inadequate to properly ask the question; please let me know if I can do anything to clarify the question.

Gustav Eiman

1 Answer


As far as I know, you can use the client credentials flow to call an Azure function that is protected by easy-auth (AAD as auth provider). Generally, you can try the steps below:

  1. Register an Azure AD App
  2. Get an access token from Azure AD with the request below:

URL:

POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token

Header:

Content-Type: application/x-www-form-urlencoded

Body:

client_id=<your new registered app ID>&
client_secret=<your new registered app secret>&
resource=<your Azure function app ID which is configured at easy-auth>&
grant_type=client_credentials

Result: (screenshot of the token response)

Use this access token to call the Azure function: (screenshot of the request)

If you are using Azure AD B2C, please provide me with more detailed info, and I'll do some research for you.

Stanley Gong
  • I am having a hard time spotting the difference between AAD and AAD B2C... But if I am understanding it right it is what I am using. To make this work did you have to assign application permissions? – Gustav Eiman Nov 11 '19 at 09:27
  • Also thank you! Regarding B2C: My API should only be accessible to users in our AAD. I have a single app registration that exposes the API with a single scope called user_impersonation. The registration also has User.Read permissions for the Graph API. Is this helpful or is there any other info I should provide? – Gustav Eiman Nov 11 '19 at 09:36
  • You were correct, I tried using the client credentials flow again and it worked as intended. – Gustav Eiman Nov 11 '19 at 10:42
  • How is the token getting validated at the backend in .NET Core? What authentication scheme are you using? Is it [HttpTrigger(AuthorizationLevel.System, "get", Route = null)] HttpRequest req, ILogger log)? In the screenshot of the link you provided, it is not clear how the token is getting validated. I'm using scope as :api:///.default – Rahul Dev Jan 20 '21 at 06:50
  • This is not working with a custom Open ID Connect Provider. I get a 401 Unauthorized. It is not clear how to set the scope for the Function App. – Bart VdA Jan 20 '22 at 16:48
  • Hi Stanley. Thanks for this answer. Please could you clarify where I can find ? I am struggling to locate an ID for my function app. – Mike Mar 29 '23 at 14:29
  • @Mike Sorry for the late response, I hope it could be helpful for you. You can find that id on Azure portal => your Azure function => Authentication. If there is no id, you can configure one for it. – Stanley Gong Apr 14 '23 at 09:32
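The client credentials request from the answer above, plus the machine-vs-human question from the original post, as an added example that is not part of the thread. It builds the v1 token request exactly as the answer lays it out, decodes a token's payload for inspection, and classifies the caller from the `scp`/`idtyp` claims; the placeholder values, the `constructed_token` helper and the sample claims are constructed for illustration, not taken from the page.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders standing in for the values the answer tells you to fill in (constructed).
TENANT = "<your tenant ID/name>"
CLIENT_ID = "<your new registered app ID>"
CLIENT_SECRET = "<your new registered app secret>"
FUNCTION_APP_ID = "<your Azure function app ID configured at easy-auth>"


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, headers, body) for the client_credentials request in the answer.

    This is the Azure AD v1 token endpoint, which takes `resource` (the app ID
    easy-auth is configured with) instead of a `scope` parameter.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "resource": resource, "grant_type": "client_credentials"})
    return url, headers, body


def decode_jwt_payload(token):
    """Base64url-decode a JWT payload WITHOUT verifying the signature.

    For inspection only: easy-auth (or your own JWT middleware) must verify the
    signature, issuer, audience and expiry before any claim here is trusted.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def caller_kind(claims, expected_audience):
    """Classify an already-verified token as 'app' (client credentials) or 'user'.

    A client_credentials token has no signed-in user, so it carries no `scp`
    claim, and tokens with the optional `idtyp` claim enabled say `idtyp: app`.
    An authorization_code token carries `scp` with the delegated scopes
    (for this API, `user_impersonation`).
    """
    if claims.get("aud") != expected_audience:
        raise ValueError("token was not issued for this API")
    if claims.get("idtyp") == "app" or "scp" not in claims:
        return "app"
    return "user"


def constructed_token(claims):
    """Build an UNSIGNED JWT from `claims`; constructed sample input only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Because easy-auth already validates the token before the function runs, the function body only needs the `caller_kind` decision to route machine and human callers differently.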