4

I have an Azure Function (tried both Windows and Linux Consumption) using Azure App Service Authentication (Easy Auth) with a custom OpenId Connect provider to authenticate my Azure Function with an http trigger.

I configured a client in my Identity Provider (based on Duende Identity Server), acquired a token and then sent a request to the Azure Function (contains just the code that is initially created by Visual Studio when creating a Function App project).

This is the configuration I made in the Azure Portal: [image: the Easy Auth configuration in the Azure Portal]

When I now send the request to the Azure function endpoint I always get the following error:

{
    "code": 401,
    "message": "IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'."
}

I didn't find any option to configure an audience in the Azure Portal or via the Azure CLI, and there's no documentation on what the audience has to look like to be accepted.

I also found a Github issue describing basically the same error: https://github.com/MicrosoftDocs/azure-docs/issues/72019

How can I either see what valid audiences are, configure a valid audience in Azure AppService Authentication or fix that error altogether?

PS: If I disable the authentication in Azure obviously the function is triggered and returns a response.

Mike1991
  • I have the same issue. I have tried some different setups, but all return the same error. – Kiksen Dec 15 '21 at 19:08
  • @Mike1991 What does your JWT token look like? I mean, the one you send to the Azure function. Looking at the error description, it probably doesn't contain any `aud`ience, and that is a possible reason why Azure is complaining. I am not familiar with the identity provider you cited, although it seems that it could provide an audience value when [configuring an API resource](https://docs.duendesoftware.com/identityserver/v5/fundamentals/resources/api_resources/). Does it make sense to you? – jccampanero Dec 16 '21 at 22:18
  • The token contains an audience and I can define the audience in the token to be whatever is needed, but unfortunately it is nowhere documented what the value should look like, and looking in the source code of EasyAuth is also not possible because it isn't publicly available on Github – Mike1991 Dec 17 '21 at 05:44
  • Thank you very much for the feedback @Mike1991. I see, sorry, in some cases that is the problem. In a usual use case, the audience should match the Application ID URI obtained when exposing the function as an API; please consider reading, for instance, [this article](https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad#-create-an-app-registration-in-azure-ad-for-your-app-service-app) or this [blog entry](https://www.luminis.eu/blog/cloud-en/securing-your-azure-functions-with-microsoft-azure-ad-easyauth/), but I do not know if it could be applicable to your use case. – jccampanero Dec 17 '21 at 12:04
  • Well, I use a custom OpenID provider (based on Duende Identity Server), therefore the question is what could be the counterpart to the Application ID URI in my case? – Mike1991 Dec 17 '21 at 16:06
  • @Mike1991 Have you tried providing the client id of the application according to Duende Identity Server? I mean, according to the product documentation, it seems you should provide a client ID in Duende Identity Provider when your application is registered in the service. Have you tried providing that value as your audience? On the other hand, have you tried providing some identification - app name, full url - about your Azure function as the audience value? – jccampanero Dec 17 '21 at 22:27
  • In the az cli, using the cloud shell, for instance, try obtaining information about your function auth configuration. Try something like: `az webapp auth show --name --resource-group `. It may give you some clues as well. – jccampanero Dec 17 '21 at 22:36
  • Yeah, I tried the app name, the full URL, a partial URL; nothing worked out. I also used the Azure CLI and the Azure Resource Explorer to view settings, but no clue. I'm not sure whether I also tried the client ID, will try that asap, thank you for that hint. – Mike1991 Dec 18 '21 at 06:47
  • You are welcome @Mike1991. I hope the client ID approach helps you. – jccampanero Dec 18 '21 at 22:24

1 Answer

4

You should try using the Client ID as the scope while generating the token.

In some cases appending /.default to the scope helps. Example eda25bbe-a724-43ba-8fa3-8977aba6fb36/.default.

Omkar Khair
  • That did the trick, both only the ClientId or the ClientId/.default are supported (even for a custom Identity Provider) – Mike1991 Dec 20 '21 at 06:29
  • What does specifying the `/.default` scope do vs specifying some other scope? This answer worked for me as well, but I'm trying to figure out why it worked. I was previously getting the "Audience validation failed" message until I switched the loginRequest scope to /.default – joshft91 Jun 22 '22 at 20:52
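A small diagnostic that checks a token's `aud` claim against the two audience forms the answer and the follow-up comment report as accepted (the bare client ID, or the client ID with `/.default` appended). This is example code added here, not Easy Auth's own validation logic (which, as noted above, is not public) and not code from the thread; the client ID is the one quoted in the answer, the tokens are constructed locally with HS256 purely so the check runs offline, and the signature is deliberately not verified because the point is to inspect what you are about to send, not to authorize anything.

```python
import base64
import hashlib
import hmac
import json

# Client ID quoted in the answer above; substitute the client ID configured
# for the provider in the Function App's Easy Auth settings.
CLIENT_ID = "eda25bbe-a724-43ba-8fa3-8977aba6fb36"


def accepted_audiences(client_id):
    """Audiences reported as accepted in the thread: <id> and <id>/.default."""
    return {client_id, f"{client_id}/.default"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(claims, secret):
    """Mint a constructed HS256 JWT so the check can run offline (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token):
    """Return the payload claims without verifying the signature: this inspects
    what you sent, it is not an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token, client_id=CLIENT_ID):
    """Tell whether any aud value would pass the audience check described above.
    RFC 7519 allows aud to be a single string or a list of strings."""
    aud = decode_claims(token).get("aud")
    if aud is None:
        return False, "token carries no aud claim"
    auds = [aud] if isinstance(aud, str) else list(aud)
    hits = sorted(set(auds) & accepted_audiences(client_id))
    if hits:
        return True, f"aud {hits[0]} is accepted"
    return False, f"aud {auds} matches neither {client_id} nor {client_id}/.default"
```

Run `audience_matches()` on the token your provider issues before sending it to the function: a `False` result with the function URL or app name as `aud` reproduces the IDX10214 situation from the question.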