From Azure Function (secured by AAD), how to properly detect the caller (the end-user of SPFx WebPart) through the AadHttpClient?

Question

Note: Both Azure Function and the SPFx WebPart mentioned below are written in NodeJS/JavaScript. None of them are in C#.

I have an Azure Function (secured by AAD: App Registration) which is being called by AadHttpClient via SPFx WebPart on a SharePoint page. The SPFx codes look like this:

return new Promise<void>((resolve: () => void, reject: (error: any) => void): void => {
    this.context.aadHttpClientFactory.getClient("XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX") // <--- This is the AAD Client App Id.
    .then((client: AadHttpClient): void => {
        
        client.post("https://myAzureFunctionName.azurewebsites.net/api/HttpTrigger1", AadHttpClient.configurations.v1, {
            body: JSON.stringify({
                data: someData
            })
        })
        .then((res: HttpClientResponse): Promise<any> => {
            return res.json();
        })
        .then((response: any): void => {
            console.log("SUCCESSFUL API RESPONSE:", response); // <--- At this point, I get the respond back from the Azure Function, successfully.
            resolve();
        }, (err: any): void => {
            console.error(err);
        });

    }, err => reject(err));
});

It is working fine except from the Azure Function end, I don't know how to properly detect who/which current SharePoint User is calling this API. The only dirty trick I can use is, of course, to attach the User Information, such as Email Address, (retrieved from _spPageContextInfo object) into the AadHttpClient API call, to the Azure Function.

Question

What is the proper/authentic way in which I can detect the caller (the currently logged in, end-user of SPFx WebPart) through the AadHttpClient, from the Azure Function end? So that I can use the user's Email Address further in the Azure Function.

Appreciate the helps in advance.

score 1 · Accepted Answer · answered Sep 28 '22 at 13:44

1

You can access the current user details from request header properties:

User ID: X-MS-CLIENT-PRINCIPAL-ID
User Name: X-MS-CLIENT-PRINCIPAL-NAME
Claims: X-MS-CLIENT-PRINCIPAL
Identity Provider's ID: X-MS-CLIENT-PRINCIPAL-IDP

Source: From Azure Function (secured by AAD), how to properly detect the caller (the end-user of SPFx WebPart) through the AadHttpClient?

answered Sep 28 '22 at 13:44

Ganesh Sanap

1,386
1
8
18

This is useful only if integrated AAD authentication is enabled. – AlfredoRevilla-MSFT Sep 29 '22 at 06:23

score 0 · Answer 2 · answered Sep 28 '22 at 10:45

0

You can try this: How to get current user identity in Azure Function with Azure Authentication? To get current user info. You can also decode access token You provided to the azure function with this code

var token = "[encoded jwt]";  
var handler = new JwtSecurityTokenHandler();
var jwtSecurityToken = handler.ReadJwtToken(token);

answered Sep 28 '22 at 10:45

Marcin Wojciechowski

381
1
4

Hi, thanks much for helping out. Unfortunately I forgot to mentioned that I didn't use C# solutions as I'm not fluent in C#. Both of my Azure Function and SPFx WebPart are written in NodeJS/JavaScript. And after studying the link you shared, I don't think "ClaimsPrincipal" Class is available in non-C# languages. – 夏期劇場 Sep 28 '22 at 12:36
1

In that case You can check if there is x-ms-client-principal-name header present in the request (https://stackoverflow.com/questions/59292572/get-current-authenticated-username-via-azure-function-on-node-js) or get the bearer from Authorization header and decode it (https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library) User id is present in every jwt token – Marcin Wojciechowski Sep 29 '22 at 13:17

score 0 · Answer 3 · edited Oct 07 '22 at 08:31

As @marcin-wojciechowski suggests, you can decode the JWT token attached within the Authorization header and read its claims.

Here is some sample code:

const jwt_decode = require("jwt-decode");

module.exports = async function (context, req) {

    const { headers } = req;
    const { authorization } = headers;

    const token = authorization.split("Bearer ")[1];
    const decoded = jwt_decode(token);

    //  returning the user object id
    context.res = {
        body: JSON.stringify(decoded.oid)
    };
}

From Azure Function (secured by AAD), how to properly detect the caller (the end-user of SPFx WebPart) through the AadHttpClient?

Question

3 Answers3