Share via

Automatically Authentication with Microsoft Entra ID on an Azure Function using OAuth2

Andrew Kelly 0 Reputation points
2024-07-11T08:07:19.2766667+00:00

I have recently added microsoft entra ID to an azure function using the identity provider, which works well - every time my azure function is triggered in a new browser session/in postman etc, the user is prompted to login using their microsoft credentials as expected.

However, I am regularly calling the azure function from a separate application (the same application whose app registration credentials were used for the entra ID setup) - this function already requires entra ID login, and having to log in a second time when the azure function is called is proving difficult.

I know my application is storing user credentials from login (such as an OAuth2 token or something similar), I am wondering is there a way to use the existing user login credentials from the app so skip the second entra ID step for my azure function?

I have attached an image of the settings. There are currently no entra ID related steps in the azure function code (python) - it simply reads from a blob storage using managed identity. If I need to add something there I would appreciate help on that as I'm not sure where to start really. Thank you

Screenshot 2024-07-11 090217

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,146 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,937 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,229 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pinaki Ghatak 4,690 Reputation points Microsoft Employee
    2024-07-12T10:02:53.5166667+00:00

    Hello @Andrew Kelly

    One way to achieve this is by passing the OAuth2 token obtained from the initial login to the Azure Function in the request headers. To do this, you can modify your application to include the OAuth2 token in the request headers when calling the Azure Function. In your Azure Function code (Python), you can then extract the token from the request headers and use it to authenticate the user. Here's an example of how you can extract the OAuth2 token from the request headers in Python: 

    import os
import jwt
def main(req):
	token = req.headers.get('Authorization').split(' ')[1]
	decoded_token = jwt.decode(token, os.environ['JWT_SECRET'], algorithms=['HS256'])
	user_id = decoded_token['sub']
	# Use the user_id to authenticate the user and perform the necessary actions

    In this example, we are assuming that the OAuth2 token is passed in the Authorization header using the Bearer scheme. We extract the token from the header and decode it using the JWT library. We then extract the sub claim from the decoded token, which contains the user ID. You can use this user ID to authenticate the user and perform the necessary actions. Note that you will need to set the JWT_SECRET environment variable in your Azure Function app settings to the same value that was used to sign the OAuth2 token in your application.

    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.