Wanted: Example of using ASP.NET inside Azure Function for Role Based Authorization with Azure AD

Siegfried Heintze 1,861

Since I'm implementing an AJAX REST service in a Azure Function for various Azure AD B2C front ends (blazor server, blazor webasm & angular), I believe it is necessary to implement authentication and authorization in the front end and back end azure functions.

To be consistent with role based authorization in ASP.NET razor apps, I'm thinking I would like to use the C# attributes as demonstrated here: https://learn.microsoft.com/en-us/answers/questions/271969/how-to-add-authorization-to-basic-aad-b2c-web-app and specifically in the github example here: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles

Can someone point me to an example implementing Role based authorization & authentication via the C# attributes (or annotations) feature inside an azure function? Can I do it with ASP.NET just like we do with razor apps?

Since I realize that doing authorization in Azure AD B2C is a bit exotic, an Azure AD B2B example might suffice.

Since I am presently grabbing and printing the claims (including my role) from the header in my sample Azure Function, it seems that it would be easy to do a string compare to implement authorization (but that would be clumsy).

Cannot I just use some ASP.NET nuget packages and create some policies for use in C# attributes like Alfredo does in the above link (see Alfredo's reference to his github example)?

Apparently not according to this: https://stackoverflow.com/questions/68225375/how-can-i-use-authorize-attributes-in-httptrigger-of-azure-function and this https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4. But I see from that stack overflow link that there is a 3rd party implementation: https://github.com/dark-loop/functions-authorize. I will give this a try. I was assuming (and now hoping) to find a solution supported by Microsoft.

This seems very strange to me. Does not everybody need to do authorization inside their azure functions?

Since I'm using Azure API Mgt (APIM) I suppose could create custom policies for different roles (for B2C this would be custom attribute called "role").

Maybe I should consider this approach? perhaps someone could point me to an example of this approach for role based authorization?

Thanks

Siegfried

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-07T09:52:51.6066667+00:00

@Siegfried Heintze Just following up to check if the below answer helped. If that answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. I would be happy to help.

1 answer

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-05T04:13:46.5066667+00:00
@Siegfried Heintze Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Firstly, Apologies for the delayed response here!

I understand you are looking for an example/sample code snippet for using ASP.NET inside Azure Function for Role Based Authorization with Azure AD. To answer your question, it is possible to use AAD RBAC integration with Function App to authorize the request. This can be achieved by using the Authorize attribute to enable authorization for the given function. This also allows to apply authorization for selected functions and can be extended to also incorporate app roles.

[Authorize] [FunctionName("SampleFunction")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sample")] HttpRequest req, ILogger log, ClaimsPrincipal user) {..... .....

Also note that you have the flexibility to extended and incorporate app roles using [Authorize("admin")].

More Information:
Setting up the Function App, Validate Access Token and using Custom Authorize Attributes are all explained here. Another sample code which does the Authentication & Authorization with Azure Active Directory in .NET Azure Function Apps is here.

Related article:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant

Hope this helps.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Siegfried Heintze 1,861 Reputation points

2023-06-08T22:57:27.4266667+00:00

Ah hah! Thanks for those great links! They are just what I was looking for. I finally had time to look at them (sorry for the delay, I had some other urgent distractions).

Let's suppose I have a single function inside the Azure Function App and I have authorization roles of worker, crewchief & admin and I also want to accommodate anonymous users not logged in.

I want to implement the logic in C# so that anonymous users can only access sample data as read only, logged in workers can only access and modify their own data (phone, address, SSN etc) and their start and stop times for each task they have worked on. The crew chief can create an assign tasks to the workers.

And of course, admins can read or write any/all data.

Question #1:

Can I do this with a single azure function inside a single azure function app using the authorize attribute on multiple C# functions inside the single Azure function inside the single function app?

I have only used the authorize attribute on the MVC controller classes and their member functions and I'm not clear if those are special some how. It would be nice to know if I can use the authorize attribute on any function.

Question #2:

Is this a good idea? Maybe not. But I want to know what my options are.

Question #3:

After reviewing those three links, I cannot find any discussion of B2B authorization v B2C authorization. Last I checked, authorization is not supported for B2C but it is possible to implement B2C authorizaton by creating some custom polices as exemplified here: https://github.com/alfredorevilla/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles-B2C

Is there any reason to believe that there would be any problem using these custom policies that implement B2C authorization with Philipp Bauknecht examples?

Thanks

Siegfried

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-09T07:07:43.1833333+00:00

@Siegfried Heintze Thanks for getting back. Please find below the answers inline to your question:

Answer #1: Yes, you can use the Authorize attribute on multiple C# functions inside a single Azure Function inside a single Function App. The Authorize attribute is not specific to MVC controllers and can be used on any function that is exposed as an HTTP trigger in Azure Functions.

In your case, you can use the Authorize attribute to restrict access to your functions based on the user's role. You can define multiple roles in Azure AD and assign them to your users. Then, you can use the Roles parameter of the Authorize attribute to specify which roles are allowed to access the function. For example:

[Authorize(Roles = "worker, crewchief, admin")] [FunctionName("SampleFunction")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sample")] HttpRequest req, ILogger log, ClaimsPrincipal user) { // Your code logic }

You can also use the AllowAnonymous attribute to allow anonymous access to a function. For example:

[AllowAnonymous] [FunctionName("SampleFunction")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "sample")] HttpRequest req, ILogger log, ClaimsPrincipal user) { // Your code logic }

Answer #2: Whether or not this is a good idea depends on your specific use case and security requirements. In general, it is a good practice to restrict access to your APIs based on the user's role and to use Azure AD for authentication and authorization. This can help prevent unauthorized access to your APIs and protect sensitive data.

Answer #3: Yes, it is possible to implement B2C authorization in Azure Functions. Azure AD B2C is a cloud identity service that enables you to customize and control how users sign up, sign in, and manage their profiles when using your applications. You can use Azure AD B2C to authenticate users and authorize them to access your APIs in Azure Functions.

To implement B2C authorization in Azure Functions, you can follow the steps in this and this article.

Hope this answers.

**

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Siegfried Heintze 1,861 Reputation points

2023-06-13T00:59:21.14+00:00

This looks great! Can I have a few more days to try it out before I mark it as answered?

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-13T04:31:51.42+00:00

@Siegfried Heintze Thanks for your reply. Sure, Please take your time to test this. I shall wait for the reply from you.

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-28T02:53:12.9+00:00

@Siegfried Heintze You had asked for some time to test the above suggestion. So I am following up to check if the above answer helped.

If that answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. I would be happy to help.

Siegfried Heintze 1,861 Reputation points

2023-06-28T22:08:56.6433333+00:00

OK! I'm back!

I have my azure function accessing my Cosmos Database and I'm successfully returning the results of a query to the caller. Hurray!

After studying those links from Phil I don't have (many) more questions (yet!). I've forked his code and I'm ready to give it a try.

I searched Phils article and I'm worried that this code is designed to work with B2B and not B2C because I could not find "B2C" or "business" or "consumer" in his article. Did I miss it? Did he claim that his code works for B2C applications and I missed it?

Please clarify this line of code:

https://github.com/GrillPhil/NetCoreFunctionsAuthSample/blob/master/NetCoreFunctionsAuthSample/Auth/AuthHandler.cs#L21

Here it is (incase the link breaks):

`var userRoles = user.Claims.Where(e => e.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role").Select(e => e.Value);`

Phil is looking for a claim called "role" and I don't have a claim called "role". Is that because mine is a B2C app and Phil is implementing a B2B app?

I do have a claim called "custom_role" because I created an Azure AD custom attribute called "role" and Azure AD prepended "custom_" to it. Phil makes no mention of custom attributes (see https://learn.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0) either.

OK, I'm out of time today... Maybe I can try this out tomorrow? I'm not sure. Thanks for your patience.

Siegfried

navba-MSFT 16,945 Reputation points Microsoft Employee

2023-06-29T05:12:19.26+00:00

@Siegfried Heintze Thanks for getting back. The code appears to be focused on validating access tokens in a general Azure Active Directory (AAD) environment, which can be used for both B2B and B2C scenarios. So it does both token validation and role-based authorization.

Regarding the below code snippet you had mentioned:

var userRoles = user.Claims.Where(e => e.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role").Select(e => e.Value);

This code retrieves the user's roles from the claims. It filters the claims to select only those with the claim type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", which typically represents role claims in Azure AD. The selected claims' values are then extracted and stored in the userRoles variable as a collection.

Example:
{[http://schemas.microsoft.com/ws/2008/06/identity/claims/role]: Admin}
{[http://schemas.microsoft.com/ws/2008/06/identity/claims/role]: Manager}

In Azure AD, role claims can be used to assign specific roles or permissions to users or applications. By filtering and extracting the role claims in this code, the intention is to determine which roles the user possesses and later compare them with the provided valid roles to perform authorization checks.

If that answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. I would be happy to help.

Siegfried Heintze 1,861 Reputation points

2023-07-04T15:51:06.9566667+00:00

This is a test!

Siegfried Heintze 1,861 Reputation points

2023-07-04T15:51:40.94+00:00

2023 Jul 4 Morning update:

Here is my code:

[NetCoreFunctionsAuthSample.Auth.Authorize("global-admin")] [FunctionName("Hello")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req, ClaimsPrincipal claimsPrincipals, ILogger log) { log.LogInformation("C# HTTP trigger function processed a request."); var sb = new StringBuilder(); var identity = req.HttpContext?.User?.Identity as ClaimsIdentity; sb.AppendLine($"<br/>IsAuthenticated: \"{identity?.IsAuthenticated}\""); sb.AppendLine($"<br/>Identity name: \"{identity?.Name}\""); sb.AppendLine($"<br/>AuthenticationType: \"{identity?.AuthenticationType}\""); var count = 0; count = DisplayWorkerTasks(sb, count); foreach (var claim in identity?.Claims)

This is not working and I cannot figure out why. It aways throws Phil's 401 (Unauthorized) exception: even when I am logged in as the global-admin. If I comment out the attribute, I can single step thru my function by attaching my Visual Studio debugger to the cloud resident function app. If I put soft breakpoints in Phil's s code here: https://github.com/GrillPhil/NetCoreFunctionsAuthSample/blob/master/NetCoreFunctionsAuthSample/Auth/AuthorizeAttribute.cs#L16

and here: https://github.com/GrillPhil/NetCoreFunctionsAuthSample/blob/master/NetCoreFunctionsAuthSample/Auth/AuthorizeAttribute.cs#L23

(1) I never hit the break points! Even when I recompile and redeploy using hard breakpoints (System.Diagnostics.Debugger.Break();). How could this be?

I think the problem is here:

public static bool UserIsInAppRole(ClaimsPrincipal user, string[] validAppRoles) { System.Diagnostics.Debugger.Break(); var userRoles = user.Claims.Where(e => e.Type == //"http://schemas.microsoft.com/ws/2008/06/identity/claims/role" "http://schemas.microsoft.com/ws/2008/06/identity/claims/extension_Role" ).Select(e => e.Value); var matchingRoles = userRoles.Intersect(validAppRoles); return matchingRoles.Count() > 0; }

(2) Since I'm running as B2C and not B2B, I don't have a claim called "role". I do have a claim called "extension_Role" however. As you can see, after failing to hit any break points I tried using "extension_Role" instead of "role" and this did not help! No breakpoints were hit and I always got 401 errors when logged in as "global-admin"

I know what claims I have because (as you can see from the first code snippet) I am enumerating all of them and sticking them in a long string buffer that I return to the caller.

(3) Now my main program ("Run") has a logger I could use. How do I access that logger from inside the attribute?

Also: as per your encouragement, I tried putting the attribute on a child function DisplayWorkerTasks that is called by the main "Run" function:

[NetCoreFunctionsAuthSample.Auth.Authorize("loafer")] private static int DisplayWorkerTasks(StringBuilder sb, int count) { var tasks = GetWorkerTasks(); foreach (var workerTask in tasks) { count++; if (count == 1) sb.AppendLine($"<ol>"); sb.AppendLine($"<li>task={workerTask.Details}"); } return count; }

(3) When I comment out the first attribute on the "Run" function, I can single step with the visual studio debugger using the F11 key (but it steps right over the attribute in spite of the hard and soft break points) and this second attribute has no affect and it should be throwing a 401 error because I'm logged in as "global-admin" and I have no "loafer" roles. How can I debug this? It appears that this Attribute only works on the main "Run" function. Is this true?

Thanks for your patience! Sorry to have been so slow to respond! I appreciate your prompt responses!

Siegfried

Siegfried Heintze 1,861 Reputation points

2023-07-04T15:52:08.74+00:00

This is another test, please ignore this.

Siegfried Heintze 1,861 Reputation points

2023-07-10T20:23:54.34+00:00

Mon Jul 10 2023 Update:

Previously, I was adding Phil's code for the authorization attribute by cloning his code, compiling it, and adding a reference to the compiled code in my csproj file and I was getting that strange behavior where it was ignoring my soft and hard break points.

So I tried again. This time I copied Phil's source code to my project and used visual studio to detect that the nuget package Microsoft.IdentityModel.Protocols.OpenIDConnect was missing and install v 6.15.1 and deployed the C# source code with Visual Studio.

This was terrible! Now I was getting 404 errors! So I used Visual studio to deploy the compiled code again and again 404 errors. (Attaching the Visual Studio debugger to the Azure function did not do any good because my Azure API Mgt (APIM) was not able to find the azure function).

So I destroyed the Azure function with powershell and deployed it again with my bicep script (and Visual studio for the C# code) and tried again and again 404 errors!

So I deleted the directory contained by csproj and C# source for the Azure function and used Visual Studio to (re) create a new Azure Function project and restored my original source code (without Phil's Authorizaton Attribute) and used by bicep code to deploy a new azure function. I deployed my original C# source code (no Authentication attribute) again and it started working. And again I added Phils source code and again I added that troublesome nuget package and again 404 errors.

So I delete & destroy everything and started again.

And again I added Phils source code to my working code and added and redeployed and again 404 errors.

So I deleted the source code directory again and recreated project with out Phil's source code and it is working again now (but no Authorization attribute).

Siegfried Heintze 1,861 Reputation points

2023-07-10T20:24:13.51+00:00

This is another nest, please ignore this.
Sign in to comment