How to Implement Easy Auth for Azure Function called from B2C Auth APIM

hampton123 1,175 Reputation points
2023-08-11T17:09:15.38+00:00

I have an APIM instance that is hosted with an Azure Function. The Azure Function in APIM calls a secondary Azure Function that manipulates blobs in my Azure Storage account. To access the APIM instance, the user first signs in through B2C, which generates a jwt token. I'm sending the jwt token through the API which uses an Azure Function. This first Azure Function sends the blob manipulation request and token to a second Azure Function, which performs the blob manipulation. I want the secondary Azure Function to validate the jwt token generated by B2C before running. How would I go about doing that? I was thinking about using easy auth through adding an identity provider, but I'm not 100% sure how to do that.

Please let me know if any more information is required, or if anything needs clarification.

Edit: Fixed because I did not initially explain that I had more than one Azure Function in the system.


Accepted answer
  Hugo Barona 406 Reputation points MVP
    2023-08-11T17:58:03.8466667+00:00

    Hi Hunter,

    It works with Easy Auth.

    You have this great video showing step by step how to do it - https://youtu.be/EmaHxGOzwS8?t=2064

    Also, this blog post explains it step by step - https://dev.to/425show/azure-app-service-authentication-ez-auth-with-azure-ad-b2c-30k4

    Note: They are both using App Service as the example. Azure Functions has a little (important) difference. After you enable Easy Auth, you need to ensure you set all your functions to anonymous on the authorization level; otherwise, it will not work because, by default, the function will require the function key to authorize the request. So essentially you are disabling the authorization at the function runtime and leveraging the authentication at the App Service level.

    Edit: So let me try to explain the different flows:

    • APIM to Az Function 1 - You need to enable managed identity on APIM and then use policies, as per this link, to get a token using the APIM's MI and then set the Authorization header on the request to the backend (Function). Remember that after enabling APIM's Managed identity, you need to do a Role assignment for that identity on the Function to be called (contributor role works).
    • Az Function 1 to Az Function 2 - I would enable MI on the Az Function 1 and do a role assignment of Fn 1's MI on the Fn 2 (as you did for APIM). Then you can install MSAL library in your function and use the library to request an access token from AAD using the MI assigned to the function. Then you make the call from Fn1 to Fn2 and send that token in the Authorization header.
    • Fn2 is using Easy Auth, so the authorization happens at the App Service level. When the function receives the request, you just need to extract the token from the Authorization header and validate it, using MSAL again.

    That's what I would do!


    (If the reply was helpful, please don't forget to upvote and/or accept it as the answer, thank you)

    Regards
    Hugo Barona

    1 person found this answer helpful.
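The last bullet of the accepted answer (Fn2 sits behind Easy Auth but still has to check who called it) as an added Python example, not code from the original post or from Microsoft: it decodes the `X-MS-CLIENT-PRINCIPAL` header that App Service Authentication injects once it has validated the token signature, and rejects requests whose issuer or audience claims do not match the expected B2C tenant and app registration. The issuer and client-id values are placeholders, and the sample header value is constructed for the example.

```python
import base64
import json

# Placeholders: substitute the issuer of your B2C tenant/policy and the client id
# of the app registration that protects Function 2.
EXPECTED_ISSUER = "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
EXPECTED_AUDIENCE = "11111111-1111-1111-1111-111111111111"

PRINCIPAL_HEADER = "x-ms-client-principal"


def decode_client_principal(header_value):
    """Decode the base64 JSON principal Easy Auth injects into a {claim: [values]} dict.

    Claims arrive as a list of {"typ": ..., "val": ...}; repeated types (e.g. roles)
    are collected into lists so nothing is silently dropped.
    """
    raw = base64.b64decode(header_value + "=" * (-len(header_value) % 4))
    principal = json.loads(raw)
    claims = {}
    for c in principal.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    return claims


def authorize_request(headers):
    """Return (allowed, reason) for an incoming request's header dict."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(PRINCIPAL_HEADER)
    if not value:
        # No principal: Easy Auth did not authenticate the caller (or is not
        # enabled in front of this function), so treat the request as anonymous.
        return False, "no authenticated principal"
    try:
        claims = decode_client_principal(value)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed principal header"
    if claims.get("iss") != [EXPECTED_ISSUER]:
        return False, "unexpected issuer"
    if EXPECTED_AUDIENCE not in claims.get("aud", []):
        return False, "unexpected audience"
    return True, "ok"


def make_principal(claims):
    """Build a constructed header value in Easy Auth's format (sample input only)."""
    body = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles",
            "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(body).encode()).decode()
```

Calling `authorize_request` with a constructed header such as `{"X-MS-CLIENT-PRINCIPAL": make_principal([("iss", EXPECTED_ISSUER), ("aud", EXPECTED_AUDIENCE)])}` returns `(True, "ok")`; a missing header, a wrong issuer or a wrong audience is rejected with the matching reason.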
