Active Directory Authentication and Azure functions: combining non signalR functions with SignalR functions

Bubba Jones 206 Reputation points
2023-08-14T12:24:44.7333333+00:00

TLDR; I am using both azure functions and azure functions with signalR. According to my reading, azure functions and azure functions with signalR both have their respective Active Directory Authentication routines. I want to avoid a situation where my users sign in twice with Active Directory Authentication just to have access to both server side resources.

I have a .NET (MAUI) client app and an azure functions (.NET) backend app. Some of my backend azure functions will use signalR and others will not. I am working on trying to implement end to end authentication for my backend functions app using Active Directory.

Azure functions (with no signalR) have this "Configure your App Service or Azure Functions app to use Azure AD login" authentication routine. Azure functions signalR have this "Authorize request to SignalR resources with Azure AD from Azure applications" authentication routine. Considering I will use both non-signalR and signalR based azure functions, how do I avoid a situation where the user has to visually sign in twice? Or can a user be signed in "behind the scenes" to access SignalR resources?

This question extends to the client side as well. Azure functions (non signalR) are invoked via a standard HttpClient and azure functions with signalR are invoked with a HubConnection client. How does authentication work when you need to invoke both in your client app? Can one pass an authentication token from the HttpClient to a HubConnection client? Should one authenticate separately with both the HttpClient and HubConnection?


2 answers

  1. MuthuKumaranMurugaachari-MSFT 22,146 Reputation points
    2023-08-22T14:29:39.8533333+00:00

    Bubba Jones, thanks for posting your question in Microsoft Q&A. Sorry for the delay in response. From the description above, you are referring to the AD authentication docs for Azure Functions and SignalR, and both provide a scenario where you set up an app registration and generate an authorization token via the client credentials flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).

    However, if you are looking for users to sign in to your client app (MAUI), then use "Authentication flow without provider SDK" (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow), where users can sign in to the provider, generate a token and then submit the token to Azure Functions and SignalR for validation. Check out "Customize sign-ins and sign-outs"; this way, you don't have to require users to sign in multiple times either.

    I hope this helps and let me know if any questions.

    1 person found this answer helpful.

  2. david iwuoha 100 Reputation points
    2023-10-28T16:12:18.55+00:00
    To avoid a situation where a user has to sign in twice for Azure Functions with and without SignalR, you can set up your Azure Functions and SignalR to share the same authentication mechanism. This can be achieved by using Azure AD authentication for both your Azure Functions and SignalR endpoints, and then using the acquired authentication token for accessing both resources. Here's how you can approach this:
    
    1. **Azure AD Authentication for Azure Functions (with and without SignalR):**
       - Configure your Azure Functions app to use Azure AD authentication as you've described for Azure Functions without SignalR.
       - For Azure Functions with SignalR, you can follow the authentication routine you mentioned for authorizing requests to SignalR resources with Azure AD.
    
    2. **Client-Side Authentication:**
       - In your client app (e.g., .NET MAUI), authenticate the user using Azure AD once, and obtain an access token.
    
    3. **Accessing Azure Functions (Non-SignalR) from Client:**
       - When invoking Azure Functions (non-SignalR) from your client app, you can include the Azure AD access token in the `Authorization` header of the HTTP request. This token should grant access to both Azure Functions with and without SignalR.
    
    4. **Accessing Azure Functions with SignalR from Client:**
       - For invoking Azure Functions with SignalR, you can set up a SignalR connection and use the same Azure AD access token obtained during the initial authentication. You should attach the access token as a bearer token in the `Authorization` header of the HubConnection.
    
    By using the same access token for both Azure Functions and SignalR, you ensure that the user is authenticated seamlessly across both resources, and they won't need to sign in again visually. The key is to manage the token correctly and pass it to the respective resources.

    Remember that managing access tokens securely is crucial, and you should ensure that tokens are refreshed as needed and properly secured in your client app. Additionally, make sure to configure your Azure AD app registration with the necessary permissions for both Azure Functions and SignalR resources.
    
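
The single sign-in approach described in the second answer, as an added example that is not code from either answer or from Microsoft's documentation: one MSAL token source feeds both the `HttpClient` calls and the `HubConnection`, so the user is prompted at most once and each transport picks up refreshed tokens. Assumptions: the NuGet packages `Microsoft.Identity.Client` and `Microsoft.AspNetCore.SignalR.Client`, a negotiate function at the `negotiate` route under `/api/`, and every angle-bracket value (client ID, tenant, redirect URI, scope, host) being a placeholder; the class and method names are hypothetical, and platform-specific MSAL setup for MAUI is outside the example.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.SignalR.Client;
using Microsoft.Identity.Client;

public sealed class BackendClient
{
    // Placeholders (assumptions): replace with your own app registration values.
    private const string ClientId = "<client-app-id>";
    private const string TenantId = "<tenant-id>";
    private const string RedirectUri = "<redirect-uri-registered-for-the-client>";
    private static readonly string[] Scopes = { "api://<functions-app-id>/<scope-name>" };
    private static readonly Uri ApiBase = new("https://<your-function-app>.azurewebsites.net/api/");

    private readonly IPublicClientApplication _msal = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithRedirectUri(RedirectUri)
        .Build();
    private readonly HttpClient _http = new() { BaseAddress = ApiBase };

    // One token source for both transports: cached/refreshed silently, interactive only when required.
    private async Task<string> GetTokenAsync()
    {
        var account = (await _msal.GetAccountsAsync()).FirstOrDefault();
        try { return (await _msal.AcquireTokenSilent(Scopes, account).ExecuteAsync()).AccessToken; }
        catch (MsalUiRequiredException) { return (await _msal.AcquireTokenInteractive(Scopes).ExecuteAsync()).AccessToken; }
    }

    // HTTP-triggered function: set the bearer token per request so an expired token is never reused.
    public async Task<string> CallFunctionAsync(string route)
    {
        using var req = new HttpRequestMessage(HttpMethod.Get, route);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync());
        using var resp = await _http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }

    // SignalR: the client calls the provider when it connects, so negotiate carries the same Azure AD token.
    public HubConnection BuildHub() => new HubConnectionBuilder()
        .WithUrl(ApiBase, o => o.AccessTokenProvider = async () => await GetTokenAsync())
        .WithAutomaticReconnect()
        .Build();
}
```

The scope must target the app registration that protects the Functions app, so that the token's audience matches what the Functions authentication layer validates for both the plain HTTP functions and the negotiate function.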