How to implement silent login/authorization/authentication REST calls for testing azure functions in Github deployment workflow?

Question

How to implement silent login/authorization/authentication REST calls for testing azure functions in Github deployment workflow?

Siegfried Heintze 1,906

I am working on a github workflow deployment script for the azure functions described here: https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c

In addition to Azure Active Directory (AAD) Authentication, I'm implementing authorization with an AAD extension attribute (or JWT claim).

I need some guidance on how to add an automated REST call to test to my deployment script.

To test that the deployment was successful, I want my github workflow to login to my front end application registration, fetch an access (or bearer) token and make REST calls to my azure functions (via my Azure API Mgt). I also want to do this several times with different accounts (that have different claims) to confirm that authorization is working.

Questions:

I started to follow this example (https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/) but realized that the browser popup would not be compatible with a github workflow. How can my script login in and silently get a bearer token to make the REST call to my azure function? Please point me to an example that specifies the user name & password (via github secrets, of course), silently fetches the bearer token and makes an authenticated REST call using powershell or azure cli.
What is your favorite testing framework for github deployment scripts? I found Pester (https://techcommunity.microsoft.com/t5/azure-developer-community-blog/test-your-powershell-code-with-pester/ba-p/2835759) , maybe I'll give it a try. Do you have a testing framework you like better?
Normally I do az ad sp create-for-rbac --name $sp --sdk-auth --role contributor --scopes $id` and store the resulting JSON in the github repository secret calls AZURE_CREDENTIALS. Is the role of contributor going to be sufficient for impersonating a user that logs in?

Thanks again!

Siegfried

1 answer

Your answer

Answer 1

MuthuKumaranMurugaachari-MSFT 22,441 Moderator

Siegfried Heintze Thanks for posting your question in Microsoft Q&A. I assume you are using GitHub Actions for Azure to create workflows for your deployment to Azure. From the description above, you are looking to generate access token in the workflow and make a call to Azure APIM (Azure Function as backend API).

Let me start with the part - 1 (generating access token)

Using Azure login action, you can achieve this with two different ways:

Service Principal with secrets
Connect OpenID Connect with Azure Service Principal using a Federated Identity Credential

Here is doc: Use GitHub Actions to connect to Azure with detailed step by step guide and also, https://github.com/marketplace/actions/azure-login has more info on this scenario. Make sure that you specify optional audience parameter as APIM when generating the token (so that it rightly validates in APIM via validate-jwt policy).

part -2 (make REST API call)

You can make a rest API call to API Management from Azure CLI action with inline script or explore HTTP Request Action if it fits your scenario with generated access token.

To answer your questions (in the order)

The device login flow cannot be used in your scenario and client credential flow is the best option for web application/non-interactive scenario as described in the doc.
Not really an expert in GitHub actions or related testing framework. I suggest you explore https://docs.github.com/en/actions/automating-builds-and-tests/about-continuous-integration or https://github.com/orgs/community/discussions and community experts can help in answering this.
The role contributor should be sufficient, and you can add --json-auth parameter as described in the doc: Configure a service principal with a secret or pass as individual parameters to address security concerns (the same has been described in the referenced doc).

I hope this helps and let me know if you have any questions.

Siegfried Heintze 1,906 Reputation points

2023-11-02T03:33:45.43+00:00

Muthu:

For my application I have workers, crew-chiefs and admins. They log in to my SPA with their email accounts (usually gmail accounts) are authenticated with Azure AD and my application detects the role by the different JWT claims. Please help understand how perform those REST calls inside by github work flow to my azure functions as a worker, crew-chief and admin by having the worker log in as a worker and make the REST calls, then as a crew-chief and make the REST calls and as an admin. I've been studying your explanations and links I don't see where I specify the gmail account for the worker, or the gmail account for the crew-chief and so on.

Thanks

Siegfried
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-11-02T17:56:55.18+00:00

Siegfried Heintze Thanks for elaborating more about your scenario. I see the above two ways i.e. Service Principal with secrets, OIDC using federated credentials (only-rep level not individual) are the only options with azure login action. From doc: Scenarios and supported authentication flows, there are other authentication flows to represent the user but those are interactive not suited for automated workflows.

I understand you are looking to validate different user scenarios and claims, and in those cases, you might need to set up different app registrations with specific claims (representing each user). Then, call APIM in the workflow and validate the token and handle the requests accordingly.

Let me know if you have any other questions.
Siegfried Heintze 1,906 Reputation points

2023-11-02T18:50:25.3166667+00:00

(1) Please guide me on setting up different user scenarios and claims. https://github.com/marketplace/actions/azure-login#sample-workflow-that-uses-azure-login-action-using-oidc-to-run-az-cli-linux allows me to specify a tenant and an object ID. When I look at one of my B2C users (that has the required claim) in my Azure AD tenant, I see a client ID. Is that the same as an ObjectID? If so, could I use this for the OIDC login and expect to get the required claims in the token when I get the access or bearer token using "az account get-access-token --tenant xxxxxxxx-xxxx-4bc9-xxxxxxxxxxxxxxxx --query accessToken"?

(2) What I really want is a single service principal assigned to a single github repo secret that I could use specify the tenant ID and the client ID when calling "az account get-access-token" or "Get-AzAccessToken" and get the claims I want. Is this possible? It sound you you are telling me this is not possible.

(3) So are you suggesting I need three github repos (with three different service principals): one for workers, one for chiefs and one for admins?

Thanks

Siegfried
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-11-03T18:31:45.67+00:00

Siegfried Heintze From the doc, you need to have Microsoft Entra application (previously Azure AD app) with service principal that has role permissions. If the user is not set up this way, I don't think you can use. (Adding Microsoft Entra ID team).

(2) Yes, it is possible to have a single service principal and get access token for the tenant targeting a specific resource (APIM in this case). However, you are interested in representing different user claims based on my understanding (if that case, not). Please correct me if I misunderstood your question.

If the question is more specific on Azure login action, then feel free to submit it in https://github.com/Azure/login/issues repo and experts/contributors from repo can help in answering those questions.
Siegfried Heintze 1,906 Reputation points

2023-11-03T18:49:39.77+00:00

You are correct. I need to reproduce the claims in the token that I get when I log in via a web site. Using powershell, I can use 'az account get-access-token' and get an token for that tenant but when I used http://jwt.ms.com to decode that token I see that it does not have my custom claims and this is a problem!

Please help me understand how to create a token with my required claims.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-11-08T16:34:53.9166667+00:00

Siegfried Heintze The service principal needs to have different roles/permissions, so that the token reflects those claims when running az account get-access-token. I assume this behavior is same when running the PowerShell outside GitHub action as well?

I will reach out to Microsoft Entra experts to share the exact steps.
Siegfried Heintze 1,906 Reputation points

2023-11-14T16:22:39.61+00:00

Muthu: I'm looking forward to your update.

I've been thinking: maybe it is not possible to do a silent login by design because these are not trusted client and by design (for security) they need to pop up the browser sign-in for azure. This means it might not be possible to make this test run in a github workflow.

If this is the case, I would still be interested in getting help writing a manual powershell script that does REST calls to my Azure funcs in the context of my various logins to test that my authorization is working correctly in my azure functions.

Perhaps this is the correct documentation I need: https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http? When running a powershell script, what do I specify for the redirect URI? If I converted this to a powershell script, would the custom claims I created in my Azure AD tenant be appearing in the access tokens?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-11-14T16:34:39.8066667+00:00

Siegfried Heintze Sorry for the delay in response. To summarize, you are looking to set up app registrations to replicate B2C users and get an access token with necessary claims via PowerShell (or in the GitHub workflow). Later, the token will be sent in the REST API calls to Azure Functions. Is that correct?
Siegfried Heintze 1,906 Reputation points

2023-11-14T16:56:28.53+00:00

I'm not sure what you mean by "set up app registrations" because I already created the Azure AD B2C app registrations months ago as per the very first tutorial link above.

But yes: I want my powershell script to call my functions with the same custom claims my javascript browser resident clients are presently (successfully!) calling the my Azure CRUD functions.
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-11-15T21:56:10.5966667+00:00

Hi @Siegfried Heintze ,

Since app role configuration isn't available directly in the blade for B2C tenants, it sounds like you would need to add the app role to the application manifest as described in this post: How to set up custom claims in Azure AD B2C Application and get the claim in access token - Microsoft Q&A
Siegfried Heintze 1,906 Reputation points

2023-11-15T23:32:30.2466667+00:00

MariLee: That link you gave me just takes me to the general list of questions: https://learn.microsoft.com/en-us/answers/questions/

However: I created that custom claim (extension attribute) in my tenant years ago and it has been working fine when I log in (for example, the javascript client in this tutorial: https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c)

The question is how to I create a token that has the claims for that user in a powershell script? I get tokens with the required claims when I use a razor client, a javascript client or a blazor client.
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-11-16T22:53:41.1766667+00:00

Apologies, I meant to share this one. https://learn.microsoft.com/en-us/answers/questions/888691/how-to-set-up-custom-claims-in-azure-ad-b2c-applic
Siegfried Heintze 1,906 Reputation points

2023-11-17T04:52:56.05+00:00

Marilee: I'm confused. As per my discussion with Alfredo (https://learn.microsoft.com/en-us/answers/questions/271969/how-to-add-authorization-to-basic-aad-b2c-web-app) the technique for implementing authorization with Azure AD B2C was to create an extension attribute because Azure AD B2C does (or did) not have the roles feature.

Are roles a new feature of Azure AD B2C? Can you point me to the documentation?

Well regardless of whether we use extension attributes (as Alfredo guided me to do) or roles, they both appear the decoded token which means the process for getting a token is the same.

So I'm not clear on how Amanpreet is doing the REST POST. I think is using a web page and I need to use a powershell or azure cli command.

Furthermore, I don't see where Amanpreet is specifying a user name.

I think I need to get a token to POST to Azure AD (Graph) and then I definitely need to specify the user name because different users will have different values for the role claim that I need. How do I specify the username?

Please help me understand how use the azure CLI "az rest" command to fetch the token for a specific user in my Azure AD tenant where I can decode the token and see that the user is a worker, or crew chief or admin and then use that token to make a REST call to an authenticating azure function.

thank you!

Siegfried
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-11-22T14:17:58.1266667+00:00

Siegfried Heintze Sorry about the confusion. We are discussing internally and revert back to you.
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-11-28T23:33:26.2066667+00:00

Siegfried Heintze, .

If you are looking for specific Azure CLI commands to get this information, I don't think the approach you are suggesting is officially supported or officially documented. The roles would need to be assigned within the B2C's AAD directory or hosted externally and retrieved via Graph API, or if you're using ROPC you would still have to make a call to the underlying AAD and only Microsoft accounts would be supported. Social accounts would not work.

In Aman's example he's using the client credentials flow to get the role claim in the token, which only applies to application roles/credentials. There are many separate questions in this thread so I didn't have the full context of your setup and that you are looking for a command to fetch the token for a specific user, rather than an application role.

Overview of tokens - Azure Active Directory B2C | Microsoft Learn

Similar discussion here:

authentication - Does Azure AD B2C support "roles" claim in JWT tokens for authorization? - Stack Overflow

I've shared your question with the broader team though to add additional thoughts.
Siegfried Heintze 1,906 Reputation points

2023-12-07T18:27:00.61+00:00

Thank you Marilee.

Shame on me for taking so long to get back to you. I just discovered that both of those links are broken. Could you correct them please.

Shame on me for getting distracted by other questions like roles.

Let's just focus on my original question: how can I write a script that uses a worker's email account (and password), a boss's email account (and password) and an admin's account (and password) to login into my Azure AD tenant and make authenticated REST calls (using curl or "az rest") to my authenticating azure functions sitting behind my authenticating APIM (Azure API Mgr Service that uses the validate jwt police as described in https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c) to demonstrate that the worker account fails on some calls (because if his claims) and succeeds on others and similarly with the boss's email account and of course, the admin account should never fail because admins have access to everything including the worker's sensitive information like social security numbers.

I want this to run as part of a github push (CI/CD) if possible. IF that is not possible, then maybe I could just run it manually whenever I do a git-push.

Thanks

siegfried
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2023-12-12T21:56:20.71+00:00

I don't think it is possible since SSO requires interactive authentication.
Siegfried Heintze 1,906 Reputation points

2023-12-13T00:04:58.7466667+00:00

Ah shucks... I suspect you are right for B2C public clients.

I'm reading https://devblogs.microsoft.com/identity/public-v-confidential-clients/:

Don't you think I should be able to do this confidential clients? A blazor server web app perhaps? Does B2C have confidential clients? Never mind! I agree. An automated test that includes logging in does not make sense for B2C for any kind of client.

Marilee: I guess this answers my original question. Can we promote your comment to an answer?

Oh Wait! One more thought: Well what if I was using B2B? Could I write such a test with B2B?

Share via

How to implement silent login/authorization/authentication REST calls for testing azure functions in Github deployment workflow?

1 answer

Your answer