passing authentication token from 1 HTTP triggered function to another

Question

passing authentication token from 1 HTTP triggered function to another

Parag Kale 20

Hi

I am using durable functions monitor in injected mode and not using the inbuilt authentication provided in function app. Rather I am generating auth code and auth token using Microsoft identity platform auth code flow.

I have below function that when accessed presents the sign in screen

[Function("Function1")]

public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req)

{

string tenant = "tenantId"; // or use your tenant ID

string clientId = "clientId";

// Ensure this redirect URI matches what is in your app registration

string redirectUri = "http://localhost:7267/api/Function2";

// Define the scopes you need (openid, profile, offline_access, etc.)

string scope = "openid profile email";

string authUrl = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize" +

$"?client_id={clientId}" +

$"&response_type=code" +

$"&redirect_uri={WebUtility.UrlEncode(redirectUri)}" +

$"&response_mode=query" +

$"&scope={WebUtility.UrlEncode(scope)}" +

$"&state=12345&prompt=login"; // ideally, generate a dynamic state value

var response = req.CreateResponse(HttpStatusCode.Redirect);

response.Headers.Add("Location", authUrl);

return response;

}

This redirects me to Function2 where I get the auth token as below

[Function("Function2")]

public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req)

{

string code = req.Query["code"]!;

string tenant = "tenantId"; // or your tenant-specific ID

string clientId = "clientId";

string clientSecret = "secret";

string redirectUri = "http://localhost:7267/api/Function2";

// Build the MSAL confidential client application

IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)

.WithClientSecret(clientSecret)

.WithRedirectUri(redirectUri)

.WithAuthority($"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token")

.Build();

AuthenticationResult result = app.AcquireTokenByAuthorizationCode(

new string[] { "openid", "profile", "email" }, code)

.ExecuteAsync().Result;

if (result.AccessToken != null)

{

var response = req.CreateResponse(HttpStatusCode.Redirect);

response.Headers.Add("Location", "http://localhost:7267/api/DFM");

response.Headers.Add("Authorization", result.AccessToken);

return response;

}

else

{

return req.CreateResponse(HttpStatusCode.BadRequest);

}

The endpoint http://localhost:7267/api/DFM is my custom endpoint for the durable function monitor in injected mode

[Function(nameof(MyCustomDfMonEndpoint))]

public Task<HttpResponseData> ServeDfMonStatics(

[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,

string p1,

string p2,

string p3

)

{

if (!req.Headers.TryGetValues("Authorization", out var authHeaders))

{

var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);

unauthorizedResponse.WriteStringAsync("Missing Authorization header.");

return Task.FromResult(unauthorizedResponse);

}

return this.DfmServeStaticsFunction(req, p1, p2, p3);

}

Currently what I am seeing is the endpoint for DFM doesn't get the token in headers passed from Function2 using response.Headers.Add("Authorization", result.AccessToken);

What I am looking for is getting the token in the headers when it is redirected from Function2 and maintaining that token when the links on the durable function monitor are hit. so that the below check always prevents unauthorized access

if (!req.Headers.TryGetValues("Authorization", out var authHeaders))

{

var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);

unauthorizedResponse.WriteStringAsync("Missing Authorization header.");

return Task.FromResult(unauthorizedResponse);

}

Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-09T17:04:50.62+00:00
@Parag Kale ,
It looks like you're trying to pass an authentication token from one Azure Function to another, but you're running into issues with the token not being included in the headers when redirecting to your Durable Function Monitor.
What you're encountering is a well-known limitation due to browser security constraints:

Custom headers like Authorization are not carried forward across browser redirects (e.g., 302/301).

This is by design and ensures that sensitive information is not unintentionally forwarded. As a result, setting the Authorization header in Function2 and expecting it to persist through the redirect to the Durable Function Monitor endpoint will not work.

Here's what you can do to resolve this:

Add the Token to the Redirect URL: Instead of trying to pass the Authorization token through headers during a redirect, consider sending it as a query parameter when redirecting to the Durable Function Monitor. For example, modify your redirection in Function2 like this:

response.Headers.Add("Location", $"http://localhost:7267/api/DFM?access_token={result.AccessToken}");

Modify Function to Accept Token: Update your durable function endpoint to check for the token in the query parameters:

string token = req.Query["access_token"]; if (string.IsNullOrEmpty(token)) { var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized); unauthorizedResponse.WriteStringAsync("Missing access token."); return Task.FromResult(unauthorizedResponse); }

Include Token in Further Calls: If your Durable Function Monitor needs to make other API calls, make sure you validate the token, and extract it accordingly.

This way, when you hit the Durable Function Monitor endpoint, you’ll have the token available and can validate it as needed.
Parag Kale 20 Reputation points

2025-05-09T18:22:33.96+00:00
Thank you for the reply

I see that on my target HTTP triggered function

[Function(nameof(MyCustomDfMonEndpoint))]

public Task<HttpResponseData> ServeDfMonStatics(

[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,

string p1,

string p2,

string p3

)

{

string token = req.Query["access_token"]!;

if (string.IsNullOrEmpty(token))

{

var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);

unauthorizedResponse.WriteStringAsync("Missing access token.");

return Task.FromResult(unauthorizedResponse);

}

return this.DfmServeStaticsFunction(req, p1, p2, p3);

}

I see that the access_token query parameter is lost when it again gets executed. Basically when I debugged it , the below statement gets called multiple times and I get null in access_token. How can I maintain the value of access_token once I reach the endpoint of MyCustomEndpoint

return this.DfmServeStaticsFunction(req, p1, p2, p3);
Parag Kale 20 Reputation points

2025-05-09T18:24:36.67+00:00

Basically the statement return this.DfmServeStaticsFunction(req, p1, p2, p3) is resulting in the HTTP triggered azure function getting called multiple times and hence results in the query parameter getting lost.

I want to maintain the value of access_token for the session
Praveen Kumar Gudipudi 350 Reputation points Microsoft External Staff Moderator

2025-05-09T23:37:51.0233333+00:00

@Parag Kale ,

We are reproducing issue from our end; we will let you know with an update.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-13T11:13:52.29+00:00

@Parag Kale ,

I wanted to check in and see if my earlier response addressed your question. If you still need assistance or have additional questions, please feel free to reach out.
Parag Kale 20 Reputation points

2025-05-13T11:17:28.56+00:00

Hi Khadeer,

yeah , this resolved my issue.

thank you so much for your help

1 answer

Your answer

Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-09T17:04:50.62+00:00

@Parag Kale ,
It looks like you're trying to pass an authentication token from one Azure Function to another, but you're running into issues with the token not being included in the headers when redirecting to your Durable Function Monitor.
What you're encountering is a well-known limitation due to browser security constraints:

Custom headers like Authorization are not carried forward across browser redirects (e.g., 302/301).

This is by design and ensures that sensitive information is not unintentionally forwarded. As a result, setting the Authorization header in Function2 and expecting it to persist through the redirect to the Durable Function Monitor endpoint will not work.

Here's what you can do to resolve this:

Add the Token to the Redirect URL: Instead of trying to pass the Authorization token through headers during a redirect, consider sending it as a query parameter when redirecting to the Durable Function Monitor. For example, modify your redirection in Function2 like this:

response.Headers.Add("Location", $"http://localhost:7267/api/DFM?access_token={result.AccessToken}");

Modify Function to Accept Token: Update your durable function endpoint to check for the token in the query parameters:

string token = req.Query["access_token"]; if (string.IsNullOrEmpty(token)) { var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized); unauthorizedResponse.WriteStringAsync("Missing access token."); return Task.FromResult(unauthorizedResponse); }

Include Token in Further Calls: If your Durable Function Monitor needs to make other API calls, make sure you validate the token, and extract it accordingly.

This way, when you hit the Durable Function Monitor endpoint, you’ll have the token available and can validate it as needed.
Parag Kale 20 Reputation points

2025-05-09T18:22:33.96+00:00

Thank you for the reply

I see that on my target HTTP triggered function

[Function(nameof(MyCustomDfMonEndpoint))]

public Task<HttpResponseData> ServeDfMonStatics(

[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,

string p1,

string p2,

string p3

)

{

string token = req.Query["access_token"]!;

if (string.IsNullOrEmpty(token))

{

var unauthorizedResponse = req.CreateResponse(HttpStatusCode.Unauthorized);

unauthorizedResponse.WriteStringAsync("Missing access token.");

return Task.FromResult(unauthorizedResponse);

}

return this.DfmServeStaticsFunction(req, p1, p2, p3);

}

I see that the access_token query parameter is lost when it again gets executed. Basically when I debugged it , the below statement gets called multiple times and I get null in access_token. How can I maintain the value of access_token once I reach the endpoint of MyCustomEndpoint

return this.DfmServeStaticsFunction(req, p1, p2, p3);
Parag Kale 20 Reputation points

2025-05-09T18:24:36.67+00:00

Basically the statement return this.DfmServeStaticsFunction(req, p1, p2, p3) is resulting in the HTTP triggered azure function getting called multiple times and hence results in the query parameter getting lost.

I want to maintain the value of access_token for the session
Praveen Kumar Gudipudi 350 Reputation points Microsoft External Staff Moderator

2025-05-09T23:37:51.0233333+00:00

@Parag Kale ,

We are reproducing issue from our end; we will let you know with an update.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-13T11:13:52.29+00:00

@Parag Kale ,

I wanted to check in and see if my earlier response addressed your question. If you still need assistance or have additional questions, please feel free to reach out.
Parag Kale 20 Reputation points

2025-05-13T11:17:28.56+00:00

Hi Khadeer,

yeah , this resolved my issue.

thank you so much for your help

Answer 1

@Parag Kale

Use an HTTP-only cookie to store the token after it is first received. This way, the token gets automatically sent with every request by the browser — including JS, CSS, and static resource fetches from DFM.

Pseudo Code (Logical Flow)



FUNCTION ServeDfMonStatics(request):
    IF access_token IS IN QUERY PARAMS:
        // first request after login, store token in cookie
        SET COOKIE "access_token" with value from query
        REDIRECT to same endpoint WITHOUT token in query (clean URL)

    ELSE IF access_token IS IN COOKIE:
        // All future requests will have token from cookie
        PROCEED to serve DFM static content

    ELSE:
        // First time, no token yet — redirect to login
        REDIRECT to Azure login page with proper redirect_uri

Actual Code (C# Azure Function)



[Function(nameof(MyCustomDfMonEndpoint))]
public async Task<HttpResponseData> ServeDfMonStatics(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
    string p1, string p2, string p3)
{
    // Check for token in query parameter
    string tokenFromQuery = req.Query["access_token"];

    // Step 1: If token found in query, save it as cookie and redirect to clean URL
    if (!string.IsNullOrEmpty(tokenFromQuery))
    {
        var response = req.CreateResponse(HttpStatusCode.Redirect);
        response.Headers.Add("Set-Cookie", $"access_token={tokenFromQuery}; HttpOnly; Path=/; SameSite=Lax");
        response.Headers.Add("Location", req.Url.AbsolutePath); // remove query from URL
        return response;
    }

    // Step 2: Check if access token exists in cookies
    string tokenFromCookie = null;
    if (req.Headers.TryGetValues("Cookie", out var cookies))
    {
        var cookieStr = cookies.FirstOrDefault();
        tokenFromCookie = cookieStr?
            .Split(';')
            .Select(c => c.Trim())
            .FirstOrDefault(c => c.StartsWith("access_token="))?
            .Split('=')[1];
    }

    if (!string.IsNullOrEmpty(tokenFromCookie))
    {
        // Token exists, proceed to serve DFM static resources
        return await this.DfmServeStaticsFunction(req, p1, p2, p3);
    }

    // Step 3: If no token anywhere, redirect to login
    var tenant = "your-tenant-id";
    var clientId = "your-client-id";
    var redirectUri = "https://yourfunctionhost/api/DFM"; // must match Azure AD redirect URI
    var authUrl = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" +
                  $"client_id={clientId}&response_type=code&redirect_uri={redirectUri}&response_mode=query&scope=openid%20profile%20email";

    var loginResponse = req.CreateResponse(HttpStatusCode.Redirect);
    loginResponse.Headers.Add("Location", authUrl);
    return loginResponse;
}

Summary of What This Code Does

First request with token (via ?access_token=xyz) → Stores token in cookie → Redirects to clean URL
All future requests → Token is read from cookie, allowing continued access to DFM content
If no token at all → Redirects user to Microsoft Login page
Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful." And if you have any further questions, let us know.

Share via

passing authentication token from 1 HTTP triggered function to another

1 answer

Your answer